From b559512200a3c53f15a69b8f6a0ed7790d818e48 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 29 Mar 2021 11:47:44 +0000
Subject: [PATCH] blade-paris/blade-tuvok: add BGP config
---
 ops/nixos/blade-paris/default.nix | 45 ++++++++++++++++++++++++-------
 ops/nixos/blade-tuvok/default.nix | 41 ++++++++++++++++++++++++----
 ops/nixos/lib/bgp.nix | 6 +++++
 3 files changed, 78 insertions(+), 14 deletions(-)
diff --git a/ops/nixos/blade-paris/default.nix b/ops/nixos/blade-paris/default.nix
index f71c47ec21..8442855c3c 100644
--- a/ops/nixos/blade-paris/default.nix
+++ b/ops/nixos/blade-paris/default.nix
@@ -5,31 +5,55 @@ { depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; + + internetAddresses = { + v4 = { local = "195.74.55.23"; remote = "195.74.55.22"; }; + v6 = { + local = "2a03:ee40:8080:9:2::2"; + remote = "2a03:ee40:8080:9:2::1"; + }; + }; in { imports = [ ../lib/blade.nix + ../lib/bgp.nix ]; boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101da58c052a35c497ff39f7bd33f46a018bf2f2cd4503e52a89df5e552da8d661f000000000000000000005e0619e7ff90240091558107b6a8e58d-0:0"; + services.lukegbgp = { + enable = true; + config = { + local.routerID = internetAddresses.v4.local; + peering.veloxserv = { + local = { + asn = 205479; + v4 = internetAddresses.v4.local; + v6 = internetAddresses.v6.local; + }; + remote = { + asn = 3170; + export_community = 4001; + routers = [{ v4 = internetAddresses.v4.remote; v6 = internetAddresses.v6.remote; }]; + }; + }; + }; + }; + # Networking! networking = { hostName = "blade-paris"; hostId = "41b2a198"; - interfaces.br-public.ipv4.addresses = [{ - address = "92.118.28.1"; - prefixLength = 24; - }]; interfaces.en-internet.ipv4.addresses = [{ - address = "195.74.55.23"; + address = internetAddresses.v4.local; prefixLength = 31; }]; interfaces.en-internet.ipv6.addresses = [{ - address = "2a03:ee40:8080:9:2::2"; + address = internetAddresses.v6.local; prefixLength = 126; }]; - defaultGateway = "195.74.55.22"; - defaultGateway6 = "2a03:ee40:8080:9:2::1"; + defaultGateway = internetAddresses.v4.remote; + defaultGateway6 = internetAddresses.v6.remote; firewall.extraCommands = "iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT"; }; my.ip.tailscale = "100.117.185.118"; @@ -55,7 +79,10 @@ in { interface = "br-mgmt"; state = "MASTER"; priority = 100; - virtualIps = [{ addr = "10.100.0.1/23"; }]; + virtualIps = [ + { addr = "10.100.0.1/23"; } + { addr = "92.118.28.1/24"; dev = "br-public"; } + ]; virtualRouterId = 1; }; }; 
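Review bot: The new `services.lukegbgp` peering with AS 3170 is enabled without any visible firewall change, while the `networking.firewall` stanza in this hunk still only passes VRRP on br-mgmt; unless ../lib/bgp.nix (imported on the new line) opens TCP/179 itself, sessions initiated by the remote router will be dropped and only locally initiated ones will establish. If it has to be opened in this file, restrict it to the configured peer rather than adding 179 to `allowedTCPPorts`, e.g. `iptables -A INPUT -p tcp --dport 179 -s ${internetAddresses.v4.remote} -j ACCEPT` plus the matching `ip6tables` rule for `internetAddresses.v6.remote`, appended to `firewall.extraCommands`. The first blade-tuvok hunk duplicates this `services.lukegbgp` block apart from the addresses; since the whole `peering.veloxserv` attrset differs only in `internetAddresses`, a helper in ../lib/bgp.nix taking that attrset would keep the two hosts from drifting. The `let` binding and the `networking` attrset continue outside the hunk.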
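Review bot: The public address `92.118.28.1/24` is now a VRRP VIP placed on br-public (`dev = "br-public"`) by an instance whose advertisements run over br-mgmt (`interface = "br-mgmt"`), so mastership of the public address follows the management link rather than the state of br-public; a blade whose br-public link is down but whose br-mgmt is up would still hold the VIP, and a br-mgmt partition would now put both blades on 92.118.28.1 on the public segment as well. Unless it is already set in the part of the `vrrpInstances` entry that starts outside the hunk, add `trackInterfaces = [ "br-public" ];` so keepalived lowers its priority when that link fails. The same change, with the same gap, is in the second blade-tuvok hunk.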
diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix index cae739ced9..bef1b27ce8 100644 --- a/ops/nixos/blade-tuvok/default.nix +++ b/ops/nixos/blade-tuvok/default.nix @@ -5,28 +5,56 @@ { depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; + + internetAddresses = { + v4 = { local = "195.74.55.21"; remote = "195.74.55.20"; }; + v6 = { + local = "2a03:ee40:8080:9:1::2"; + remote = "2a03:ee40:8080:9:1::1"; + }; + }; in { imports = [ + ../lib/bgp.nix ../lib/blade.nix ../lib/fup.nix ]; boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101cabb1ebdbdc0fd7b18edd207d43717c39c4a59d1b138b363e315841eca15743400000000000000000000443273100087260091558107b6a8e06e-0:0"; + services.lukegbgp = { + enable = true; + config = { + local.routerID = internetAddresses.v4.local; + peering.veloxserv = { + local = { + asn = 205479; + v4 = internetAddresses.v4.local; + v6 = internetAddresses.v6.local; + }; + remote = { + asn = 3170; + export_community = 4001; + routers = [{ v4 = internetAddresses.v4.remote; v6 = internetAddresses.v6.remote; }]; + }; + }; + }; + }; + # Networking! networking = { hostName = "blade-tuvok"; hostId = "525229f7"; interfaces.en-internet.ipv4.addresses = [{ - address = "195.74.55.21"; + address = internetAddresses.v4.local; prefixLength = 31; }]; interfaces.en-internet.ipv6.addresses = [{ - address = "2a03:ee40:8080:9:1::2"; + address = internetAddresses.v6.local; prefixLength = 126; }]; - defaultGateway = "195.74.55.20"; - defaultGateway6 = "2a03:ee40:8080:9:1::1"; + defaultGateway = internetAddresses.v4.remote; + defaultGateway6 = internetAddresses.v6.remote; firewall.allowedTCPPorts = [ 80 443 ]; firewall.extraCommands = "iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT"; }; 
@@ -86,7 +114,10 @@ in {
 interface = "br-mgmt";
 state = "MASTER";
 priority = 50;
- virtualIps = [{ addr = "10.100.0.1/23"; }];
+ virtualIps = [
+ { addr = "10.100.0.1/23"; }
+ { addr = "92.118.28.1/24"; dev = "br-public"; }
+ ];
 virtualRouterId = 1;
 };
 };
diff --git a/ops/nixos/lib/bgp.nix b/ops/nixos/lib/bgp.nix
index 831f56edf9..c0ae2bf1cc 100644
--- a/ops/nixos/lib/bgp.nix
+++ b/ops/nixos/lib/bgp.nix
@@ -167,6 +167,9 @@ in {
 bgp_ext_community.add((ro, 205479, 2002));
 bgp_ext_community.add((ro, 205479, 2003));
 bgp_ext_community.add((ro, 205479, 3000));
+ bgp_ext_community.add((ro, 205479, 4000));
+ bgp_ext_community.add((ro, 205479, 4001));
+ bgp_ext_community.add((ro, 205479, 4002));
 accept;
 };
 };
@@ -181,6 +184,9 @@ in {
 bgp_ext_community.add((ro, 205479, 2002));
 bgp_ext_community.add((ro, 205479, 2003));
 bgp_ext_community.add((ro, 205479, 3000));
+ bgp_ext_community.add((ro, 205479, 4000));
+ bgp_ext_community.add((ro, 205479, 4001));
+ bgp_ext_community.add((ro, 205479, 4002));
 accept;
 };
 };
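Review bot: The three new `bgp_ext_community.add((ro, 205479, 400x))` lines in the first bgp.nix hunk are bare magic numbers; the only hint to their meaning on this page is `export_community = 4001` in the two blade configs, and nothing says what 4000 and 4002 denote or why all three are tagged here. A one-line `# …` comment above the new lines naming what the 4000–4002 range means and where it is allocated would spare the next reader a search; the enclosing filter starts outside the hunk. The second hunk in this file adds the identical triple to what looks like a parallel filter block, so if the two lists are meant to stay equal a shared definition would stop one diverging from the other.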