diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix
index 374a9bd18f..f8d63e4dec 100644
--- a/ops/nixos/blade-tuvok/default.nix
+++ b/ops/nixos/blade-tuvok/default.nix
@@ -84,6 +84,8 @@ in {
 v6.addr = "2a09:a441::ffff";
 };
+ linx.enable = true;
+ vrrp.priority = 100;
 };
 }
diff --git a/ops/nixos/lib/bgp.nix b/ops/nixos/lib/bgp.nix
index e979a70edc..285e9317c3 100644
--- a/ops/nixos/lib/bgp.nix
+++ b/ops/nixos/lib/bgp.nix
@@ -24,11 +24,13 @@ let
 enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
 passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
 multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
+ passiveSnippet = { passive, ... }: "passive ${if passive then "on" else "off"};";
 generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
 protocol bgp ${ixName}${toString routerNum}_4 {
 ${enabledSnippet router}
 ${passwordSnippet router}
 ${multihopSnippet router}
+ ${passiveSnippet ix.remote}
 local ${ix.local.v4} as ${toString ix.local.asn};
 neighbor ${router.v4} as ${toString ix.remote.asn};
 graceful restart on;
@@ -43,6 +45,7 @@ let
 ${enabledSnippet router}
 ${passwordSnippet router}
 ${multihopSnippet router}
+ ${passiveSnippet ix.remote}
 local ${ix.local.v6} as ${toString ix.local.asn};
 neighbor ${router.v6} as ${toString ix.remote.asn};
 graceful restart on;
@@ -98,6 +101,10 @@ in {
 asn = mkOption { # lukegbgp.config.peering..remote.asn
 type = int;
 };
+ passive = mkOption { # lukegbgp.config.peering..remote.passive
+ type = bool;
+ default = false;
+ };
 export_community = mkOption { # lukegbgp.config.peering..remote.export_community
 type = int;
 };
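Review bot: `passiveSnippet = { passive, ... }:` makes `passive` a required attribute while the three sibling snippets on the same lines default theirs (`enabled ? true`, `password ? null`, `multihop ? null`); it only evaluates because the `remote.passive` option added in the @@ -98 hunk defaults to false, so anything that builds `ix.remote` without going through the module's option defaults would fail with a missing-attribute error. `passiveSnippet = { passive ? false, ... }: "passive ${if passive then "on" else "off"};"` keeps the snippets uniform. Note also that this snippet is fed `ix.remote` while the other three take `router`, so passivity is per-peer rather than per-router; a comment such as `# passive is a property of the peer (ix.remote), not of an individual router` would save the next reader a double-take. generateSnippetForRouter continues past the hunk, so the v6 protocol block is only partly visible here.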
@@ -188,6 +195,13 @@ in {
 bgp_ext_community.add((ro, 205479, 4000));
 bgp_ext_community.add((ro, 205479, 4001));
 bgp_ext_community.add((ro, 205479, 4002));
+ bgp_ext_community.add((ro, 205479, 5000));
+ bgp_ext_community.add((ro, 205479, 5001));
+ bgp_ext_community.add((ro, 205479, 5002));
+ bgp_ext_community.add((ro, 205479, 5003));
+ bgp_ext_community.add((ro, 205479, 5004));
+ bgp_ext_community.add((ro, 205479, 5005));
+ bgp_ext_community.add((ro, 205479, 5006));
 accept;
 };
 };
@@ -205,6 +219,13 @@ in {
 bgp_ext_community.add((ro, 205479, 4000));
 bgp_ext_community.add((ro, 205479, 4001));
 bgp_ext_community.add((ro, 205479, 4002));
+ bgp_ext_community.add((ro, 205479, 5000));
+ bgp_ext_community.add((ro, 205479, 5001));
+ bgp_ext_community.add((ro, 205479, 5002));
+ bgp_ext_community.add((ro, 205479, 5003));
+ bgp_ext_community.add((ro, 205479, 5004));
+ bgp_ext_community.add((ro, 205479, 5005));
+ bgp_ext_community.add((ro, 205479, 5006));
 accept;
 };
 };
diff --git a/ops/nixos/lib/blade-router.nix b/ops/nixos/lib/blade-router.nix
index 36ff1ee107..89a8c69bbe 100644
--- a/ops/nixos/lib/blade-router.nix
+++ b/ops/nixos/lib/blade-router.nix
@@ -4,6 +4,9 @@
 { lib, config, pkgs, ... }:
 with lib;
+let
+ cfg = config.my.blade-router;
+in
 {
 imports = [
 ../lib/bgp.nix
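Review bot: The seven new `bgp_ext_community.add((ro, 205479, 5000..5006))` lines are pasted identically into two filters (this hunk and @@ -205), and only 5000–5004 correspond to an `export_community` value set anywhere in this commit; 5005 and 5006 have no peering yet. Because this list mirrors the peering definitions in blade-router.nix, generating it in Nix from the configured `export_community` values (or from one shared list used by both filters) would stop the two copies from drifting apart as peers are added. At minimum a comment above each block such as `# one entry per LINX peering export_community; keep in sync with the peerings in blade-router.nix` is worthwhile. Both filter bodies begin outside the hunk, so what the `ro` communities gate is not visible here.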
@@ -48,12 +51,29 @@ with lib;
 prefixLength = mkOption { type = types.int; default = 64; };
 };
+ linx.enable = mkEnableOption "linx";
+ addresses.vl-linx.v4 = {
+ addr = mkOption { type = types.str; default = "195.66.224.58"; };
+ prefixLength = mkOption { type = types.int; default = 22; };
+ };
+ addresses.vl-linx.v6 = {
+ addr = mkOption { type = types.str; default = "2001:7f8:4::3:22a7:1"; };
+ prefixLength = mkOption { type = types.int; default = 64; };
+ };
+ vrrp.priority = mkOption { type = types.int; };
 };
 config = {
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+
+ "net.ipv4.conf.vl-linx.arp_announce" = 1;
+ "net.ipv4.conf.vl-linx.arp_ignore" = 1;
+ "net.ipv4.neigh.vl-linx.base_reachable_time_ms" = 14400000;
+ "net.ipv6.neigh.vl-linx.base_reachable_time_ms" = 14400000;
+ };
 networking = {
 vlans.vl-transit = {
@@ -81,6 +101,14 @@ with lib;
 address = config.my.blade-router.addresses.linknet.v6.local;
 prefixLength = config.my.blade-router.addresses.linknet.v6.prefixLength;
 }];
+ interfaces.vl-linx.ipv4.addresses = [{
+ address = cfg.addresses.vl-linx.v4.addr;
+ prefixLength = cfg.addresses.vl-linx.v4.prefixLength;
+ }];
+ interfaces.vl-linx.ipv6.addresses = [{
+ address = cfg.addresses.vl-linx.v6.addr;
+ prefixLength = cfg.addresses.vl-linx.v6.prefixLength;
+ }];
 defaultGateway = config.my.blade-router.addresses.linknet.v4.remote;
 defaultGateway6 = config.my.blade-router.addresses.linknet.v6.remote;
 firewall.extraCommands = ''
@@ -91,7 +119,15 @@ with lib;
 services.lukegbgp = {
 enable = true;
- config = {
+ config = let
+ linx = {
+ local = {
+ asn = 205479;
+ v4 = cfg.addresses.vl-linx.v4.addr;
+ v6 = cfg.addresses.vl-linx.v6.addr;
+ };
+ };
+ in {
 local.routerID = config.my.blade-router.addresses.linknet.v4.local;
 peering.veloxserv = {
 local = {
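Review bot: `vrrp.priority = mkOption { type = types.int; };` has no default, so every host that imports blade-router.nix must now set it or evaluation fails; only blade-tuvok sets it in this commit, and nothing in the diff consumes it yet. If the other blade routers are meant to be unaffected, give it a default (or make it `types.nullOr types.int`), and a `description` stating that each router needs a distinct priority would make the eventual evaluation error self-explanatory. Separately, the per-interface keys `net.ipv4.conf.vl-linx.*` and `net.*.neigh.vl-linx.*` are written by systemd-sysctl at boot, before the vl-linx VLAN exists; current systemd ships a udev rule that re-applies per-interface sysctls when a link appears, but that is worth confirming on the deployed release, since arp_ignore/arp_announce on the exchange port is exactly the hygiene that must not silently fail to apply.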
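Review bot: The `interfaces.vl-linx` address lists in the @@ -81 hunk are assigned unconditionally, while the option defaults are one concrete LINX member assignment (`195.66.224.58/22`, `2001:7f8:4::3:22a7:1/64`) and the new `linx.enable` option only gates the BGP sessions in the later hunk. Any other host importing this module therefore configures the same exchange addresses on its own vl-linx interface with `linx.enable` still false; wrapping the two address lists (and the vl-linx sysctls in the hunk above) in `mkIf cfg.linx.enable` keeps the exchange addressing on the router that is actually meant to hold it. I also don't see a `vlans.vl-linx` definition in this diff — if it lives outside the hunks, fine, otherwise the interface these addresses attach to is never created.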
@@ -108,6 +144,80 @@ with lib;
 }];
 };
 };
+ peering.linxcollector = linx // {
+ remote = {
+ asn = 5459;
+ export_community = 5000;
+ routers = [{
+ enabled = cfg.linx.enable;
+ v4 = "195.66.224.254";
+ v6 = "2001:7f8:4::1553:1";
+ }];
+ };
+ };
+ peering.linx = linx // {
+ remote = {
+ asn = 8714;
+ export_community = 5001;
+ routers = [{
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.230";
+ v6 = "2001:7f8:4::220a:1";
+ } {
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.231";
+ v6 = "2001:7f8:4::220a:2";
+ }];
+ };
+ };
+ peering.facebook = linx // {
+ remote = {
+ asn = 32934;
+ export_community = 5002;
+ passive = true; # pending
+ routers = [{
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.69";
+ v6 = "2001:7f8:4::80a6:1";
+ } {
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.121";
+ v6 = "2001:7f8:4::80a6:2";
+ } {
+ enabled = cfg.linx.enable;
+ v4 = "195.66.227.19";
+ v6 = "2001:7f8:4::80a6:5";
+ } {
+ enabled = cfg.linx.enable;
+ v4 = "195.66.226.140";
+ v6 = "2001:7f8:4::80a6:3";
+ }];
+ };
+ };
+ peering.openpeering = linx // {
+ remote = {
+ asn = 20562;
+ export_community = 5003;
+ passive = true; # pending
+ routers = [{
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.53";
+ v6 = "2001:7f8:4::5052:1";
+ }];
+ };
+ };
+ peering.freetransitnet = linx // {
+ remote = {
+ asn = 212895;
+ export_community = 5004;
+ passive = true; # pending
+ routers = [{
+ enabled = cfg.linx.enable;
+ v4 = "195.66.225.105";
+ v6 = "2001:7f8:4::3:3f9f:2";
+ }];
+ };
+ };
 export.v4 = [ "92.118.28.0/24" ];
 export.v6 = [ "2a09:a441::/32" ];
 };
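Review bot: Every one of the ten new router entries repeats `enabled = cfg.linx.enable;`, so toggling LINX means touching each one; a helper next to `linx` in the existing `let`, e.g. `linxRouter = v4: v6: { enabled = cfg.linx.enable; inherit v4 v6; };`, reduces each router to a single call and leaves `passive = true; # pending` as the only per-peer detail to read. Operationally, the three `passive` peerings depend on the remote initiating TCP/179 towards the vl-linx addresses, so the rules in `firewall.extraCommands` (outside this hunk) must admit inbound BGP from those specific neighbor addresses or the sessions will never establish — worth checking since nothing in the diff touches the firewall. None of the sessions set a `password` even though the per-router `passwordSnippet` supports one; where a peer offers TCP-MD5, use it. `# pending` presumably means the peer has not configured their side yet; spelling that out, `# pending: remote side not configured yet, stay passive until it is`, tells the next person when to flip it.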