blade-tuvok: LINX updates

2021-08-17 01:30:33 +00:00 · 2021-08-17 01:30:33 +00:00 · fdacf57ead
commit fdacf57ead
parent 8ad77134ae
3 changed files with 136 additions and 3 deletions
--- a/ops/nixos/blade-tuvok/default.nix
+++ b/ops/nixos/blade-tuvok/default.nix
@ -84,6 +84,8 @@ in {
      v6.addr = "2a09:a441::ffff";
    };
    linx.enable = true;
    vrrp.priority = 100;
  };
 }
--- a/ops/nixos/lib/bgp.nix
+++ b/ops/nixos/lib/bgp.nix
@ -24,11 +24,13 @@ let
  enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
  passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
  multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
  passiveSnippet = { passive, ... }: "passive ${if passive then "on" else "off"};";
  generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
    protocol bgp ${ixName}${toString routerNum}_4 {
      ${enabledSnippet router}
      ${passwordSnippet router}
      ${multihopSnippet router}
      ${passiveSnippet ix.remote}
      local ${ix.local.v4} as ${toString ix.local.asn};
      neighbor ${router.v4} as ${toString ix.remote.asn};
      graceful restart on;
@ -43,6 +45,7 @@ let
      ${enabledSnippet router}
      ${passwordSnippet router}
      ${multihopSnippet router}
      ${passiveSnippet ix.remote}
      local ${ix.local.v6} as ${toString ix.local.asn};
      neighbor ${router.v6} as ${toString ix.remote.asn};
      graceful restart on;
@ -98,6 +101,10 @@ in {
                      asn = mkOption { # lukegbgp.config.peering.<foo>.remote.asn
                        type = int;
                      };
                      passive = mkOption { # lukegbgp.config.peering.<foo>.remote.passive
                        type = bool;
                        default = false;
                      };
                      export_community = mkOption { # lukegbgp.config.peering.<foo>.remote.export_community
                        type = int;
                      };
@ -188,6 +195,13 @@ in {
              bgp_ext_community.add((ro, 205479, 4000));
              bgp_ext_community.add((ro, 205479, 4001));
              bgp_ext_community.add((ro, 205479, 4002));
              bgp_ext_community.add((ro, 205479, 5000));
              bgp_ext_community.add((ro, 205479, 5001));
              bgp_ext_community.add((ro, 205479, 5002));
              bgp_ext_community.add((ro, 205479, 5003));
              bgp_ext_community.add((ro, 205479, 5004));
              bgp_ext_community.add((ro, 205479, 5005));
              bgp_ext_community.add((ro, 205479, 5006));
              accept;
            };
          };
@ -205,6 +219,13 @@ in {
              bgp_ext_community.add((ro, 205479, 4000));
              bgp_ext_community.add((ro, 205479, 4001));
              bgp_ext_community.add((ro, 205479, 4002));
              bgp_ext_community.add((ro, 205479, 5000));
              bgp_ext_community.add((ro, 205479, 5001));
              bgp_ext_community.add((ro, 205479, 5002));
              bgp_ext_community.add((ro, 205479, 5003));
              bgp_ext_community.add((ro, 205479, 5004));
              bgp_ext_community.add((ro, 205479, 5005));
              bgp_ext_community.add((ro, 205479, 5006));
              accept;
            };
          };
--- a/ops/nixos/lib/blade-router.nix
+++ b/ops/nixos/lib/blade-router.nix
@ -4,6 +4,9 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.my.blade-router;
 in
 {
  imports = [
    ../lib/bgp.nix
@ -48,12 +51,29 @@ with lib;
      prefixLength = mkOption { type = types.int; default = 64; };
    };
    linx.enable = mkEnableOption "linx";
    addresses.vl-linx.v4 = {
      addr = mkOption { type = types.str; default = "195.66.224.58"; };
      prefixLength = mkOption { type = types.int; default = 22; };
    };
    addresses.vl-linx.v6 = {
      addr = mkOption { type = types.str; default = "2001:7f8:4::3:22a7:1"; };
      prefixLength = mkOption { type = types.int; default = 64; };
    };
    vrrp.priority = mkOption { type = types.int; };
  };
  config = {
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    boot.kernel.sysctl = {
-    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
      "net.ipv4.conf.vl-linx.arp_announce" = 1;
      "net.ipv4.conf.vl-linx.arp_ignore" = 1;
      "net.ipv4.neigh.vl-linx.base_reachable_time_ms" = 14400000;
      "net.ipv6.neigh.vl-linx.base_reachable_time_ms" = 14400000;
    };
    networking = {
      vlans.vl-transit = {
@ -81,6 +101,14 @@ with lib;
        address = config.my.blade-router.addresses.linknet.v6.local;
        prefixLength = config.my.blade-router.addresses.linknet.v6.prefixLength;
      }];
      interfaces.vl-linx.ipv4.addresses = [{
        address = cfg.addresses.vl-linx.v4.addr;
        prefixLength = cfg.addresses.vl-linx.v4.prefixLength;
      }];
      interfaces.vl-linx.ipv6.addresses = [{
        address = cfg.addresses.vl-linx.v6.addr;
        prefixLength = cfg.addresses.vl-linx.v6.prefixLength;
      }];
      defaultGateway = config.my.blade-router.addresses.linknet.v4.remote;
      defaultGateway6 = config.my.blade-router.addresses.linknet.v6.remote;
      firewall.extraCommands = ''
@ -91,7 +119,15 @@ with lib;
    services.lukegbgp = {
      enable = true;
-      config = {
+      config = let
        linx = {
          local = {
            asn = 205479;
            v4 = cfg.addresses.vl-linx.v4.addr;
            v6 = cfg.addresses.vl-linx.v6.addr;
          };
        };
      in {
        local.routerID = config.my.blade-router.addresses.linknet.v4.local;
        peering.veloxserv = {
          local = {
@ -108,6 +144,80 @@ with lib;
            }];
          };
        };
        peering.linxcollector = linx // {
          remote = {
            asn = 5459;
            export_community = 5000;
            routers = [{
              enabled = cfg.linx.enable;
              v4 = "195.66.224.254";
              v6 = "2001:7f8:4::1553:1";
            }];
          };
        };
        peering.linx = linx // {
          remote = {
            asn = 8714;
            export_community = 5001;
            routers = [{
              enabled = cfg.linx.enable;
              v4 = "195.66.225.230";
              v6 = "2001:7f8:4::220a:1";
            } {
              enabled = cfg.linx.enable;
              v4 = "195.66.225.231";
              v6 = "2001:7f8:4::220a:2";
            }];
          };
        };
        peering.facebook = linx // {
          remote = {
            asn = 32934;
            export_community = 5002;
            passive = true;  # pending
            routers = [{
              enabled = cfg.linx.enable;
              v4 = "195.66.225.69";
              v6 = "2001:7f8:4::80a6:1";
            } {
              enabled = cfg.linx.enable;
              v4 = "195.66.225.121";
              v6 = "2001:7f8:4::80a6:2";
            } {
              enabled = cfg.linx.enable;
              v4 = "195.66.227.19";
              v6 = "2001:7f8:4::80a6:5";
            } {
              enabled = cfg.linx.enable;
              v4 = "195.66.226.140";
              v6 = "2001:7f8:4::80a6:3";
            }];
          };
        };
        peering.openpeering = linx // {
          remote = {
            asn = 20562;
            export_community = 5003;
            passive = true;  # pending
            routers = [{
              enabled = cfg.linx.enable;
              v4 = "195.66.225.53";
              v6 = "2001:7f8:4::5052:1";
            }];
          };
        };
        peering.freetransitnet = linx // {
          remote = {
            asn = 212895;
            export_community = 5004;
            passive = true;  # pending
            routers = [{
              enabled = cfg.linx.enable;
              v4 = "195.66.225.105";
              v6 = "2001:7f8:4::3:3f9f:2";
            }];
          };
        };
        export.v4 = [ "92.118.28.0/24" ];
        export.v6 = [ "2a09:a441::/32" ];
      };