# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS host module for the blade "blade-tuvok".
#
# Roles visible in this file:
#   - BGP speaker towards an upstream (services.lukegbgp), announcing the
#     public v4 /24 and v6 /32 from a point-to-point transit link;
#   - Ceph monitor plus one OSD;
#   - TLS front-end (nginx + ACME) for objdump.zxcvbnm.ninja, proxied to a
#     loopback-only HTTP backend on port 7480;
#   - VRRP gateway (keepalived) for the management and public bridges, with
#     router advertisements (radvd) on the public bridge.
#
# `lib`, `pkgs` and `rebuilder` are accepted for module-signature
# compatibility but are not referenced here.
{ depot, lib, pkgs, rebuilder, config, ... }:
let
  inherit (depot.ops) secrets;

  # Point-to-point transit link towards the upstream router.
  # `local` is this host's end of the link; `remote` is the upstream side and
  # doubles as the default gateway for both address families.
  transit = {
    v4 = {
      local = "195.74.55.21";
      remote = "195.74.55.20";
    };
    v6 = {
      local = "2a03:ee40:8080:9:1::2";
      remote = "2a03:ee40:8080:9:1::1";
    };
  };

  # Builds one keepalived VRRP instance that lives on br-mgmt.
  # Both instances below share interface/state/priority and differ only in
  # their router id and the addresses they carry.
  #
  # NOTE(review): no VRRP authentication is configured on these instances, so
  # mastership is only as trustworthy as the set of hosts able to attach to
  # br-mgmt — confirm that bridge is not exposed to untrusted ports.
  mkMgmtVrrp = routerId: addresses: {
    interface = "br-mgmt";
    state = "MASTER";
    priority = 50;
    virtualRouterId = routerId;
    virtualIps = addresses;
  };
in
{
  imports = [
    ../lib/bgp.nix
    ../lib/blade.nix
    ../lib/fup.nix
  ];

  # Boot device is the attached USB stick, addressed by stable by-id path.
  boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101cabb1ebdbdc0fd7b18edd207d43717c39c4a59d1b138b363e315841eca15743400000000000000000000443273100087260091558107b6a8e06e-0:0";

  # --------------------------------------------------------------------------
  # Networking
  # --------------------------------------------------------------------------
  networking = {
    hostName = "blade-tuvok";
    hostId = "525229f7";

    interfaces = {
      # Public bridge: carries the announced v4 /24 and a /48 of the v6 /32.
      br-public = {
        ipv4.addresses = [ { address = "92.118.28.253"; prefixLength = 24; } ];
        ipv6.addresses = [ { address = "2a09:a441::fffe"; prefixLength = 48; } ];
      };
      # Transit link: /31 and /126 point-to-point towards the upstream.
      en-internet = {
        ipv4.addresses = [ { address = transit.v4.local; prefixLength = 31; } ];
        ipv6.addresses = [ { address = transit.v6.local; prefixLength = 126; } ];
      };
    };

    defaultGateway = transit.v4.remote;
    defaultGateway6 = transit.v6.remote;

    firewall = {
      # allowedTCPPorts is not interface-scoped in NixOS: 80/443 are reachable
      # on the transit link as well as on the bridges.
      allowedTCPPorts = [ 80 443 ];
      # VRRP (protocol 112) is accepted only from the management bridge; the
      # default INPUT policy still drops it elsewhere.
      extraCommands = ''
        iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT
        ip6tables -A INPUT -p vrrp -i br-mgmt -j ACCEPT
      '';
    };
  };

  # Host-specific options consumed by the imported ../lib modules.
  my = {
    ip.tailscale = "100.119.123.33";
    blade = {
      bay = 6;
      macAddress = {
        internal = "e4:11:5b:ac:e3:fe";
        storage = "e4:11:5b:ac:e4:02";
        internet = "e4:11:5b:ac:e4:00";
      };
    };
    # Binds on every address, v4 and v6. What is served and on which port is
    # defined in ../lib/fup.nix — presumably gated by the firewall above;
    # verify there.
    fup.listen = [ "0.0.0.0" "[::]" ];
  };

  # --------------------------------------------------------------------------
  # Services
  # --------------------------------------------------------------------------
  services = {
    # BGP session with the upstream: our router id is the transit-link address
    # and we announce the public v4 /24 and v6 /32.
    lukegbgp = {
      enable = true;
      config = {
        local.routerID = transit.v4.local;
        peering.veloxserv = {
          local = {
            asn = 205479;
            v4 = transit.v4.local;
            v6 = transit.v6.local;
          };
          remote = {
            asn = 3170;
            export_community = 4001;
            routers = [
              {
                v4 = transit.v4.remote;
                v6 = transit.v6.remote;
              }
            ];
          };
        };
        export = {
          v4 = [ "92.118.28.0/24" ];
          v6 = [ "2a09:a441::/32" ];
        };
      };
    };

    ceph = {
      mon.enable = true;
      osd = {
        enable = true;
        daemons = [ "3" ];
      };
    };

    # TLS termination for objdump.zxcvbnm.ninja. This vhost is the default
    # server, so it also answers requests whose Host header matches nothing
    # else. The backend is plain HTTP on loopback (presumably the local RADOS
    # gateway, given port 7480 — confirm). `client_max_body_size 0` removes
    # nginx's request-body size cap and `proxy_buffering off` streams bodies
    # straight through, so any upload limits must be enforced by the backend.
    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      virtualHosts."objdump.zxcvbnm.ninja" = {
        useACMEHost = "objdump.zxcvbnm.ninja";
        default = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:7480";
          extraConfig = ''
            proxy_redirect off;
            client_max_body_size 0;
            proxy_buffering off;
          '';
        };
      };
    };

    # Two VRRP instances on the management bridge; the second carries the
    # link-local address that radvd advertises as its RA source.
    keepalived = {
      enable = true;
      vrrpInstances = {
        mgmtGateway = mkMgmtVrrp 1 [
          { addr = "10.100.0.1/23"; }
          { addr = "92.118.28.1/24"; dev = "br-public"; }
        ];
        mgmtGateway6 = mkMgmtVrrp 2 [
          { addr = "fe80::f00f/64"; dev = "br-public"; }
          { addr = "2a09:a441::/48"; dev = "br-public"; }
        ];
      };
    };

    # Router advertisements on the public bridge, sourced from the VRRP
    # link-local address so clients keep the same gateway across failover.
    radvd = {
      enable = true;
      config = ''
        interface br-public {
          AdvSendAdvert on;
          MinRtrAdvInterval 30;
          MaxRtrAdvInterval 100;
          AdvRASrcAddress { fe80::f00f; };
          prefix 2a09:a441:ffff:ffff::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr off;
          };
        };
      '';
    };
  };

  # Wildcard certificate obtained via DNS-01 on Cloudflare. The API credential
  # is read from depot.ops.secrets at evaluation time and is not part of this
  # file; the key material is group-readable by nginx only.
  security.acme = {
    acceptTerms = true;
    email = "letsencrypt@lukegb.com";
    certs."objdump.zxcvbnm.ninja" = {
      group = config.services.nginx.group;
      dnsProvider = "cloudflare";
      credentialsFile = secrets.cloudflareCredentials;
      extraDomainNames = [ "*.objdump.zxcvbnm.ninja" ];
    };
  };
}