nixos/estuary: Announce and route internal / home prefixes

2022-10-16 19:07:41 +01:00 · 2022-10-16 19:07:41 +01:00 · 02395acaf1
commit 02395acaf1
parent 681ad3fe9f
2 changed files with 44 additions and 8 deletions
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@ -1,7 +1,9 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
  securebitSpace = "2a0e:97c0:4d0::/44";
+  intnet6 = "2a0e:97c0:4df::/48";
  amsnet6 = "2a0e:97c0:4d2::/48";
+  homenet6 = "2a0e:97c0:4d0::/48";
 in
 {
  config = {
@ -14,12 +16,12 @@ in
          define OWNIP4 = ${assignments.internal.ipv4.address};
          define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];

-          define INTNET6 = 2a0e:97c0:4df::/48;
+          define INTNET6 = ${intnet6};
          define AMSNET6 = ${amsnet6};
-          define HOMENET6 = 2a0e:97c0:4d0::/48;
+          define HOMENET6 = ${homenet6};

          define OWNIP6 = ${assignments.internal.ipv6.address};
-          define OWNNETSET6 = [ ${amsnet6} ];
+          define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
          #define TRANSSET6 = [ ::1/128 ];

          define DUB1IP6 = 2a0e:97c0:4df:0:2::1;
@ -45,9 +47,9 @@ in
          }
          protocol static {
            # Special case: We have to do the routing on behalf of this _internal_ next-hop
-            #route INTNET6 via "devplayer0";
+            route INTNET6 via "as211024";
            route AMSNET6 via "base";
-            #route HOMENET6 via DUB1IP6;
+            route HOMENET6 via DUB1IP6;
            ipv6 {
              import all;
              export none;
@ -68,6 +70,7 @@ in
            ipv6 {
              import none;
              export filter {
+                if net = HOMENET6 then accept;
                if net ~ OWNNETSET6 then reject;
                krt_prefsrc = OWNIP6;
                accept;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -1,4 +1,21 @@
-{ lib, ... }: {
+{ lib, ... }:
+let
+  pubV4 = "94.142.240.44";
+in
+{
+  nixos = {
+    vpns = {
+      l2 = {
+        as211024 = {
+          vni = 211024;
+          peers = {
+            estuary.addr = pubV4;
+            home.addr = "109.255.1.83";
+          };
+        };
+      };
+    };
+  };
  nixos.systems.estuary = {
    system = "x86_64-linux";
    nixpkgs = "mine";
@ -10,7 +27,7 @@
        altNames = [ "fw" ];
        domain = lib.my.colony.domain;
        ipv4 = {
-          address = "94.142.240.44";
+          address = pubV4;
          mask = 24;
          gateway = "94.142.240.254";
          genPTR = false;
@ -31,6 +48,13 @@
        };
        ipv6.address = "${lib.my.colony.start.base.v6}1";
      };
+      as211024 = {
+        ipv4 = {
+          address = "10.255.3.1";
+          gateway = null;
+        };
+        ipv6.address = "2a0e:97c0:4df:0:3::1";
+      };
    };

    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@ -180,6 +204,14 @@
                      ]) [ "vms" "ctrs" "oci" ])));
                  }
                ];
+
+                "90-l2mesh-as211024" = {
+                  address = with assignments.as211024; [
+                    (with ipv4; "${address}/${toString mask}")
+                    (with ipv6; "${address}/${toString mask}")
+                  ];
+                  networkConfig.IPv6AcceptRA = false;
+                };
              };
            };

@ -189,7 +221,7 @@
              server.enable = true;

              firewall = {
-                trustedInterfaces = [ "base" ];
+                trustedInterfaces = [ "base" "as211024" ];
                udp.allowed = [ 5353 ];
                tcp.allowed = [ 5353 ];
                nat = {
@ -250,6 +282,7 @@
                    }
                    chain forward {
                      iifname wan oifname base jump filter-routing
+                      oifname as211024 accept
                    }
                  }
                  table inet nat {