From 02395acaf12e35738d19939a1d925ccafdb2937b Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 16 Oct 2022 19:07:41 +0100
Subject: [PATCH] nixos/estuary: Announce and route internal / home prefixes

---
 nixos/boxes/colony/vms/estuary/bgp.nix | 13 +++++---
 nixos/boxes/colony/vms/estuary/default.nix | 39 ++++++++++++++++++++--
 2 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/nixos/boxes/colony/vms/estuary/bgp.nix b/nixos/boxes/colony/vms/estuary/bgp.nix
index 8ffa978..b73a0ad 100644
--- a/nixos/boxes/colony/vms/estuary/bgp.nix
+++ b/nixos/boxes/colony/vms/estuary/bgp.nix
@@ -1,7 +1,9 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
 securebitSpace = "2a0e:97c0:4d0::/44";
+intnet6 = "2a0e:97c0:4df::/48";
 amsnet6 = "2a0e:97c0:4d2::/48";
+homenet6 = "2a0e:97c0:4d0::/48";
 in
 {
 config = {
@@ -14,12 +16,12 @@ in
 define OWNIP4 = ${assignments.internal.ipv4.address};
 define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
-define INTNET6 = 2a0e:97c0:4df::/48;
+define INTNET6 = ${intnet6};
 define AMSNET6 = ${amsnet6};
-define HOMENET6 = 2a0e:97c0:4d0::/48;
+define HOMENET6 = ${homenet6};
 define OWNIP6 = ${assignments.internal.ipv6.address};
-define OWNNETSET6 = [ ${amsnet6} ];
+define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
 #define TRANSSET6 = [ ::1/128 ];
 define DUB1IP6 = 2a0e:97c0:4df:0:2::1;
@@ -45,9 +47,9 @@ in
 }
 protocol static {
 # Special case: We have to do the routing on behalf of this _internal_ next-hop
-#route INTNET6 via "devplayer0";
+route INTNET6 via "as211024";
 route AMSNET6 via "base";
-#route HOMENET6 via DUB1IP6;
+route HOMENET6 via DUB1IP6;
 ipv6 {
 import all;
 export none;
@@ -68,6 +70,7 @@ in
 ipv6 {
 import none;
 export filter {
+if net = HOMENET6 then accept;
 if net ~ OWNNETSET6 then reject;
 krt_prefsrc = OWNIP6;
 accept;
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index 14d1a0d..07624df 100644
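Review bot: The export filter now accepts HOMENET6 ahead of the OWNNETSET6 reject, but the new `route INTNET6 via "as211024"` from the previous hunk is left inside OWNNETSET6 (which this diff extends with `${intnet6}`), so that static route is still rejected from the kernel table and only whatever the kernel learns from the as211024 interface address (mask not visible here) covers 2a0e:97c0:4df::/48; if the whole /48 is meant to be forwarded over the mesh the accept should cover it too, `if net = HOMENET6 || net = INTNET6 then accept;`, otherwise the asymmetry deserves a comment. The early accept also skips `krt_prefsrc = OWNIP6`, so the HOMENET6 kernel route is installed without a preferred source — presumably fine for a transit route, but worth recording with a comment such as `# HOMENET6 is ours but sits behind DUB1IP6, so it must reach the kernel; no prefsrc wanted`. The enclosing protocol block and its export filter start and end outside the hunk.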
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -1,4 +1,21 @@
-{ lib, ... }: {
+{ lib, ... }:
+let
+pubV4 = "94.142.240.44";
+in
+{
+nixos = {
+vpns = {
+l2 = {
+as211024 = {
+vni = 211024;
+peers = {
+estuary.addr = pubV4;
+home.addr = "109.255.1.83";
+};
+};
+};
+};
+};
 nixos.systems.estuary = {
 system = "x86_64-linux";
 nixpkgs = "mine";
@@ -10,7 +27,7 @@
 altNames = [ "fw" ];
 domain = lib.my.colony.domain;
 ipv4 = {
-address = "94.142.240.44";
+address = pubV4;
 mask = 24;
 gateway = "94.142.240.254";
 genPTR = false;
@@ -31,6 +48,13 @@
 };
 ipv6.address = "${lib.my.colony.start.base.v6}1";
 };
+as211024 = {
+ipv4 = {
+address = "10.255.3.1";
+gateway = null;
+};
+ipv6.address = "2a0e:97c0:4df:0:3::1";
+};
 };
 configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -180,6 +204,14 @@
 ]) [ "vms" "ctrs" "oci" ])));
 }
 ];
+
+"90-l2mesh-as211024" = {
+address = with assignments.as211024; [
+(with ipv4; "${address}/${toString mask}")
+(with ipv6; "${address}/${toString mask}")
+];
+networkConfig.IPv6AcceptRA = false;
+};
 };
 };
@@ -189,7 +221,7 @@
 server.enable = true;
 firewall = {
-trustedInterfaces = [ "base" ];
+trustedInterfaces = [ "base" "as211024" ];
 udp.allowed = [ 5353 ];
 tcp.allowed = [ 5353 ];
 nat = {
@@ -250,6 +282,7 @@
 }
 chain forward {
 iifname wan oifname base jump filter-routing
+oifname as211024 accept
 }
 }
 table inet nat {
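Review bot: The new `"90-l2mesh-as211024"` unit renders `${address}/${toString mask}` for both families, but the `as211024` assignment added earlier in this diff sets no `mask` for `ipv4` or `ipv6` (only `gateway = null`), so the on-link prefix of the mesh interface depends on a default from the assignments module that is not visible here. Whether the home peer's addresses are meant to be on-link or reached only via the BGP static route cannot be told from the hunk; a comment on the assignment such as `# mask left at the module default; the /48 behind the peer is routed via BGP, not on-link` would make the intent checkable. The enclosing networks attribute set starts before the hunk.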
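Review bot: `oifname as211024 accept` in the forward chain carries no `iifname` qualifier, so traffic arriving on `wan` and destined for the home or internal prefixes is forwarded into the mesh without passing the `filter-routing` chain that the line above applies to wan→base traffic; unless the mesh peer enforces its own ingress policy, `iifname base oifname as211024 accept` together with `iifname wan oifname as211024 jump filter-routing` would keep both internal networks under the same policy. The previous hunk widens trust in the same direction by adding `as211024` to `trustedInterfaces`, which accepts all input from the mesh peer. Both may well be intended for a trusted home site, but a comment on the forward rule stating that the mesh is treated as an internal interface would make that explicit. The enclosing table block starts and ends outside the hunk.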