nixos/estuary: Announce and route internal / home prefixes

nixos/boxes/colony/vms/estuary/bgp.nix

@@ -1,7 +1,9 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
   securebitSpace = "2a0e:97c0:4d0::/44";
+  intnet6 = "2a0e:97c0:4df::/48";
   amsnet6 = "2a0e:97c0:4d2::/48";
+  homenet6 = "2a0e:97c0:4d0::/48";
 in
 {
   config = {
@@ -14,12 +16,12 @@ in
           define OWNIP4 = ${assignments.internal.ipv4.address};
           define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
 
-          define INTNET6 = 2a0e:97c0:4df::/48;
+          define INTNET6 = ${intnet6};
           define AMSNET6 = ${amsnet6};
-          define HOMENET6 = 2a0e:97c0:4d0::/48;
+          define HOMENET6 = ${homenet6};
 
           define OWNIP6 = ${assignments.internal.ipv6.address};
-          define OWNNETSET6 = [ ${amsnet6} ];
+          define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
           #define TRANSSET6 = [ ::1/128 ];
 
           define DUB1IP6 = 2a0e:97c0:4df:0:2::1;
@@ -45,9 +47,9 @@ in
           }
           protocol static {
             # Special case: We have to do the routing on behalf of this _internal_ next-hop
-            #route INTNET6 via "devplayer0";
+            route INTNET6 via "as211024";
             route AMSNET6 via "base";
-            #route HOMENET6 via DUB1IP6;
+            route HOMENET6 via DUB1IP6;
             ipv6 {
               import all;
               export none;
@@ -68,6 +70,7 @@ in
             ipv6 {
               import none;
               export filter {
+                if net = HOMENET6 then accept;
                 if net ~ OWNNETSET6 then reject;
                 krt_prefsrc = OWNIP6;
                 accept;

nixos/boxes/colony/vms/estuary/default.nix

@@ -1,4 +1,21 @@
-{ lib, ... }: {
+{ lib, ... }:
+let
+  pubV4 = "94.142.240.44";
+in
+{
+  nixos = {
+    vpns = {
+      l2 = {
+        as211024 = {
+          vni = 211024;
+          peers = {
+            estuary.addr = pubV4;
+            home.addr = "109.255.1.83";
+          };
+        };
+      };
+    };
+  };
   nixos.systems.estuary = {
     system = "x86_64-linux";
     nixpkgs = "mine";
@@ -10,7 +27,7 @@
         altNames = [ "fw" ];
         domain = lib.my.colony.domain;
         ipv4 = {
-          address = "94.142.240.44";
+          address = pubV4;
           mask = 24;
           gateway = "94.142.240.254";
           genPTR = false;
@@ -31,6 +48,13 @@
         };
         ipv6.address = "${lib.my.colony.start.base.v6}1";
       };
+      as211024 = {
+        ipv4 = {
+          address = "10.255.3.1";
+          gateway = null;
+        };
+        ipv6.address = "2a0e:97c0:4df:0:3::1";
+      };
     };
 
     configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -180,6 +204,14 @@
                       ]) [ "vms" "ctrs" "oci" ])));
                   }
                 ];
+
+                "90-l2mesh-as211024" = {
+                  address = with assignments.as211024; [
+                    (with ipv4; "${address}/${toString mask}")
+                    (with ipv6; "${address}/${toString mask}")
+                  ];
+                  networkConfig.IPv6AcceptRA = false;
+                };
               };
             };
 
@@ -189,7 +221,7 @@
               server.enable = true;
 
               firewall = {
-                trustedInterfaces = [ "base" ];
+                trustedInterfaces = [ "base" "as211024" ];
                 udp.allowed = [ 5353 ];
                 tcp.allowed = [ 5353 ];
                 nat = {
@@ -250,6 +282,7 @@
                     }
                     chain forward {
                       iifname wan oifname base jump filter-routing
+                      oifname as211024 accept
                     }
                   }
                   table inet nat {