dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos: Working l2mesh with IPsec
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 17m15s
Details

Browse Source
This commit is contained in:
Jack O'Sullivan
2023-11-26 01:29:44 +00:00
parent 7404779c6d
commit 0cc35547f2
9 changed files with 188 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@@ -29,7 +29,7 @@ in
define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
#define TRANSSET6 = [ ::1/128 ];
define DUB1IP6 = 2a0e:97c0:4df:0:2::1;
define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
define PREFIXP = 110;
define PREFPEER = 120;

70
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -1,9 +1,8 @@
{ lib, ... }:
let
inherit (builtins) elemAt;
inherit (lib.my) net;
inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44";
inherit (lib.my.c.colony) pubV4 domain prefixes;
in
{
nixos = {
@@ -11,9 +10,11 @@ in
l2 = {
as211024 = {
vni = 211024;
security.enable = true;
peers = {
estuary.addr = pubV4;
home.addr = "188.141.75.2";
# river.addr = elemAt lib.my.c.home.routersPubV4 0;
stream.addr = elemAt lib.my.c.home.routersPubV4 1;
};
};
};
@@ -53,10 +54,10 @@ in
};
as211024 = {
ipv4 = {
address = "10.255.3.1";
address = net.cidr.host 1 prefixes.as211024.v4;
gateway = null;
};
ipv6.address = "2a0e:97c0:4df:0:3::1";
ipv6.address = net.cidr.host 1 prefixes.as211024.v6;
};
};
@@ -90,6 +91,7 @@ in
environment = {
systemPackages = with pkgs; [
ethtool
conntrack-tools
wireguard-tools
];
};
@@ -114,34 +116,19 @@ in
};
systemd = {
services = {
# Use this as a way to make sure the router always knows we're here (NDP seems kindy funky)
ipv6-neigh-keepalive =
let
waitOnline = "systemd-networkd-wait-online@wan.service";
in
{
description = "Frequent ICMP6 neighbour solicitations";
enable = false;
requires = [ waitOnline ];
after = [ waitOnline ];
script = ''
while true; do
${pkgs.ndisc6}/bin/ndisc6 ${assignments.internal.ipv6.gateway} wan
sleep 10
done
'';
wantedBy = [ "multi-user.target" ];
};
bird2 =
let
waitOnline = "systemd-networkd-wait-online@wan.service";
in
{
services =
let
waitOnline = "systemd-networkd-wait-online@wan.service";
in
{
bird2 = {
after = [ waitOnline ];
# requires = [ waitOnline ];
};
ipsec = {
after = [ waitOnline ];
requires = [ waitOnline ];
};
};
};
@@ -337,14 +324,13 @@ in
}
];
"90-l2mesh-as211024" = {
matchConfig.Name = "as211024";
address = with assignments.as211024; [
(with ipv4; "${address}/${toString mask}")
(with ipv6; "${address}/${toString mask}")
];
networkConfig.IPv6AcceptRA = false;
};
"90-l2mesh-as211024" = mkMerge [
(networkdAssignment "as211024" assignments.as211024)
{
matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false;
}
];
"95-kelder" = {
matchConfig.Name = "kelder";
routes = [
@@ -366,10 +352,16 @@ in
"estuary/kelder-wg.key" = {
owner = "systemd-network";
};
"l2mesh/as211024.key" = {};
};
};
server.enable = true;
vpns = {
l2.pskFiles = {
as211024 = config.age.secrets."l2mesh/as211024.key".path;
};
};
firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];

38
nixos/boxes/home/routing-common/default.nix
View File

@@ -1,4 +1,4 @@
index: { lib, ... }:
index: { lib, allAssignments, ... }:
let
inherit (builtins) elemAt;
inherit (lib.my) net;
@@ -54,6 +54,13 @@ in
};
ipv6.address = net.cidr.host (index + 1) prefixes.untrusted.v6;
};
as211024 = {
ipv4 = {
address = net.cidr.host (index + 2) prefixes.as211024.v4;
gateway = null;
};
ipv6.address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6;
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
@@ -72,6 +79,7 @@ in
environment = {
systemPackages = with pkgs; [
ethtool
conntrack-tools
];
};
@@ -107,6 +115,17 @@ in
networking.domain = "h.${pubDomain}";
systemd.services = {
ipsec =
let
waitOnline = "systemd-networkd-wait-online@wan.service";
in
{
after = [ waitOnline ];
requires = [ waitOnline ];
};
};
systemd.network = {
wait-online.enable = false;
config = {
@@ -277,6 +296,14 @@ in
networkConfig.IPv6AcceptRA = mkForce false;
}
];
"90-l2mesh-as211024" = mkMerge [
(networkdAssignment "as211024" assignments.as211024)
{
matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false;
}
];
}
(mkVLANConfig "hi" 9000)
@@ -288,12 +315,15 @@ in
my = {
secrets = {
files = {
# "estuary/kelder-wg.key" = {
# owner = "systemd-network";
# };
"l2mesh/as211024.key" = {};
};
};
vpns = {
l2.pskFiles = {
as211024 = config.age.secrets."l2mesh/as211024.key".path;
};
};
firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" ];
udp.allowed = [ 5353 ];

1
nixos/boxes/home/routing-common/dns.nix
View File

@@ -49,6 +49,7 @@ in
query-local-address = [
# TODO: IPv6
"0.0.0.0"
"::"
# TODO: Dynamic IPv4 WAN address?
# assignments.internal.ipv4.address
# assignments.internal.ipv6.address

3
nixos/boxes/home/routing-common/keepalived.nix
View File

@@ -4,9 +4,10 @@ let
inherit (lib.my) net;
inherit (lib.my.c.home) prefixes vips;
vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
vrrpIPs = family: map (vlan: {
addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
dev = "lan-${vlan}";
dev = vlanIface vlan;
}) (attrNames vips);
mkVRRP = family: routerId: {
state = if index == 0 then "MASTER" else "BACKUP";