diff --git a/lib/constants.nix b/lib/constants.nix
index 293fa71..ba17157 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -220,8 +220,13 @@ rec {
 domain = "lon1.int.${pubDomain}";
 pubV4 = "45.76.141.188";
 prefixes = {
+ vultr = {
+ v6 = "2001:19f0:7402:128b::/64";
+ };
 inherit (colony.prefixes) as211024;
 };
+ # Need to use this IP as the source address for BGP
+ assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
 };
 
 kelder = {
diff --git a/nixos/boxes/britway/bgp.nix b/nixos/boxes/britway/bgp.nix
new file mode 100644
index 0000000..11f408d
--- /dev/null
+++ b/nixos/boxes/britway/bgp.nix
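Review bot: `assignedV6` is a bare host address that has to stay inside the `prefixes.vultr.v6` /64 added three lines above it, but nothing in the hunk ties the two together and the comment does not say what consumes the address. I would widen the comment to something like `# Vultr-assigned host address inside prefixes.vultr.v6; used as the BGP local address in boxes/britway/bgp.nix and added to veth0 in boxes/britway/default.nix - keep in sync with the prefix` so a later prefix change is not made without the address. Whether the provider requires this exact address as the session source is only implied by "Need to use"; if it is a provider requirement, say so, since that is the reason a /128 cannot simply be picked from the range.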
@@ -0,0 +1,194 @@
+{ lib, pkgs, config, assignments, ... }:
+let
+ inherit (lib.my.c.britway) assignedV6;
+
+ securebitSpace = "2a0e:97c0:4d0::/44";
+ intnet6 = "2a0e:97c0:4df::/48";
+ amsnet6 = "2a0e:97c0:4d2::/48";
+ homenet6 = "2a0e:97c0:4d0::/48";
+in
+{
+ config = {
+ my = {
+ secrets.files."britway/bgp-password-vultr.conf" = {
+ owner = "bird2";
+ group = "bird2";
+ };
+ };
+
+ environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;
+
+ systemd = {
+ services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
+ network = {
+ config.networkConfig.ManageForeignRoutes = false;
+ };
+ };
+
+ services = {
+ bird2 = {
+ enable = true;
+ preCheckConfig = ''
+ echo '"dummy"' > vultr-password.conf
+ '';
+ # TODO: Clean up and modularise
+ config = ''
+ define OWNAS = 211024;
+
+ define OWNIP4 = ${assignments.vultr.ipv4.address};
+ define OWNNETSET4 = [ ${assignments.vultr.ipv4.address}/32 ];
+
+ define INTNET6 = ${intnet6};
+ define AMSNET6 = ${amsnet6};
+ define HOMENET6 = ${homenet6};
+
+ define OWNIP6 = ${assignments.vultr.ipv6.address};
+ define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
+ #define TRANSSET6 = [ ::1/128 ];
+
+ define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
+
+ define PREFIXP = 110;
+ define PREFPEER = 120;
+
+ filter bgp_import {
+ if net !~ OWNNETSET4 && net !~ OWNNETSET6 then accept; else reject;
+ }
+ filter bgp_export {
+ if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
+ }
+
+ router id from "veth0";
+
+ protocol device {}
+ protocol direct {
+ interface "veth0";
+ ipv4;
+ ipv6;
+ }
+ protocol static static4 {
+ ipv4 {
+ import all;
+ export none;
+ };
+ }
+ protocol static static6 {
+ # Special case: We have to do the routing on behalf of this _internal_ next-hop
+ route INTNET6 via "as211024";
+ route HOMENET6 via DUB1IP6;
+
+ ipv6 {
+ import all;
+ export none;
+ };
+ }
+
+ protocol kernel kernel4 {
+ ipv4 {
+ import none;
+ export none;
+ };
+ }
+ protocol kernel kernel6 {
+ ipv6 {
+ import none;
+ export none;
+ };
+ }
+
+ protocol bgp bgptools {
+ local as OWNAS;
+ multihop;
+ description "bgp.tools monitoring";
+ neighbor 2a0c:2f07:9459::b11 as 212232;
+ source address OWNIP6;
+ ipv4 {
+ import none;
+ export all;
+ add paths tx;
+ };
+ ipv6 {
+ import none;
+ export all;
+ add paths tx;
+ };
+ }
+
+ template bgp base_bgp4 {
+ local as OWNAS;
+ direct;
+ allow local as;
+ ipv4 {
+ import keep filtered;
+ export none;
+ };
+ }
+
+ template bgp upstream_bgp4 from base_bgp4 {
+ ipv4 {
+ #import none;
+ import filter bgp_import;
+ };
+ }
+ template bgp peer_bgp4 from base_bgp4 {
+ ipv4 {
+ import filter bgp_import;
+ preference PREFPEER;
+ };
+ }
+ template bgp ixp_bgp4 from base_bgp4 {
+ ipv4 {
+ import filter bgp_import;
+ preference PREFIXP;
+ };
+ }
+
+ template bgp base_bgp6 {
+ local ${assignedV6} as OWNAS;
+ direct;
+ # So we can see routes we announce from other routers
+ allow local as;
+ ipv6 {
+ import keep filtered;
+ export filter bgp_export;
+ };
+ }
+
+ template bgp upstream_bgp6 from base_bgp6 {
+ ipv6 {
+ #import none;
+ import filter bgp_import;
+ };
+ }
+ template bgp peer_bgp6 from base_bgp6 {
+ ipv6 {
+ import filter bgp_import;
+ preference PREFPEER;
+ };
+ }
+ template bgp ixp_bgp6 from base_bgp6 {
+ ipv6 {
+ import filter bgp_import;
+ preference PREFIXP;
+ };
+ }
+
+ protocol bgp upstream4_vultr from upstream_bgp4 {
+ description "Vultr transit (IPv4)";
+ neighbor 169.254.169.254 as 64515;
+ multihop 2;
+ password
+ include "vultr-password.conf";;
+ }
+ protocol bgp upstream6_vultr from upstream_bgp6 {
+ description "Vultr transit (IPv6)";
+ neighbor 2001:19f0:ffff::1 as 64515;
+ multihop 2;
+ password
+ include "vultr-password.conf";;
+ }
+ '';
+ };
+ };
+ };
+}
diff --git a/nixos/boxes/britway/default.nix b/nixos/boxes/britway/default.nix
index 8201336..1eb267b 100644
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
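Review bot: `securebitSpace` is bound in the `let` but never referenced, and `filter bgp_import` accepts every prefix that is not in `OWNNETSET4`/`OWNNETSET6`, so a more-specific of that parent /44 or a default route learned from the Vultr sessions lands in the BGP table unchallenged. Because `kernel4`/`kernel6` both have `export none` nothing reaches the kernel, so the exposure is bird's own table and what `bgptools` re-announces via `export all`, not forwarding; still, I would either use the binding in the filter, `if net ~ [ ${securebitSpace}+ ] then reject;` (the `+` form matches the /44 and every more-specific), or drop it as dead code. Separately, the `password` / `include "vultr-password.conf";;` pair only works if the secret file holds exactly a bird-quoted string with no trailing semicolon, which a reader can only infer from the `preCheckConfig` dummy; a comment above `password` stating that format would stop a silently malformed secret from reaching a session. The commented-out `#import none;` lines and `#define TRANSSET6` should go or carry a reason, given the `# TODO: Clean up and modularise` already above the config.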
@@ -1,7 +1,7 @@
 { lib, ... }:
 let
 inherit (lib.my) net;
- inherit (lib.my.c.britway) prefixes domain pubV4;
+ inherit (lib.my.c.britway) prefixes domain pubV4 assignedV6;
 in
 {
 nixos.systems.britway = {
@@ -38,6 +38,7 @@ in
 {
 imports = [
 "${modulesPath}/profiles/qemu-guest.nix"
+ ./bgp.nix
 ];
 
 config = mkMerge [
@@ -69,7 +70,14 @@ in
 };
 };
 
- services = { };
+ services = {
+ iperf3 = {
+ enable = true;
+ openFirewall = true;
+ };
+ };
+
+ networking = { inherit domain; };
 
 systemd.network = {
 links = {
@@ -80,7 +88,12 @@ in
 };
 };
 networks = {
- "20-veth0" = networkdAssignment "veth0" assignments.vultr;
+ "20-veth0" = mkMerge [
+ (networkdAssignment "veth0" assignments.vultr)
+ {
+ address = [ assignedV6 ];
+ }
+ ];
 "90-l2mesh-as211024" = mkMerge [
 (networkdAssignment "as211024" assignments.as211024)
 {
diff --git a/secrets/britway/bgp-password-vultr.conf.age b/secrets/britway/bgp-password-vultr.conf.age
new file mode 100644
index 0000000..ce61012
--- /dev/null
+++ b/secrets/britway/bgp-password-vultr.conf.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBsKzVa
+TWhHZEVLaGRGK0NCRmdOQTFERHZYNE9kZk9yM0VFQk1yMThsdTNVCjlsOE9BS1VX
+aW56TlJKTkw2VkQ0SkJpbzVmTExXYmxDRDhISDBMWno2OUUKLT4gWDI1NTE5IERn
+dzNrcktvTk9pbEJiN1ppcktVN2RKaTBmR2JVd0U4Q1dWUVZRcmh6bk0KZ0tuZlc1
+N2ZtaE9nWUFoS3VxZzhka1c3YkZCVnRXb1FlaWdFWEFnZUEzcwotPiB1LDl6QSkt
+Z3JlYXNlIDY/aVoiQTdJIEZEdG48KiBaMkEgIl91Rwp4bWxXVEEKLS0tIERzT0I4
+NE11UzRFaVhqeXVvZEFsbzJLdDFBWUUzeGlzSy9Wd0lzZmhIazQKtVqTPjM7O4+C
+QQ9Nfk0O+TVxr1FH/IOoHVJ4R9v8HsuN0z5ZgLUjvIAmPLobUDTk37mu
+-----END AGE ENCRYPTED FILE-----
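Review bot: `services.iperf3.openFirewall = true` in the third hunk opens the iperf3 port on every interface, and this host has a public IPv4 (`pubV4` is imported at the top of the file) plus the public IPv6 being added in the same commit, so any remote party can run bandwidth tests against the transit link with no authentication. If the server is for internal measurement, leave `openFirewall` off and allow the port only on the mesh interface with `networking.firewall.interfaces.<name>.allowedTCPPorts`, or at least turn on iperf3's client authentication via `services.iperf3.authorizedUsersFile` and `rsaPrivateKey`. The enclosing `config = mkMerge [` block starts and ends outside the hunk.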
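Review bot: In the last hunk `address = [ assignedV6 ];` adds the constant with no prefix length, while the matching `prefixes.vultr.v6` in lib/constants.nix is a /64, so the on-link scope networkd ends up with is whatever its default for a bare address is rather than a stated choice, and it may differ from what `networkdAssignment "veth0" assignments.vultr` configures for the primary address (that helper is outside this diff, so this is a hedge). Writing it as `address = [ "${assignedV6}/64" ];`, or `/128` if it is meant purely as a source address for the BGP session, records the intent. The `systemd.network.networks` attribute set continues past the end of the hunk.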