dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/britway: Add BGP
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m10s
Details

Browse Source
This commit is contained in:
Jack O'Sullivan 2023-12-19 15:51:16 +00:00
parent eda0cdbe0e
commit 9b05e7cd8d
4 changed files with 225 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/constants.nix
View File

@ -220,8 +220,13 @@ rec {
domain = "lon1.int.${pubDomain}"; domain = "lon1.int.${pubDomain}";
pubV4 = "45.76.141.188"; pubV4 = "45.76.141.188";
prefixes = { prefixes = {
vultr = {
v6 = "2001:19f0:7402:128b::/64";
};
inherit (colony.prefixes) as211024; inherit (colony.prefixes) as211024;
}; };
# Need to use this IP as the source address for BGP
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
}; };
kelder = { kelder = {

194
nixos/boxes/britway/bgp.nix Normal file
View File

@ -0,0 +1,194 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib.my.c.britway) assignedV6;
securebitSpace = "2a0e:97c0:4d0::/44";
intnet6 = "2a0e:97c0:4df::/48";
amsnet6 = "2a0e:97c0:4d2::/48";
homenet6 = "2a0e:97c0:4d0::/48";
in
{
config = {
my = {
secrets.files."britway/bgp-password-vultr.conf" = {
owner = "bird2";
group = "bird2";
};
};
environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;
systemd = {
services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
network = {
config.networkConfig.ManageForeignRoutes = false;
};
};
services = {
bird2 = {
enable = true;
preCheckConfig = ''
echo '"dummy"' > vultr-password.conf
'';
# TODO: Clean up and modularise
config = ''
define OWNAS = 211024;
define OWNIP4 = ${assignments.vultr.ipv4.address};
define OWNNETSET4 = [ ${assignments.vultr.ipv4.address}/32 ];
define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6};
define HOMENET6 = ${homenet6};
define OWNIP6 = ${assignments.vultr.ipv6.address};
define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
#define TRANSSET6 = [ ::1/128 ];
define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
define PREFIXP = 110;
define PREFPEER = 120;
filter bgp_import {
if net !~ OWNNETSET4 && net !~ OWNNETSET6 then accept; else reject;
}
filter bgp_export {
if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
}
router id from "veth0";
protocol device {}
protocol direct {
interface "veth0";
ipv4;
ipv6;
}
protocol static static4 {
ipv4 {
import all;
export none;
};
}
protocol static static6 {
# Special case: We have to do the routing on behalf of this _internal_ next-hop
route INTNET6 via "as211024";
route HOMENET6 via DUB1IP6;
ipv6 {
import all;
export none;
};
}
protocol kernel kernel4 {
ipv4 {
import none;
export none;
};
}
protocol kernel kernel6 {
ipv6 {
import none;
export none;
};
}
protocol bgp bgptools {
local as OWNAS;
multihop;
description "bgp.tools monitoring";
neighbor 2a0c:2f07:9459::b11 as 212232;
source address OWNIP6;
ipv4 {
import none;
export all;
add paths tx;
};
ipv6 {
import none;
export all;
add paths tx;
};
}
template bgp base_bgp4 {
local as OWNAS;
direct;
allow local as;
ipv4 {
import keep filtered;
export none;
};
}
template bgp upstream_bgp4 from base_bgp4 {
ipv4 {
#import none;
import filter bgp_import;
};
}
template bgp peer_bgp4 from base_bgp4 {
ipv4 {
import filter bgp_import;
preference PREFPEER;
};
}
template bgp ixp_bgp4 from base_bgp4 {
ipv4 {
import filter bgp_import;
preference PREFIXP;
};
}
template bgp base_bgp6 {
local ${assignedV6} as OWNAS;
direct;
# So we can see routes we announce from other routers
allow local as;
ipv6 {
import keep filtered;
export filter bgp_export;
};
}
template bgp upstream_bgp6 from base_bgp6 {
ipv6 {
#import none;
import filter bgp_import;
};
}
template bgp peer_bgp6 from base_bgp6 {
ipv6 {
import filter bgp_import;
preference PREFPEER;
};
}
template bgp ixp_bgp6 from base_bgp6 {
ipv6 {
import filter bgp_import;
preference PREFIXP;
};
}
protocol bgp upstream4_vultr from upstream_bgp4 {
description "Vultr transit (IPv4)";
neighbor 169.254.169.254 as 64515;
multihop 2;
password
include "vultr-password.conf";;
}
protocol bgp upstream6_vultr from upstream_bgp6 {
description "Vultr transit (IPv6)";
neighbor 2001:19f0:ffff::1 as 64515;
multihop 2;
password
include "vultr-password.conf";;
}
'';
};
};
};
}

19
nixos/boxes/britway/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.c.britway) prefixes domain pubV4; inherit (lib.my.c.britway) prefixes domain pubV4 assignedV6;
in in
{ {
nixos.systems.britway = { nixos.systems.britway = {
@ -38,6 +38,7 @@ in
{ {
imports = [ imports = [
"${modulesPath}/profiles/qemu-guest.nix" "${modulesPath}/profiles/qemu-guest.nix"
./bgp.nix
]; ];
config = mkMerge [ config = mkMerge [
@ -69,7 +70,14 @@ in
}; };
}; };
services = { }; services = {
iperf3 = {
enable = true;
openFirewall = true;
};
};
networking = { inherit domain; };
systemd.network = { systemd.network = {
links = { links = {
@ -80,7 +88,12 @@ in
}; };
networks = { networks = {
"20-veth0" = networkdAssignment "veth0" assignments.vultr; "20-veth0" = mkMerge [
(networkdAssignment "veth0" assignments.vultr)
{
address = [ assignedV6 ];
}
];
"90-l2mesh-as211024" = mkMerge [ "90-l2mesh-as211024" = mkMerge [
(networkdAssignment "as211024" assignments.as211024) (networkdAssignment "as211024" assignments.as211024)
{ {

10
secrets/britway/bgp-password-vultr.conf.age Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBsKzVa
TWhHZEVLaGRGK0NCRmdOQTFERHZYNE9kZk9yM0VFQk1yMThsdTNVCjlsOE9BS1VX
aW56TlJKTkw2VkQ0SkJpbzVmTExXYmxDRDhISDBMWno2OUUKLT4gWDI1NTE5IERn
dzNrcktvTk9pbEJiN1ppcktVN2RKaTBmR2JVd0U4Q1dWUVZRcmh6bk0KZ0tuZlc1
N2ZtaE9nWUFoS3VxZzhka1c3YkZCVnRXb1FlaWdFWEFnZUEzcwotPiB1LDl6QSkt
Z3JlYXNlIDY/aVoiQTdJIEZEdG48KiBaMkEgIl91Rwp4bWxXVEEKLS0tIERzT0I4
NE11UzRFaVhqeXVvZEFsbzJLdDFBWUUzeGlzSy9Wd0lzZmhIazQKtVqTPjM7O4+C
QQ9Nfk0O+TVxr1FH/IOoHVJ4R9v8HsuN0z5ZgLUjvIAmPLobUDTk37mu
-----END AGE ENCRYPTED FILE-----