diff --git a/flake/nixosConfigurations.nix b/flake/nixosConfigurations.nix
index be4df26..b00570c 100644
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -52,6 +52,9 @@ let
{};
in
secrets;
+
+ # Enable clerie common config
+ profiles.clerie.common.enable = true;
})
# Config to be applied to every host
diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix
index 47da03f..6eb8ea2 100644
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -4,49 +4,41 @@
imports =
[
./hardware-configuration.nix
- ../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
+ profiles.clerie.common-networking.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
- networking.useDHCP = false;
- networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
- # VM Nat Netz mercury
- networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
- # OSPF Netz
- networking.interfaces.ens19 = {};
- # IPv6 Uplink
- networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
-
- networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
- networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "ens20";
+ address = [
+ "2001:638:904:ffc9::7/64"
+ ];
+ routes = [
+ { Gateway = "2001:638:904:ffc9::1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-nat-netz-mercury" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "192.168.10.23/24"
+ ];
+ routes = [
+ { Gateway = "192.168.10.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-dn42-ospf-netz" = {
+ matchConfig.Name = "ens19";
+ linkConfig.RequiredForOnline = "no";
+ };
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
- # n0emis
- wg0197 = {
- ips = [
- "fe80::42:1/128"
- # peer fe80::42:42:1/128
- ];
- postSetup = ''
- ip -6 route flush dev wg0197
- ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
- '';
- listenPort = 50197;
- allowedIPsAsRoutes = false;
- peers = [
- {
- allowedIPs = [ "fe80::/10" "fd00::/8" ];
- endpoint = "himalia.dn42.n0emis.eu:52574";
- publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
- }
- ];
- privateKeyFile = config.sops.secrets.wg0197.path;
- };
# e1mo
wg0565 = {
ips = [
@@ -126,27 +118,6 @@
];
privateKeyFile = config.sops.secrets.wg1280.path;
};
- # perflyst
- wg1302 = {
- ips = [
- "fe80::a14e/128"
- # peer fe80::a14d/128
- ];
- postSetup = ''
- ip -6 route flush dev wg1302
- ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
- '';
- listenPort = 51302;
- allowedIPsAsRoutes = false;
- peers = [
- {
- allowedIPs = [ "fe80::/10" "fd00::/8" ];
- endpoint = "[2a03:4000:6:f6ed::1]:22574";
- publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
- }
- ];
- privateKeyFile = config.sops.secrets.wg1302.path;
- };
# lutoma
wg4719 = {
ips = [
@@ -169,164 +140,65 @@
};
};
- petabyte.policyrouting = {
+ profiles.clerie.dn42-router = {
enable = true;
- rules6 = [
- { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
- { rule = "from all to all lookup 2342"; prio = 10000; }
- { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
- { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+ loopbackIp = "fd56:4902:eca0:1::1";
+ routerId = "192.168.10.23";
+
+ ospfInterfaces = [
+ "ens19"
+ ];
+
+ ibgpPeers = [
+ {
+ peerName = "gw5";
+ remoteAddress = "fd56:4902:eca0:5::1";
+ }
+ {
+ peerName = "gw6";
+ remoteAddress = "fd56:4902:eca0:6::1";
+ }
+ ];
+
+ wireguardPeers = [
+ {
+ peerName = "peer_0565";
+ remoteAddress = "fe80::565";
+ interfaceName = "wg0565";
+ remoteAsn = "4242420565";
+ localAddress = "fe80::2574";
+ }
+ {
+ peerName = "peer_1271_north";
+ remoteAddress = "fe80::2";
+ interfaceName = "wg1271";
+ remoteAsn = "4242421271";
+ localAddress = "fe80::1";
+ }
+ {
+ peerName = "peer_1271_south";
+ remoteAddress = "fe80::1:2";
+ interfaceName = "wg1272";
+ remoteAsn = "4242421271";
+ localAddress = "fe80::1:1";
+ }
+ {
+ peerName = "peer_1280_wg1";
+ remoteAddress = "fde3:4c0d:2836:ff00::20";
+ interfaceName = "wg1280";
+ remoteAsn = "4242421280";
+ localAddress = "fde3:4c0d:2836:ff00::21";
+ }
+ {
+ peerName = "peer_4719";
+ remoteAddress = "fe80::acab";
+ interfaceName = "wg4719";
+ remoteAsn = "64719";
+ localAddress = "fe80::1";
+ }
];
};
- services.bird.enable = true;
- services.bird.package = pkgs.bird2;
- services.bird.config = ''
- router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
-
- ipv6 table ospf6;
- ipv6 table bgp6;
-
- protocol direct {
- interface "lo";
- ipv6 {
- table ospf6;
- };
- }
-
- protocol static {
- ipv6 {
- table bgp6;
- };
- route fd56:4902:eca0::/48 via "lo";
- route fd56:4902:eca0::/52 via "lo";
- }
-
- protocol kernel {
- ipv6 {
- table ospf6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:1::1;
- accept;
- };
- import none;
- };
- kernel table 1337;
- }
-
- protocol kernel {
- ipv6 {
- table bgp6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:1::1;
- accept;
- };
- import none;
- };
- kernel table 2342;
- }
-
- protocol ospf v3 {
- ipv6 {
- table ospf6;
- import all;
- export all;
- };
- area 0 {
- interface "ens19" {
- cost 80;
- type broadcast;
- };
- };
- }
-
- protocol bgp gw5 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:5::1 as 4242422574;
- source address fd56:4902:eca0:1::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- protocol bgp gw6 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:6::1 as 4242422574;
- source address fd56:4902:eca0:1::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- template bgp bgp_peer {
- local as 4242422574;
- graceful restart on;
- ipv6 {
- table bgp6;
- next hop self;
- import keep filtered;
- import filter {
- if net ~ [fd00::/8{48,64}] then accept;
- reject;
- };
- export filter {
- if net ~ [fd00::/8{48,64}] then accept;
- reject;
- };
- };
- }
-
- protocol bgp peer_0197_himalia from bgp_peer {
- neighbor fe80::42:42:1%wg0197 as 4242420197;
- source address fe80::42:1;
- }
-
- protocol bgp peer_0565 from bgp_peer {
- neighbor fe80::565%wg0565 as 4242420565;
- source address fe80::2574;
- }
-
- protocol bgp peer_1271_north from bgp_peer {
- neighbor fe80::2%wg1271 as 4242421271;
- source address fe80::1;
- }
-
- protocol bgp peer_1271_south from bgp_peer {
- neighbor fe80::1:2%wg1272 as 4242421271;
- source address fe80::1:1;
- }
-
- protocol bgp peer_1280_wg1 from bgp_peer {
- neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
- source address fde3:4c0d:2836:ff00::21;
- }
-
- protocol bgp peer_1302 from bgp_peer {
- neighbor fe80::a14d%wg1302 as 4242421302;
- source address fe80::a14e;
- }
-
- protocol bgp peer_4719 from bgp_peer {
- neighbor fe80::acab%wg4719 as 64719;
- }
-
- protocol device {
- scan time 10;
- }
- '';
-
clerie.system-auto-upgrade = {
allowReboot = true;
autoUpgrade = true;
diff --git a/hosts/dn42-il-gw5/configuration.nix b/hosts/dn42-il-gw5/configuration.nix
index 7bad687..73c43e6 100644
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -4,182 +4,108 @@
imports =
[
./hardware-configuration.nix
- ../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
+ profiles.clerie.common-networking.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
- networking.useDHCP = false;
- # VM Nat Netz mercury
- networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
- # OSPF Netz
- networking.interfaces.ens19 = {};
- # Lokales Netz
- networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
- # IPv6 Uplink
- networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
- # Ildix
- networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
-
- networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
- networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
-
- petabyte.policyrouting = {
- enable = true;
- rules6 = [
- { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
- { rule = "from all to all lookup 2342"; prio = 10000; }
- { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
- { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "ens21";
+ address = [
+ "2001:638:904:ffc9::a/64"
];
+ routes = [
+ { Gateway = "2001:638:904:ffc9::1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-nat-netz-mercury" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "192.168.10.25/24"
+ ];
+ routes = [
+ { Gateway = "192.168.10.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-dn42-ospf-netz" = {
+ matchConfig.Name = "ens19";
+ linkConfig.RequiredForOnline = "no";
+ };
+ systemd.network.networks."10-dn42-lokales-netz" = {
+ # Aktuell nicht verwendet, da in lo-dn42 umgezogen
+ matchConfig.Name = "ens20";
+ linkConfig.RequiredForOnline = "no";
+ };
+ systemd.network.networks."10-dn42-ildix" = {
+ matchConfig.Name = "ens22";
+ address = [
+ "fd81:edb3:71d8:ffff:2574::5/64"
+ ];
+ linkConfig.RequiredForOnline = "no";
};
- services.bird.enable = true;
- services.bird.package = pkgs.bird2;
- services.bird.config = ''
- router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+ profiles.clerie.dn42-router = {
+ enable = true;
+ loopbackIp = "fd56:4902:eca0:5::1";
+ routerId = "192.168.10.25";
- ipv6 table ospf6;
- ipv6 table bgp6;
+ ospfInterfaces = [
+ "ens19"
+ ];
- protocol direct {
- interface "ens20";
- ipv6 {
- table ospf6;
- };
- }
+ ibgpPeers = [
+ {
+ peerName = "gw1";
+ remoteAddress = "fd56:4902:eca0:1::1";
+ }
+ {
+ peerName = "gw6";
+ remoteAddress = "fd56:4902:eca0:6::1";
+ }
+ ];
- protocol static {
- ipv6 {
- table bgp6;
+ bgpPeers = [
+ {
+ peerName = "peer_ildix_clerie";
+ localAddress = "fd81:edb3:71d8:ffff:2574::5";
+ remoteAddress = "fd81:edb3:71d8:ffff::13";
+ remoteAsn = "4242422953";
+ }
+ {
+ peerName = "peer_ildix_nex";
+ localAddress = "fd81:edb3:71d8:ffff:2574::5";
+ remoteAddress = "fd81:edb3:71d8:ffff::14";
+ remoteAsn = "4242422953";
+ }
+ ];
+
+ birdExtraConfig = ''
+ # Internal
+ protocol bgp peer_2953_dn42_ildix_service {
+ local as 4242422574;
+ neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+ source address fd81:edb3:71d8:ffff:2574::5;
+ multihop 64;
+ ipv6 {
+ table bgp6;
+ igp table ospf6;
+ next hop keep;
+ add paths tx;
+ import filter {
+ reject;
};
- route fd56:4902:eca0::/48 via "lo";
- route fd56:4902:eca0::/52 via "lo";
- }
-
- protocol kernel {
- ipv6 {
- table ospf6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:5::1;
- accept;
- };
- import none;
- };
- kernel table 1337;
- }
-
- protocol kernel {
- ipv6 {
- table bgp6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:5::1;
- accept;
- };
- import none;
+ export filter {
+ accept;
};
- kernel table 2342;
- }
-
- protocol ospf v3 {
- ipv6 {
- table ospf6;
- import all;
- export all;
- };
- area 0 {
- interface "ens19" {
- cost 80;
- type broadcast;
- };
- };
- }
-
- protocol bgp gw1 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:1::1 as 4242422574;
- source address fd56:4902:eca0:5::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- protocol bgp gw6 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:6::1 as 4242422574;
- source address fd56:4902:eca0:5::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- template bgp ildix {
- local as 4242422574;
- graceful restart on;
- source address fd81:edb3:71d8:ffff:2574::5;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import filter {
- if net ~ [fd00::/8{8,64}] then accept;
- reject;
- };
- export filter {
- if net ~ [fd00::/8{8,64}] then accept;
- reject;
- };
- };
- }
-
- protocol bgp peer_ildix_clerie from ildix {
- neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
- }
-
- protocol bgp peer_ildix_nex from ildix {
- neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
- }
-
- # Internal
- protocol bgp peer_2953_dn42_ildix_service {
- local as 4242422574;
- neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
- source address fd81:edb3:71d8:ffff:2574::5;
- multihop 64;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop keep;
- add paths tx;
- import filter {
- reject;
- };
- export filter {
- accept;
- };
- };
- }
-
- protocol device {
- scan time 10;
- }
- '';
+ };
+ }
+ '';
+ };
clerie.system-auto-upgrade = {
allowReboot = true;
diff --git a/hosts/dn42-il-gw6/configuration.nix b/hosts/dn42-il-gw6/configuration.nix
index 1eb5193..1615e77 100644
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -4,182 +4,103 @@
imports =
[
./hardware-configuration.nix
- ../../configuration/dn42
];
profiles.clerie.cybercluster-vm.enable = true;
+ profiles.clerie.common-networking.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
- networking.useDHCP = false;
- networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
- # IPv6 Uplink
- networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
- # Ildix
- networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
- # VM Nat Netz mercury
- networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
- # OSPF Netz
- networking.interfaces.ens21 = {};
-
-
- networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
- networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
-
- petabyte.policyrouting = {
- enable = true;
- rules6 = [
- { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
- { rule = "from all to all lookup 2342"; prio = 10000; }
- { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
- { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "2001:638:904:ffc9::9/64"
];
+ routes = [
+ { Gateway = "2001:638:904:ffc9::1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-nat-netz-mercury" = {
+ matchConfig.Name = "ens20";
+ address = [
+ "192.168.10.26/24"
+ ];
+ routes = [
+ { Gateway = "192.168.10.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ systemd.network.networks."10-dn42-ospf-netz" = {
+ matchConfig.Name = "ens21";
+ linkConfig.RequiredForOnline = "no";
+ };
+ systemd.network.networks."10-dn42-ildix" = {
+ matchConfig.Name = "ens19";
+ address = [
+ "fd81:edb3:71d8:ffff:2574::6/64"
+ ];
+ linkConfig.RequiredForOnline = "no";
};
- services.bird.enable = true;
- services.bird.package = pkgs.bird2;
- services.bird.config = ''
- router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
+ profiles.clerie.dn42-router = {
+ enable = true;
+ loopbackIp = "fd56:4902:eca0:6::1";
+ routerId = "192.168.10.26";
- ipv6 table ospf6;
- ipv6 table bgp6;
+ ospfInterfaces = [
+ "ens21"
+ ];
- protocol direct {
- interface "lo";
- ipv6 {
- table ospf6;
- };
- }
+ ibgpPeers = [
+ {
+ peerName = "gw1";
+ remoteAddress = "fd56:4902:eca0:1::1";
+ }
+ {
+ peerName = "gw5";
+ remoteAddress = "fd56:4902:eca0:5::1";
+ }
+ ];
- protocol static {
- ipv6 {
- table bgp6;
+ bgpPeers = [
+ {
+ peerName = "peer_ildix_clerie";
+ localAddress = "fd81:edb3:71d8:ffff:2574::6";
+ remoteAddress = "fd81:edb3:71d8:ffff::13";
+ remoteAsn = "4242422953";
+ }
+ {
+ peerName = "peer_ildix_nex";
+ localAddress = "fd81:edb3:71d8:ffff:2574::6";
+ remoteAddress = "fd81:edb3:71d8:ffff::14";
+ remoteAsn = "4242422953";
+ }
+ ];
+
+ birdExtraConfig = ''
+ # Internal
+ protocol bgp peer_2953_dn42_ildix_service {
+ local as 4242422574;
+ neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+ source address fd81:edb3:71d8:ffff:2574::6;
+ multihop 64;
+ ipv6 {
+ table bgp6;
+ igp table ospf6;
+ next hop keep;
+ add paths tx;
+ import filter {
+ reject;
};
- #route fd56:4902:eca0::/48 via "lo";
- #route fd56:4902:eca0::/52 via "lo";
- }
-
- protocol kernel {
- ipv6 {
- table ospf6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:6::1;
- accept;
- };
- import none;
+ export filter {
+ accept;
};
- kernel table 1337;
- }
-
- protocol kernel {
- ipv6 {
- table bgp6;
- export filter {
- krt_prefsrc=fd56:4902:eca0:6::1;
- accept;
- };
- import none;
- };
- kernel table 2342;
- }
-
- protocol ospf v3 {
- ipv6 {
- table ospf6;
- import all;
- export all;
- };
- area 0 {
- interface "ens21" {
- cost 80;
- type broadcast;
- };
- };
- }
-
- protocol bgp gw1 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:1::1 as 4242422574;
- source address fd56:4902:eca0:6::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- protocol bgp gw5 {
- local as 4242422574;
- graceful restart on;
- neighbor fd56:4902:eca0:5::1 as 4242422574;
- source address fd56:4902:eca0:6::1;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import all;
- export all;
- };
- }
-
- template bgp ildix {
- local as 4242422574;
- graceful restart on;
- source address fd81:edb3:71d8:ffff:2574::6;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop self;
- import keep filtered;
- import filter {
- if net ~ [fd00::/8{8,64}] then accept;
- reject;
- };
- export filter {
- if net ~ [fd00::/8{8,64}] then accept;
- reject;
- };
- };
- }
-
- protocol bgp peer_ildix_clerie from ildix {
- neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
- }
-
- protocol bgp peer_ildix_nex from ildix {
- neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
- }
-
- # Internal
- protocol bgp peer_2953_dn42_ildix_service {
- local as 4242422574;
- neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
- source address fd81:edb3:71d8:ffff:2574::6;
- multihop 64;
- ipv6 {
- table bgp6;
- igp table ospf6;
- next hop keep;
- add paths tx;
- import filter {
- reject;
- };
- export filter {
- accept;
- };
- };
- }
-
- protocol device {
- scan time 10;
- }
- '';
+ };
+ }
+ '';
+ };
clerie.system-auto-upgrade = {
allowReboot = true;
diff --git a/profiles/common-dns/default.nix b/profiles/common-dns/default.nix
new file mode 100644
index 0000000..c3d4a15
--- /dev/null
+++ b/profiles/common-dns/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+ options.profiles.clerie.common-dns = {
+ enable = mkEnableOption "Common dns config";
+ };
+
+ config = mkIf config.profiles.clerie.common-dns.enable {
+
+ # Use systemd-resolved everywhere
+ services.resolved.enable = true;
+
+ # Do not use any DNS servers as fallback
+ services.resolved.fallbackDns = [];
+
+ networking.networkmanager.dns = "systemd-networkd";
+
+ };
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
new file mode 100644
index 0000000..7cf3a64
--- /dev/null
+++ b/profiles/common/default.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+ options.profiles.clerie.common = {
+ enable = mkEnableOption "Cleries common config";
+ };
+
+ config = mkIf config.profiles.clerie.common.enable {
+
+ profiles.clerie.common-dns.enable = true;
+
+ # Disabled while we are still in transition
+ #profiles.clerie.common-network.enable = true;
+
+ };
+}
diff --git a/profiles/default.nix b/profiles/default.nix
index 56cb944..087804c 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -3,8 +3,11 @@
{
imports = [
+ ./common
+ ./common-dns
./common-networking
./cybercluster-vm
+ ./dn42-router
./fem-net
./hetzner-cloud
./mercury-vm
diff --git a/profiles/dn42-router/default.nix b/profiles/dn42-router/default.nix
new file mode 100644
index 0000000..463e552
--- /dev/null
+++ b/profiles/dn42-router/default.nix
@@ -0,0 +1,291 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+ cfg = config.profiles.clerie.dn42-router;
+
+ myAsn = 4242422574;
+ ospf6Table = 1337;
+ bgp6Table = 2342;
+
+in {
+
+ options.profiles.clerie.dn42-router = {
+ enable = mkEnableOption "DN42 router base config";
+ loopbackIp = mkOption {
+ type = types.str;
+ description = "IPv6 lookback IP";
+ };
+ routerId = mkOption {
+ type = types.str;
+ description = "IPv6 lookback IP";
+ };
+ ospfInterfaces = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ ibgpPeers = mkOption {
+ type = with types; listOf (submodule ({ ... }: {
+ options = {
+ remoteAddress = mkOption {
+ type = types.str;
+ };
+ peerName = mkOption {
+ type = types.str;
+ };
+ };
+ }));
+ default = [];
+ description = "External bgp peers";
+ };
+ bgpPeers = mkOption {
+ type = with types; listOf (submodule ({ ... }: {
+ options = {
+ localAddress = mkOption {
+ type = types.str;
+ };
+ remoteAddress = mkOption {
+ type = types.str;
+ };
+ peerName = mkOption {
+ type = types.str;
+ };
+ remoteAsn = mkOption {
+ type = types.str;
+ };
+ };
+ }));
+ default = [];
+ description = "External bgp peers";
+ };
+ wireguardPeers = mkOption {
+ type = with types; listOf (submodule ({ ... }: {
+ options = {
+ interfaceName = mkOption {
+ type = types.str;
+ };
+ localAddress = mkOption {
+ type = types.str;
+ };
+ #localAddressPrefixlen = ;
+ remoteAddress = mkOption {
+ type = types.str;
+ };
+ #remoteAddressPrefixlen = ;
+ #localPrivateKey = ;
+ #remotePublicKey = ;
+ #localListenPort = ;
+ #remoteEnpoint = ;
+ peerName = mkOption {
+ type = types.str;
+ };
+ remoteAsn = mkOption {
+ type = types.str;
+ };
+ };
+ }));
+ default = [];
+ description = "External bgp peers connected via wireguard";
+ };
+ birdExtraConfig = mkOption {
+ type = types.str;
+ default = "";
+ };
+ };
+
+ config = mkIf config.profiles.clerie.dn42-router.enable {
+
+ systemd.network.config.routeTables = {
+ bgp6 = bgp6Table;
+ ospf6 = ospf6Table;
+ };
+ systemd.network.config.addRouteTablesToIPRoute2 = true;
+
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ networking.firewall.checkReversePath = false;
+
+ # Open Firewall for BGP
+ networking.firewall.allowedTCPPorts = [ 179 ];
+ # Open Fireall for OSPF
+ networking.firewall.extraCommands = ''
+ ip6tables -A INPUT -p ospfigp -j ACCEPT
+ iptables -A INPUT -p ospfigp -j ACCEPT
+ '';
+
+ systemd.network.netdevs."10-lo-dn42" = {
+ netdevConfig = {
+ Kind = "dummy";
+ Name = "lo-dn42";
+ };
+ };
+
+ systemd.network.networks."10-lo-dn42" = {
+ matchConfig.Name = "lo-dn42";
+ address = [ "${ cfg.loopbackIp }/128" ];
+ linkConfig.RequiredForOnline = "no";
+ routingPolicyRules = [
+ {
+ Priority = 10000;
+ Family = "ipv6";
+ To = "fd56:4902:eca0::/48";
+ Table = "ospf6";
+ }
+ {
+ Priority = 11000;
+ Family = "ipv6";
+ Table = "bgp6";
+ }
+ {
+ Priority = 15000;
+ Family = "ipv6";
+ From = "fd56:4902:eca0::/48";
+ Type = "unreachable";
+ }
+ {
+ Priority = 16000;
+ Family = "ipv6";
+ To = "fd56:4902:eca0::/48";
+ Type = "unreachable";
+ }
+ {
+ Priority = 20000;
+ Family = "both";
+ Table = "main";
+ }
+ ];
+ };
+
+ services.bird.enable = true;
+ services.bird.package = pkgs.bird2;
+ services.bird.config = ''
+ router id ${ cfg.routerId };
+
+ ipv6 table ospf6;
+ ipv6 table bgp6;
+
+ protocol direct {
+ interface "lo-dn42";
+ ipv6 {
+ table ospf6;
+ };
+ }
+
+ protocol static {
+ ipv6 {
+ table bgp6;
+ };
+ route fd56:4902:eca0::/48 via "lo-dn42";
+ }
+
+ protocol kernel {
+ ipv6 {
+ table ospf6;
+ export filter {
+ krt_prefsrc=${ cfg.loopbackIp };
+ accept;
+ };
+ import none;
+ };
+ kernel table ${ toString ospf6Table };
+ }
+
+ protocol kernel {
+ ipv6 {
+ table bgp6;
+ export filter {
+ krt_prefsrc=${ cfg.loopbackIp };
+ accept;
+ };
+ import none;
+ };
+ kernel table ${ toString bgp6Table };
+ }
+
+ protocol device {
+ scan time 10;
+ }
+
+ protocol ospf v3 {
+ ipv6 {
+ table ospf6;
+ import all;
+ export all;
+ };
+ area 0 {
+ ${ concatMapStringsSep "\n" (interfaceName: ''
+ interface "${interfaceName}" {
+ cost 80;
+ type broadcast;
+ };
+ '') cfg.ospfInterfaces}
+ };
+ }
+
+ template bgp ibgp_peer {
+ local as ${ toString myAsn };
+ graceful restart on;
+ source address ${ cfg.loopbackIp};
+ ipv6 {
+ table bgp6;
+ igp table ospf6;
+ next hop self;
+ import keep filtered;
+ import all;
+ export all;
+ };
+ }
+
+ ${concatMapStringsSep "\n" ( peerConfig: ''
+ protocol bgp ${peerConfig.peerName} from ibgp_peer {
+ neighbor ${peerConfig.remoteAddress} as ${ toString myAsn };
+ }
+ '') cfg.ibgpPeers}
+
+ template bgp bgp_peer {
+ local as ${ toString myAsn };
+ graceful restart on;
+ ipv6 {
+ table bgp6;
+ next hop self;
+ import keep filtered;
+ import filter {
+ if net ~ [fd00::/8{48,64}] then accept;
+ reject;
+ };
+ export filter {
+ if net ~ [fd00::/8{48,64}] then accept;
+ reject;
+ };
+ };
+ }
+
+ ${concatMapStringsSep "\n" ( peerConfig: ''
+ protocol bgp ${peerConfig.peerName} from bgp_peer {
+ neighbor ${peerConfig.remoteAddress} as ${peerConfig.remoteAsn};
+ source address ${peerConfig.localAddress};
+ }
+ '') cfg.bgpPeers}
+
+ ${concatMapStringsSep "\n" ( peerConfig: ''
+ protocol bgp ${peerConfig.peerName} from bgp_peer {
+ neighbor ${peerConfig.remoteAddress}%${peerConfig.interfaceName} as ${peerConfig.remoteAsn};
+ source address ${peerConfig.localAddress};
+ }
+ '') cfg.wireguardPeers}
+
+ ${ cfg.birdExtraConfig }
+
+ '';
+
+ };
+}