| # Main configuration file for edge01.waw.bgp.wtf. |
| # This includes everything needed to run the machine, except for hardware |
| # configuration, which is defined in //bgpwtf/machines/ |
| # edge01.waw.bgp.wtf-hardware.nix. |
| # |
| # Any changes here can be tested in a local NixOS test by running the following: |
| # |
| # nix-build -A bgpwtf.machines.tests.edge01-waw |
| # |
| # To deploy changes, see //ops:machines.nix. |
| |
| { config, pkgs, ... }: |
| |
| with builtins; |
| |
| let |
| passwords = import ./secrets/plain/passwords.nix; |
| |
| in rec { |
| networking.hostName = "edge01"; |
| networking.domain = "waw.bgp.wtf"; |
| |
| imports = [ |
| ./modules/router.nix |
| |
| # Private configuration data - notably, customer data. |
| ./secrets/plain/edge01.waw.bgp.wtf-private.nix |
| ]; |
| |
| # TODO(q3k): make this generic, move to modules/router.nix. |
| services.unbound = { |
| enable = true; |
| interfaces = [ |
| "185.236.240.1" |
| "2a0d:eb00:2137::1" |
| "127.0.0.1" |
| ]; |
| allowedAccess = [ |
| "185.236.240.0/22" |
| "2a0d:eb00::0/29" |
| "127.0.0.0/8" |
| ]; |
| extraConfig = '' |
| outgoing-interface: 185.236.240.1 |
| outgoing-interface: 2a0d:eb00:2137::1 |
| cache-max-negative-ttl: 30 |
| |
| # Disable DoH in Firefox |
| local-zone: "use-application-dns.net" static |
| |
| # Rejestr Stron Hazardowych. |
| # Populated by the rsh-unbound daemon. |
| include: "/var/lib/unbound/rsh.conf" |
| ''; |
| }; |
| hscloud.rsh = { |
| enable = true; |
| out = "/var/lib/unbound/rsh.conf"; |
| }; |
| |
| hscloud.renameInterfaces = { |
| # Link to Nitronet CPE. |
| e1-nnet.mac = "ac:1f:6b:1c:d7:ae"; |
| # Link to HSWAW Customs. |
| e2-customs.mac = "ac:1f:6b:1c:d7:af"; |
| # Link to management switch. |
| e3-mgmt.mac = "ac:1f:6b:1c:d7:b0"; |
| # Link to oob1. |
| e4-oob.mac = "ac:1f:6b:1c:d7:b1"; |
| e5.mac = "ac:1f:6b:1c:d7:b2"; |
| e6.mac = "ac:1f:6b:1c:d7:b3"; |
| # Link to dcsw01.hswaw.net |
| e7-dcsw.mac = "ac:1f:6b:1c:db:06"; |
| e8.mac = "ac:1f:6b:1c:db:07"; |
| }; |
| networking.interfaces.e7-dcsw.mtu = 9000; |
| |
| networking.vlans = { |
| "vl-globalmix" = { interface = "e1-nnet"; id = 466; }; |
| "vl-polmix" = { interface = "e1-nnet"; id = 2486; }; |
| "vl-openpeering" = { interface = "e1-nnet"; id = 992; }; |
| |
| "vl-dcsw-l3" = { interface = "e7-dcsw"; id = 4001; }; |
| "vl-dist-l3" = { interface = "e7-dcsw"; id = 3006; }; |
| |
| # Extra vlans contained in //bgpwtf/machines/secrets/plain/edge01.waw.bgp.wtf-private.nix |
| }; |
| networking.interfaces = { |
| lo = { |
| ipv4.addresses = [ { address = "185.236.240.1"; prefixLength = 32; } ]; |
| ipv6.addresses = [ { address = "2a0d:eb00:2137::1"; prefixLength = 64; } ]; |
| }; |
| ## EPIX links via Nitronet. |
| "vl-globalmix" = { |
| ipv4.addresses = [ { address = "185.235.70.45"; prefixLength = 31; } ]; |
| ipv6.addresses = [ { address = "2001:67c:778:fd40::b9eb:462d"; prefixLength = 127; } ]; |
| }; |
| "vl-polmix" = { |
| ipv4.addresses = [ { address = "94.246.185.175"; prefixLength = 31; } ]; |
| ipv6.addresses = [ { address = "2001:67c:778:fa40::5ef6:b9af"; prefixLength = 127; } ]; |
| }; |
| "vl-openpeering" = { |
| ipv4.addresses = [ { address = "89.46.145.61"; prefixLength = 21; } ]; |
| ipv6.addresses = [ { address = "2001:678:3ac::313"; prefixLength = 48; } ]; |
| }; |
| |
| ## L3/mgmt links.. |
| # To customs.hackerspace.pl. |
| "e2-customs" = { |
| ipv4.addresses = [ { address = "185.236.240.4"; prefixLength = 31; } ]; |
| ipv6.addresses = [ { address = "2a0d:eb00:2137:1::2"; prefixLength = 127; } ]; |
| }; |
| # To mgmt. |
| "e3-mgmt" = { |
| ipv4.addresses = [ { address = "10.10.10.1"; prefixLength = 24; } ]; |
| }; |
| # To obb1. |
| "e4-oob" = { |
| ipv4.addresses = [ { address = "185.236.240.74"; prefixLength = 29; } ]; |
| }; |
| # To dcsw01, L3 (BGP). |
| "vl-dcsw-l3" = { |
| mtu = 9000; |
| ipv4.addresses = [ { address = "185.236.240.6"; prefixLength = 31; } ]; |
| ipv6.addresses = [ { address = "2a0d:eb00:2137:1::6"; prefixLength = 127; } ]; |
| }; |
| # To dist02, L3 (BGP). |
| "vl-dist-l3" = { |
| ipv4.addresses = [ { address = "185.236.240.14"; prefixLength = 31; } ]; |
| ipv6.addresses = [ { address = "2a0d:eb00:2137:1::a"; prefixLength = 127; } ]; |
| }; |
| |
| # Extra interface configs contained in //bgpwtf/machines/secrets/plain/edge01.waw.bgp.wtf-private.nix |
| }; |
| |
| hscloud.routing.enable = true; |
| hscloud.routing.routerID = "185.236.240.1"; |
| hscloud.routing.asn = 204880; |
| # Use default master4/master6 tables so that `birdc show route` works. |
| hscloud.routing.tables.master.program = true; |
| hscloud.routing.tables.master.programSourceV4 = "185.236.240.1"; |
| hscloud.routing.tables.master.programSourceV6 = "2a0d:eb00:2137::1"; |
| |
| hscloud.routing.extra = '' |
| function net_martian_v4() { |
| return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, |
| 127.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 0.0.0.0/0{25,32}, 0.0.0.0/0{0,7} ]; |
| } |
| function net_as204480_waw_v4() { |
| return net ~ [ 185.236.240.0/23+ ]; |
| } |
| function net_martian_v6() { |
| return net ~ [ fc00::/7+, fec0::/10+, ::/128-, ::/0{0,15}, ::/0{49,128} ]; |
| } |
| function net_as204480_waw_v6() { |
| return net ~ [ 2a0d:eb00::/32 ]; |
| } |
| |
| ''; |
| hscloud.routing.originate = { |
| # WAW prefixes, exposed into internet BGP table. |
| v4.waw = { table = "internet"; address = "185.236.240.0"; prefixLength = 23; }; |
| v6.waw = { table = "internet"; address = "2a0d:eb00::"; prefixLength = 32; }; |
| |
| # Default gateway via us, exposed into aggregated table. |
| v4.default = { table = "aggregate"; address = "0.0.0.0"; prefixLength = 0; }; |
| v6.default = { table = "aggregate"; address = "::"; prefixLength = 0; }; |
| }; |
| hscloud.routing.pipe = let |
| copySourcesToKernel = sources: table: extra: { |
| table = "master"; |
| peerTable = table; |
| filterIn = '' |
| ${extra} |
| ${concatStringsSep "\n" (map (v: "if source = RTS_${v} then accept;") sources)} |
| reject; |
| ''; |
| }; |
| in { |
| v4."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" ""; |
| v4."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" ""; |
| v6."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" ""; |
| v6."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" '' |
| # Static v6 routes for customers. |
| if proto ~ "static_static_ipv6_customer_*" then accept; |
| ''; |
| }; |
| |
| hscloud.routing.ospf.v6.main = { |
| area."0.0.0.0".interfaces = { |
| "e2-customs" = { |
| type = "bcast"; |
| }; |
| "e4-oob" = { |
| type = "bcast"; |
| stub = true; |
| }; |
| }; |
| table = "aggregate"; |
| filterIn = '' |
| # hswaw prefix from e2-customs |
| if net ~ [ 2a0d:eb00:4242::/48+ ] then accept; |
| # e2-customs link |
| if net ~ [ 2a0d:eb00:2137:1::2/127+ ] then accept; |
| ''; |
| }; |
| hscloud.routing.ospf.v4.main = { |
| area."0.0.0.0".interfaces = { |
| "e4-oob" = { |
| type = "bcast"; |
| stub = true; |
| }; |
| }; |
| table = "aggregate"; |
| filterIn = '' |
| # e4-oob link |
| if net ~ [ 185.236.240.72/29+ ] then accept; |
| ''; |
| }; |
| |
| hscloud.routing.bgpSessions.v4 = let |
| filterInUpstream = '' |
| if net_martian_v4() then reject; |
| if net_as204480_waw_v4() then reject; |
| accept; |
| ''; |
| filterOutUpstream = '' |
| # Accept AS204880-announced prefixes. |
| if (net ~ [ 185.236.240.0/22+ ]) then accept; |
| reject; |
| ''; |
| in { |
| "waw_globalmix" = { |
| description = "UPSTREAM EPIX.WAR GlobalMix"; |
| table = "internet"; |
| local = "185.235.70.45"; |
| neighbors = [ |
| { address = "185.235.70.44"; asn = 62081; } |
| ]; |
| prepend = 2; pref = 100; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_polmix" = { |
| description = "UPSTREAM EPIX.WAR PolMix"; |
| table = "internet"; |
| local = "94.246.185.175"; |
| neighbors = [ |
| { address = "94.246.185.174"; asn = 201054; } |
| ]; |
| prepend = 1; pref = 200; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_openpeering" = { |
| description = "IXP EPIX.WAR OpenPeering"; |
| table = "internet"; |
| local = "89.46.145.61"; |
| neighbors = [ |
| { address = "89.46.144.11"; asn = 48850; } |
| { address = "89.46.144.12"; asn = 48850; } |
| ]; |
| prepend = 0; pref = 300; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_google" = { |
| description = "PEER Google AS15169 (EPIX)"; |
| table = "internet"; |
| local = "89.46.145.61"; |
| neighbors = [ |
| # TODO(q3k): secretify the password. |
| { address = "89.46.144.185"; asn = 15169; password = passwords."edge01.waw-bgp-google"; } |
| ]; |
| prepend = 0; pref = 300; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| # hscloud spine switch (dcsw01.hswaw.net). |
| "waw_hscloud" = { |
| description = "AGGREGATE CUSTOMER hscloud/dcsw01"; |
| table = "aggregate"; |
| local = "185.236.240.6"; |
| asn = 65000; |
| neighbors = [ |
| { address = "185.236.240.7"; asn = 65001; } |
| ]; |
| filterIn = '' |
| # wieloryb prefix |
| if net ~ [ 185.236.240.8/31+ ] then accept; |
| # dcsw01 l2 general purpose |
| if net ~ [ 185.236.240.24/29+ ] then accept; |
| # hscloud l2 general purpose |
| if net ~ [ 185.236.240.32/28+ ] then accept; |
| # k0 metallb pools |
| if net ~ [ 185.236.240.48/28+, 185.236.240.112/28+ ] then accept; |
| reject; |
| ''; |
| }; |
| # bgp.wtf internet customer router on W2A, floor 3 (dist02.bgp.wtf). |
| "waw_dist02" = { |
| description = "AGGREGATE CUSTOMER bgpwtf/dist02"; |
| table = "aggregate"; |
| local = "185.236.240.14"; |
| asn = 65000; |
| neighbors = [ |
| { address = "185.236.240.15"; asn = 65002; } |
| ]; |
| filterIn = '' |
| # dist02 customer routed |
| if net ~ [ 185.236.240.80/28+ ] then accept; |
| reject; |
| ''; |
| }; |
| # backup LTE link to edge01.fra |
| "fra_edge01" = { |
| description = "IBGP edge01.fra"; |
| table = "internet"; |
| local = "185.236.240.74"; |
| direct = true; |
| neighbors = [ |
| { address = "185.236.240.75"; asn = 204880; } |
| ]; |
| pref = 50; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| }; |
| hscloud.routing.bgpSessions.v6 = let |
| filterInUpstream = '' |
| if net_martian_v6() then reject; |
| if net_as204480_waw_v6() then reject; |
| accept; |
| ''; |
| filterOutUpstream = '' |
| # Accept AS204880-announced prefixes. |
| if (net ~ [ 2a0d:eb00::/29+ ]) then accept; |
| reject; |
| ''; |
| in { |
| "waw_globalmix" = { |
| description = "UPSTREAM EPIX.WAR GlobalMix"; |
| table = "internet"; |
| local = "2001:67c:778:fd40::b9eb:462d"; |
| neighbors = [ |
| { address = "2001:67c:778:fd40::b9eb:462c"; asn = 62081; } |
| ]; |
| prepend = 2; pref = 100; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_polmix" = { |
| description = "UPSTREAM EPIX.WAR PolMix"; |
| table = "internet"; |
| local = "2001:67c:778:fa40::5ef6:b9af"; |
| neighbors = [ |
| { address = "2001:67c:778:fa40::5ef6:b9ae"; asn = 201054; } |
| ]; |
| prepend = 1; pref = 200; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_openpeering" = { |
| description = "IXP EPIX.WAR OpenPeering"; |
| table = "internet"; |
| local = "2001:678:3ac::313"; |
| neighbors = [ |
| { address = "2001:678:3ac::11"; asn = 48850; } |
| { address = "2001:678:3ac::12"; asn = 48850; } |
| ]; |
| prepend = 0; pref = 300; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| "waw_google" = { |
| description = "PEER Google AS15169 (EPIX)"; |
| table = "internet"; |
| local = "2001:678:3ac::313"; |
| neighbors = [ |
| { address = "2001:678:3ac::185"; asn = 15169; password = passwords."edge01.waw-bgp-google"; } |
| ]; |
| prepend = 0; pref = 300; |
| filterIn = filterInUpstream; |
| filterOut = filterOutUpstream; |
| }; |
| # hscloud spine switch (dcsw01.hswaw.net). |
| "waw_hscloud" = { |
| description = "AGGREGATE CUSTOMER dcsw01.hswaw.net"; |
| table = "aggregate"; |
| local = "2a0d:eb00:2137:1::6"; |
| asn = 65000; |
| neighbors = [ |
| { address = "2a0d:eb00:2137:1::7"; asn = 65001; } |
| ]; |
| filterIn = '' |
| # dcsw01 l2 general purpose |
| if net ~ [ 2a0d:eb00:2137::/48+ ] then accept; |
| reject; |
| ''; |
| }; |
| # bgp.wtf internet customer router on W2A, floor 3 (dist02.bgp.wtf). |
| "waw_dist02" = { |
| description = "AGGREGATE CUSTOMER dist02.bgp.wtf"; |
| table = "aggregate"; |
| local = "2a0d:eb00:2137:1::a"; |
| asn = 65000; |
| neighbors = [ |
| { address = "2a0d:eb00:2137:1::b"; asn = 65002; } |
| ]; |
| filterIn = '' |
| # dist02 customers. |
| if net ~ [ 2a0d:eb00:8002::/48 ] then accept; |
| reject; |
| ''; |
| }; |
| }; |
| } |