# Main configuration file for edge01.waw.bgp.wtf.
# This includes everything needed to run the machine, except for hardware
# configuration, which is defined in //bgpwtf/machines/
# edge01.waw.bgp.wtf-hardware.nix.
#
# Any changes here can be tested in a local NixOS test by running the following:
#
# nix-build -A bgpwtf.machines.tests.edge01-waw
#
# To deploy changes, see //ops:machines.nix.
#
# Layout of this file, top to bottom:
#   - recursive DNS (unbound) for the local prefixes, plus the RSH blocklist,
#   - WireGuard link "wg-camp" and the static routes that go with it,
#   - interface naming by MAC, VLANs, bridges and addressing,
#   - BIRD routing via the hscloud.routing module: tables, pipes, OSPF, BGP.
#
# Secrets (a BGP session password, customer data) come from ./secrets/plain/
# and are not inlined here.

{ config, pkgs, ... }:

# Pulls builtins (concatStringsSep, map) into scope; they are used when
# rendering the BIRD pipe filters below.
with builtins;

let
  # Plaintext secrets. Only passwords."edge01.waw-bgp-google" is read in this
  # file (by both waw_google BGP sessions).
  passwords = import ./secrets/plain/passwords.nix;

in rec {
  networking.hostName = "edge01";
  networking.domain = "waw.bgp.wtf";

  imports = [
    ./modules/router.nix
    ./modules/anchorvm.nix
    # Private configuration data - notably, customer data.
    ./secrets/plain/edge01.waw.bgp.wtf-private.nix
  ];

  # Recursive resolver for hosts in the WAW prefixes.
  # It listens on the router's loopback addresses (see networking.interfaces.lo
  # below) and 127.0.0.1. Both loopback addresses are globally routable, so
  # allowedAccess is the ACL that keeps this from being an open resolver.
  # NOTE(review): no firewall rule for port 53 is visible in this file -
  # confirm modules/router.nix or the private config covers it.
  # TODO(q3k): make this generic, move to modules/router.nix.
  services.unbound = {
    enable = true;
    interfaces = [
      "185.236.240.1"
      "2a0d:eb00:2137::1"
      "127.0.0.1"
    ];
    allowedAccess = [
      "185.236.240.0/22"
      "2a0d:eb00::0/29"
      "127.0.0.0/8"
    ];
    # Verbatim unbound.conf additions: pin outgoing interfaces to the loopback
    # addresses, short negative cache, the Firefox DoH canary zone, and the
    # generated RSH include (path must match hscloud.rsh.out below).
    extraConfig = ''
      outgoing-interface: 185.236.240.1
      outgoing-interface: 2a0d:eb00:2137::1
      cache-max-negative-ttl: 30

      # Disable DoH in Firefox
      local-zone: "use-application-dns.net" static

      # Rejestr Stron Hazardowych.
      # Populated by the rsh-unbound daemon.
      include: "/var/lib/unbound/rsh.conf"
    '';
  };
  # Rejestr Stron Hazardowych (Polish register of blocked gambling sites).
  # The rsh daemon writes unbound configuration to `out`, which extraConfig
  # above includes.
  hscloud.rsh = {
    enable = true;
    out = "/var/lib/unbound/rsh.conf";
  };

  # WireGuard link to "camp". The private key is generated on the host at
  # privateKeyFile (generatePrivateKeyFile = true); only the peer's public key
  # lives in this file. allowedIPsAsRoutes = false, so the peer's prefixes are
  # not turned into kernel routes here - they are declared as static routes in
  # the aggregate table below (hscloud.routing.static.*.camp) instead.
  networking.wireguard.interfaces = {
    wg-camp = {
      ips = [
        "185.236.240.68/31"
        "2a0d:eb00:2137:1::e/127"
      ];
      allowedIPsAsRoutes = false;
      listenPort = 51820;
      generatePrivateKeyFile = true;
      privateKeyFile = "/root/camp-wg";
      peers = [
        {
          publicKey = "TbXDHeHwT4/xQ1+l4HH9EzbYUUCU4Pk/r0nsGSw+qUc=";
          allowedIPs = [
            "185.236.240.69/32"
            "185.236.241.0/24"
            "2a0d:eb00:8007::/48"
            "2a0d:eb00:2137:1::f/128"
          ];
        }
      ];
    };
  };

  # Static routes for the camp prefixes over wg-camp. The next hops are the
  # peer's link addresses, which are listed in the peer's allowedIPs above.
  hscloud.routing.static.v6.camp = {
    table = "aggregate";
    address = "2a0d:eb00:8007::";
    prefixLength = 48;
    via = "2a0d:eb00:2137:1::f";
  };
  hscloud.routing.static.v4.camp = {
    table = "aggregate";
    address = "185.236.241.0";
    prefixLength = 24;
    via = "185.236.240.69";
  };


  # Stable interface names keyed by MAC address. The names are referenced by
  # the VLAN, address, OSPF and BGP configuration below.
  hscloud.renameInterfaces = {
    # Link to Nitronet CPE.
    e1-nnet.mac = "ac:1f:6b:1c:d7:ae";
    # Link to HSWAW Customs.
    e2-customs.mac = "ac:1f:6b:1c:d7:af";
    # Link to management switch.
    e3-mgmt.mac = "ac:1f:6b:1c:d7:b0";
    # Link to oob1.
    e4-oob.mac = "ac:1f:6b:1c:d7:b1";
    e5.mac = "ac:1f:6b:1c:d7:b2";
    e6.mac = "ac:1f:6b:1c:d7:b3";
    # Link to dcsw01.hswaw.net
    e7-dcsw.mac = "ac:1f:6b:1c:db:06";
    e8.mac = "ac:1f:6b:1c:db:07";
  };
  # Jumbo frames on the parent link; vl-dcsw-l3 below sets the same MTU.
  networking.interfaces.e7-dcsw.mtu = 9000;

  # VLAN sub-interfaces: the three EPIX services ride on e1-nnet, the two L3
  # links to the hscloud spine / dist02 on e7-dcsw.
  networking.vlans = {
    "vl-globalmix" = { interface = "e1-nnet"; id = 466; };
    "vl-polmix" = { interface = "e1-nnet"; id = 2486; };
    "vl-openpeering" = { interface = "e1-nnet"; id = 992; };

    "vl-dcsw-l3" = { interface = "e7-dcsw"; id = 4001; };
    "vl-dist-l3" = { interface = "e7-dcsw"; id = 3006; };

    # Extra vlans contained in //bgpwtf/machines/secrets/plain/edge01.waw.bgp.wtf-private.nix
  };
  networking.interfaces = {
    # Router loopback; these addresses are also the unbound listeners, the
    # BIRD router ID and the programSource* addresses further below.
    lo = {
      ipv4.addresses = [ { address = "185.236.240.1"; prefixLength = 32; } ];
      ipv6.addresses = [ { address = "2a0d:eb00:2137::1"; prefixLength = 64; } ];
    };
    ## EPIX links via Nitronet.
    "vl-globalmix" = {
      ipv4.addresses = [ { address = "185.235.70.45"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2001:67c:778:fd40::b9eb:462d"; prefixLength = 127; } ];
    };
    "vl-polmix" = {
      ipv4.addresses = [ { address = "94.246.185.175"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2001:67c:778:fa40::5ef6:b9af"; prefixLength = 127; } ];
    };
    "vl-openpeering" = {
      ipv4.addresses = [ { address = "89.46.145.61"; prefixLength = 21; } ];
      ipv6.addresses = [ { address = "2001:678:3ac::313"; prefixLength = 48; } ];
    };

    ## L3/mgmt links.
    # To customs.hackerspace.pl.
    "e2-customs" = {
      ipv4.addresses = [ { address = "185.236.240.4"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2a0d:eb00:2137:1::2"; prefixLength = 127; } ];
    };
    # To mgmt.
    "e3-mgmt" = {
      ipv4.addresses = [ { address = "10.10.10.1"; prefixLength = 24; } ];
    };
    # To oob1.
    "e4-oob" = {
      ipv4.addresses = [ { address = "185.236.240.74"; prefixLength = 29; } ];
    };
    # To dcsw01, L3 (BGP).
    "vl-dcsw-l3" = {
      mtu = 9000;
      ipv4.addresses = [ { address = "185.236.240.6"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2a0d:eb00:2137:1::6"; prefixLength = 127; } ];
    };
    # To dist02, L3 (BGP).
    "vl-dist-l3" = {
      ipv4.addresses = [ { address = "185.236.240.14"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2a0d:eb00:2137:1::a"; prefixLength = 127; } ];
    };
    # VM bridge
    "br0" = {
      ipv4.addresses = [ { address = "185.236.240.17"; prefixLength = 29; } ];
      ipv6.addresses = [ { address = "2a0d:eb00:2137:3::1"; prefixLength = 64; } ];
    };

    # Extra interface configs contained in //bgpwtf/machines/secrets/plain/edge01.waw.bgp.wtf-private.nix
  };
  # br0 has no physical members; it exists only to attach the anchor VM.
  networking.bridges = {
    "br0" = {
      interfaces = [];
    };
  };
  hscloud.anchorvm = {
    bridge = "br0";
  };

  # BIRD routing (hscloud.routing module). AS204880; router ID and the
  # source addresses for kernel-programmed routes are the loopback addresses.
  hscloud.routing.enable = true;
  hscloud.routing.routerID = "185.236.240.1";
  hscloud.routing.asn = 204880;
  # Use default master4/master6 tables so that `birdc show route` works.
  hscloud.routing.tables.master.program = true;
  hscloud.routing.tables.master.programSourceV4 = "185.236.240.1";
  hscloud.routing.tables.master.programSourceV6 = "2a0d:eb00:2137::1";

  # BIRD filter functions injected verbatim and used by filterInUpstream in
  # the bgpSessions below. The martian sets also bound prefix length:
  # v4 rejects anything longer than /24 or shorter than /8, v6 anything
  # longer than /48 or shorter than /16.
  # NOTE(review): the functions are named net_as204480_* while the local ASN
  # above is 204880. Each is defined once and used once, so this is cosmetic,
  # but a rename must touch the definition and its use together.
  # NOTE(review): net_as204480_waw_v6 matches only the exact 2a0d:eb00::/32
  # (no trailing "+"), whereas the v4 counterpart matches 185.236.240.0/23 and
  # all its more-specifics. Via filterInUpstream this means more-specifics of
  # the v6 /32 learned from an upstream are accepted - confirm that is intended
  # (e.g. because other sites announce /48s from it) or add the "+".
  hscloud.routing.extra = ''
    function net_martian_v4() {
      return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+,
                     127.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 0.0.0.0/0{25,32}, 0.0.0.0/0{0,7} ];
    }
    function net_as204480_waw_v4() {
      return net ~ [ 185.236.240.0/23+ ];
    }
    function net_martian_v6() {
      return net ~ [ fc00::/7+, fec0::/10+, ::/128-, ::/0{0,15}, ::/0{49,128} ];
    }
    function net_as204480_waw_v6() {
      return net ~ [ 2a0d:eb00::/32 ];
    }

  '';
  hscloud.routing.originate = {
    # WAW prefixes, exposed into internet BGP table.
    v4.waw = { table = "internet"; address = "185.236.240.0"; prefixLength = 23; };
    v6.waw = { table = "internet"; address = "2a0d:eb00::"; prefixLength = 32; };

    # Default gateway via us, exposed into aggregated table.
    v4.default = { table = "aggregate"; address = "0.0.0.0"; prefixLength = 0; };
    v6.default = { table = "aggregate"; address = "::"; prefixLength = 0; };
  };
  # Pipes from the per-purpose tables into master, which is the table that is
  # programmed into the kernel (tables.master.program above). Only routes whose
  # source is one of `sources` (BGP/OSPF here), plus whatever `extra` accepts
  # first, are copied; everything else is rejected.
  hscloud.routing.pipe = let
    # sources: list of BIRD RTS_* suffixes to accept; table: the peer table
    # to copy from; extra: verbatim filter lines evaluated before the source
    # checks.
    copySourcesToKernel = sources: table: extra: {
      table = "master";
      peerTable = table;
      filterIn = ''
        ${extra}
        ${concatStringsSep "\n" (map (v: "if source = RTS_${v} then accept;") sources)}
        reject;
      '';
    };
  in {
    v4."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" "";
    v4."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" ''
      # Static v4 routes for customers.
      if proto ~ "static_static_ipv4_customer_*" then accept;
    '';
    v6."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" "";
    v6."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" ''
      # Static v6 routes for customers.
      if proto ~ "static_static_ipv6_customer_*" then accept;
    '';
  };

  # OSPFv3 towards customs (e2-customs) and the OOB network (e4-oob, stub).
  # filterIn only accepts the two prefixes expected from these neighbours.
  # NOTE(review): unlike the BGP filters below, these OSPF filters end without
  # an explicit `reject;` - confirm the hscloud.routing.ospf module appends one.
  # NOTE(review): no authentication is configured for the e2-customs adjacency
  # in this block; check whether the module offers it before relying on the
  # prefix filter alone.
  hscloud.routing.ospf.v6.main = {
    area."0.0.0.0".interfaces = {
      "e2-customs" = {
        type = "bcast";
      };
      "e4-oob" = {
        type = "bcast";
        stub = true;
      };
    };
    table = "aggregate";
    filterIn = ''
      # hswaw prefix from e2-customs
      if net ~ [ 2a0d:eb00:4242::/48+ ] then accept;
      # e2-customs link
      if net ~ [ 2a0d:eb00:2137:1::2/127+ ] then accept;
    '';
  };
  # OSPFv2 only on the OOB link (stub); accepts just the OOB /29.
  hscloud.routing.ospf.v4.main = {
    area."0.0.0.0".interfaces = {
      "e4-oob" = {
        type = "bcast";
        stub = true;
      };
    };
    table = "aggregate";
    filterIn = ''
      # e4-oob link
      if net ~ [ 185.236.240.72/29+ ] then accept;
    '';
  };

  # IPv4 BGP sessions: three EPIX upstream/IXP sessions and a Google peering in
  # the internet table, two private-ASN sessions feeding the aggregate table,
  # and an iBGP backup to edge01.fra over the OOB link.
  #
  # filterInUpstream drops martians and our own WAW space (we originate it
  # ourselves); everything else is accepted and ranked by pref/prepend:
  # GlobalMix (pref 100, prepend 2) < PolMix (200, 1) < OpenPeering/Google
  # (300, 0).
  # filterOutUpstream announces only 185.236.240.0/22 and its more-specifics.
  # NOTE(review): the export filter covers the /22, while originate and
  # net_as204480_waw_v4 cover only the lower /23. If the upper
  # 185.236.242.0/23 is originated elsewhere and must be accepted here, this is
  # deliberate - confirm; otherwise align both bounds.
  hscloud.routing.bgpSessions.v4 = let
    filterInUpstream = ''
      if net_martian_v4() then reject;
      if net_as204480_waw_v4() then reject;
      accept;
    '';
    filterOutUpstream = ''
      # Accept AS204880-announced prefixes.
      if (net ~ [ 185.236.240.0/22+ ]) then accept;
      reject;
    '';
  in {
    "waw_globalmix" = {
      description = "UPSTREAM EPIX.WAR GlobalMix";
      table = "internet";
      local = "185.235.70.45";
      neighbors = [
        { address = "185.235.70.44"; asn = 62081; }
      ];
      prepend = 2; pref = 100;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    "waw_polmix" = {
      description = "UPSTREAM EPIX.WAR PolMix";
      table = "internet";
      local = "94.246.185.175";
      neighbors = [
        { address = "94.246.185.174"; asn = 201054; }
      ];
      prepend = 1; pref = 200;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    "waw_openpeering" = {
      description = "IXP EPIX.WAR OpenPeering";
      table = "internet";
      local = "89.46.145.61";
      neighbors = [
        { address = "89.46.144.11"; asn = 48850; }
        { address = "89.46.144.12"; asn = 48850; }
      ];
      prepend = 0; pref = 300;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    # Direct peering with Google over the OpenPeering LAN (same local address
    # as waw_openpeering). The session password comes from the secrets file.
    "waw_google" = {
      description = "PEER Google AS15169 (EPIX)";
      table = "internet";
      local = "89.46.145.61";
      neighbors = [
        # TODO(q3k): secretify the password.
        { address = "89.46.144.185"; asn = 15169; password = passwords."edge01.waw-bgp-google"; }
      ];
      prepend = 0; pref = 300;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    # hscloud spine switch (dcsw01.hswaw.net).
    # Private ASNs on both ends; only the listed internal prefixes are
    # accepted from the spine, anything else is rejected.
    "waw_hscloud" = {
      description = "AGGREGATE CUSTOMER hscloud/dcsw01";
      table = "aggregate";
      local = "185.236.240.6";
      asn = 65000;
      neighbors = [
        { address = "185.236.240.7"; asn = 65001; }
      ];
      filterIn = ''
        # wieloryb prefix
        if net ~ [ 185.236.240.8/31+ ] then accept;
        # dcsw01 l2 general purpose
        if net ~ [ 185.236.240.24/29+ ] then accept;
        # hscloud l2 general purpose
        if net ~ [ 185.236.240.32/28+ ] then accept;
        # k0 metallb pools
        if net ~ [ 185.236.240.48/28+, 185.236.240.112/28+ ] then accept;
        # dcsw01.hswaw.net / dcr03sw48.hswaw.net
        if net ~ [ 185.236.240.66/31 ] then accept;
        reject;
      '';
    };
    # bgp.wtf internet customer router on W2A, floor 3 (dist02.bgp.wtf).
    "waw_dist02" = {
      description = "AGGREGATE CUSTOMER bgpwtf/dist02";
      table = "aggregate";
      local = "185.236.240.14";
      asn = 65000;
      neighbors = [
        { address = "185.236.240.15"; asn = 65002; }
      ];
      filterIn = ''
        # dist02 customer routed
        if net ~ [ 185.236.240.80/28+ ] then accept;
        reject;
      '';
    };
    # backup LTE link to edge01.fra
    # iBGP (same ASN 204880) over the OOB /29, with the lowest pref of all
    # sessions here, matching its backup role. Uses the upstream filters.
    "fra_edge01" = {
      description = "IBGP edge01.fra";
      table = "internet";
      local = "185.236.240.74";
      direct = true;
      neighbors = [
        { address = "185.236.240.75"; asn = 204880; }
      ];
      pref = 50;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
  };
  # IPv6 BGP sessions, mirroring the v4 set above (same neighbours, prefs and
  # prepends) except that there is no fra_edge01 backup session for v6.
  # filterOutUpstream announces 2a0d:eb00::/29 and its more-specifics.
  hscloud.routing.bgpSessions.v6 = let
    filterInUpstream = ''
      if net_martian_v6() then reject;
      if net_as204480_waw_v6() then reject;
      accept;
    '';
    filterOutUpstream = ''
      # Accept AS204880-announced prefixes.
      if (net ~ [ 2a0d:eb00::/29+ ]) then accept;
      reject;
    '';
  in {
    "waw_globalmix" = {
      description = "UPSTREAM EPIX.WAR GlobalMix";
      table = "internet";
      local = "2001:67c:778:fd40::b9eb:462d";
      neighbors = [
        { address = "2001:67c:778:fd40::b9eb:462c"; asn = 62081; }
      ];
      prepend = 2; pref = 100;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    "waw_polmix" = {
      description = "UPSTREAM EPIX.WAR PolMix";
      table = "internet";
      local = "2001:67c:778:fa40::5ef6:b9af";
      neighbors = [
        { address = "2001:67c:778:fa40::5ef6:b9ae"; asn = 201054; }
      ];
      prepend = 1; pref = 200;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    "waw_openpeering" = {
      description = "IXP EPIX.WAR OpenPeering";
      table = "internet";
      local = "2001:678:3ac::313";
      neighbors = [
        { address = "2001:678:3ac::11"; asn = 48850; }
        { address = "2001:678:3ac::12"; asn = 48850; }
      ];
      prepend = 0; pref = 300;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    # Same session password as the v4 Google session, from the secrets file.
    "waw_google" = {
      description = "PEER Google AS15169 (EPIX)";
      table = "internet";
      local = "2001:678:3ac::313";
      neighbors = [
        { address = "2001:678:3ac::185"; asn = 15169; password = passwords."edge01.waw-bgp-google"; }
      ];
      prepend = 0; pref = 300;
      filterIn = filterInUpstream;
      filterOut = filterOutUpstream;
    };
    # hscloud spine switch (dcsw01.hswaw.net).
    "waw_hscloud" = {
      description = "AGGREGATE CUSTOMER dcsw01.hswaw.net";
      table = "aggregate";
      local = "2a0d:eb00:2137:1::6";
      asn = 65000;
      neighbors = [
        { address = "2a0d:eb00:2137:1::7"; asn = 65001; }
      ];
      filterIn = ''
        # dcsw01 l2 general purpose
        if net ~ [ 2a0d:eb00:2137::/48+ ] then accept;
        # customer
        if net ~ [ 2a0d:eb00:8004::/48+ ] then accept;
        reject;
      '';
    };
    # bgp.wtf internet customer router on W2A, floor 3 (dist02.bgp.wtf).
    "waw_dist02" = {
      description = "AGGREGATE CUSTOMER dist02.bgp.wtf";
      table = "aggregate";
      local = "2a0d:eb00:2137:1::a";
      asn = 65000;
      neighbors = [
        { address = "2a0d:eb00:2137:1::b"; asn = 65002; }
      ];
      filterIn = ''
        # dist02 customers.
        if net ~ [ 2a0d:eb00:8002::/48 ] then accept;
        reject;
      '';
    };
  };
}