Konarak
01a77e65a6
- update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope
188 lines
5.1 KiB
Nix
188 lines
5.1 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let cfg = config.sixnix;
|
|
in {
|
|
options.sixnix = {
|
|
enable = mkEnableOption "sixnix networking configuration";
|
|
|
|
hostname = mkOption {
|
|
type = types.str;
|
|
description = "Server hostname";
|
|
};
|
|
|
|
domain = mkOption {
|
|
type = types.str;
|
|
default = "notwork.in";
|
|
description = "Domain name";
|
|
};
|
|
|
|
interface = mkOption {
|
|
type = types.str;
|
|
default = "enp0s3";
|
|
description = "Network interface name";
|
|
};
|
|
|
|
dns = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "9.9.9.9" "2620:fe::fe" ];
|
|
description = "DNS resolvers for systemd-networkd";
|
|
};
|
|
|
|
ipv4 = {
|
|
address = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = "IPv4 address with CIDR (documentation only - using DHCP)";
|
|
};
|
|
|
|
gateway = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = "IPv4 gateway (documentation only - using DHCP)";
|
|
};
|
|
};
|
|
|
|
ipv6 = {
|
|
address = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = "IPv6 address with CIDR (documentation only - using SLAAC)";
|
|
};
|
|
|
|
gateway = mkOption {
|
|
type = types.str;
|
|
default = "fe80::1";
|
|
description = "IPv6 gateway (documentation only - using SLAAC)";
|
|
};
|
|
};
|
|
|
|
bgp = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Enable BGP/FRR for shared IP failover";
|
|
};
|
|
|
|
peers = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
example = [ "2001:db8::1" "2001:db8::2" "2001:db8::3" "2001:db8::4" ];
|
|
description = "List of BGP peer addresses (e.g., Linode route servers)";
|
|
};
|
|
|
|
advertisedSubnets = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
example = [ "2001:db8:1234::/56" ];
|
|
description = "List of IPv6 subnets to advertise via BGP";
|
|
};
|
|
|
|
routeMap = mkOption {
|
|
type = types.enum [ "primary" "secondary" ];
|
|
description = "BGP route map type (primary/secondary for HA)";
|
|
};
|
|
};
|
|
|
|
wireguard = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Enable WireGuard configuration";
|
|
};
|
|
};
|
|
};
|
|
|
|
imports = [ ./wireguard.nix ];
|
|
|
|
config = mkIf cfg.enable {
|
|
networking.hostName = cfg.hostname;
|
|
networking.domain = cfg.domain;
|
|
networking.nftables.enable = true;
|
|
|
|
# Enable systemd-networkd
|
|
systemd.network.enable = true;
|
|
networking.useNetworkd = true;
|
|
|
|
# Tools for monitoring/key generation
|
|
environment.systemPackages = with pkgs; [ wireguard-tools tcpdump ];
|
|
|
|
# Configure network interface - pure SLAAC/DHCP
|
|
systemd.network.networks."10-egress" = {
|
|
matchConfig.Name = cfg.interface;
|
|
networkConfig = {
|
|
DHCP = "yes"; # Enable both IPv4 and IPv6 DHCP
|
|
IPv6AcceptRA = "yes";
|
|
IPv6PrivacyExtensions = "no";
|
|
IPv6Forwarding = "yes";
|
|
};
|
|
|
|
dns = cfg.dns;
|
|
};
|
|
|
|
# Add blackhole routes for advertised subnets on loopback
|
|
systemd.network.networks."10-loopback" = mkIf cfg.bgp.enable {
|
|
matchConfig.Name = "lo";
|
|
routes = map (subnet: {
|
|
Destination = subnet;
|
|
Type = "blackhole";
|
|
}) cfg.bgp.advertisedSubnets;
|
|
};
|
|
|
|
# Create dummy interface for shared WireGuard endpoint IP (HA setup)
|
|
systemd.network.netdevs."20-shared-dummy" = mkIf cfg.bgp.enable {
|
|
netdevConfig = {
|
|
Kind = "dummy";
|
|
Name = "shared0";
|
|
};
|
|
};
|
|
|
|
systemd.network.networks."20-shared-dummy" = mkIf cfg.bgp.enable {
|
|
matchConfig.Name = "shared0";
|
|
address = [ "2600:3c08:e002:6cff::1/128" ];
|
|
};
|
|
|
|
boot.kernel.sysctl = {
|
|
"net.ipv6.conf.all.forwarding" = 1;
|
|
"net.ipv6.conf.${cfg.interface}.accept_ra" = 2;
|
|
# Accept prefix info
|
|
"net.ipv6.conf.${cfg.interface}.accept_ra_pinfo" = 1;
|
|
# Accept default router
|
|
"net.ipv6.conf.${cfg.interface}.accept_ra_defrtr" = 1;
|
|
};
|
|
|
|
# BGP configuration
|
|
# Reference: https://techdocs.akamai.com/cloud-computing/docs/configuring-ip-failover-over-bgp-using-frr-advanced
|
|
services.frr.bgpd.enable = cfg.bgp.enable;
|
|
services.frr.config = mkIf cfg.bgp.enable (let
|
|
peerConfig = concatMapStringsSep "\n" (peer: " neighbor ${peer} peer-group RS") cfg.bgp.peers;
|
|
networkConfig = concatMapStringsSep "\n" (subnet: " network ${subnet} route-map ${cfg.bgp.routeMap}") cfg.bgp.advertisedSubnets;
|
|
in ''
|
|
hostname ${cfg.hostname}
|
|
|
|
router bgp 65001
|
|
no bgp ebgp-requires-policy
|
|
coalesce-time 1000
|
|
bgp bestpath as-path multipath-relax
|
|
neighbor RS peer-group
|
|
neighbor RS remote-as external
|
|
neighbor RS ebgp-multihop 10
|
|
neighbor RS capability extended-nexthop
|
|
${peerConfig}
|
|
|
|
address-family ipv6 unicast
|
|
${networkConfig}
|
|
redistribute static
|
|
neighbor RS activate
|
|
exit-address-family
|
|
|
|
route-map primary permit 10
|
|
set community 65000:1
|
|
route-map secondary permit 10
|
|
set community 65000:2
|
|
|
|
ipv6 nht resolve-via-default
|
|
'');
|
|
};
|
|
} |