From 39a6ea69f64dee26259610b042d01dd6f47005fb Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Thu, 13 Jul 2023 13:56:10 +0800
Subject: [PATCH] nixbld: altnet setup
---
 nixbld-etc-nixos/configuration.nix | 94 +++++++++++++++++++
 .../named/200-29.98.206.103.in-addr.arpa | 17 ++++
 nixbld-etc-nixos/named/m-labs.hk | 6 +-
 3 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index c4c20ba1..5908bcc6 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -104,6 +104,15 @@ in
 address = "2001:470:f891:1::"; prefixLength = 64; }];
+ # https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
+ # we just copy what matters here. Ugly but easier.
+ ipv4.routes = [
+ {
+ address = "192.168.1.0";
+ prefixLength = 24;
+ options.table = "1";
+ }
+ ];
 }; interfaces."${netifWifi}" = { ipv4.addresses = [{
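Review bot: Table 1 is given the 192.168.1.0/24 route here and the tunnel default in the next hunk, but not the connected 103.206.98.200/29 route that the kernel installs only in the main table when the address is assigned to `vlan0`; if nothing else adds it, packets the router itself sends from 103.206.98.200 to another host of that /29 match the `from 103.206.98.200/29` rule, find no more specific route in table 1 and leave through the tunnel instead of `vlan0`. The same applies to any other directly connected subnet (the `netifWifi` interface that follows) that the alt addresses are meant to reach. The likely fix is one more entry, `{ address = "103.206.98.200"; prefixLength = 29; options.table = "1"; }`, under `interfaces.vlan0.ipv4.routes` in the next hunk, and a comment that says what "matters" means: `# table 1 is selected by the "from 103.206.98.200/29" ip rule; it must hold every connected route the alt addresses use, plus the tunnel default`. The interface block this route list belongs to starts before the hunk.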
@@ -161,12 +170,80 @@ in
 addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; routes = [{ address = "::"; prefixLength = 0; }]; };
+ greTunnels.alt0 = {
+ dev = netifWan;
+ remote = "103.206.98.1";
+ local = "94.190.212.123";
+ ttl = 255;
+ type = "tun";
+ };
+ interfaces.alt0 = {
+ ipv4.addresses = [
+ {
+ address = "103.206.98.227";
+ prefixLength = 31;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "0.0.0.0";
+ prefixLength = 0;
+ via = "103.206.98.226";
+ options.table = "1";
+ }
+ ];
+ };
+ vlans = {
+ vlan0 = {
+ id = 2;
+ interface = netifLan;
+ };
+ };
+ interfaces.vlan0 = {
+ ipv4.addresses = [{
+ address = "103.206.98.200";
+ prefixLength = 29;
+ }];
+ };
 }; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
+ services.strongswan-swanctl.enable = true;
+ services.strongswan-swanctl.swanctl.connections.altnet = {
+ local_addrs = [ "94.190.212.123" ];
+ remote_addrs = [ "103.206.98.1" ];
+ local.main = {
+ auth = "pubkey";
+ id = "fqdn:m-labs.hk";
+ pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+ };
+ remote.main = {
+ auth = "pubkey";
+ id = "fqdn:igw0.hkg.as150788.net";
+ pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
+ };
+ children.alt0 = {
+ mode = "transport";
+ ah_proposals = [ "sha256-curve25519" ];
+ remote_ts = [ "103.206.98.1[gre]" ];
+ local_ts = [ "94.190.212.123[gre]" ];
+ start_action = "start";
+ };
+ };
+
+ systemd.services.custom-network-setup = {
+ wantedBy = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
+ ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
+ };
+ };
+ # https://kb.isc.org/docs/dnssec-key-and-signing-policy # chown named.named /etc/nixos/named
 services.bind = {
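Review bot: `children.alt0` lists only `ah_proposals`, so the IPsec association authenticates and integrity-protects the GRE packets between 94.190.212.123 and 103.206.98.1 but does not encrypt them: everything the 103.206.98.200/29 hosts send through `alt0` crosses the path in cleartext. If that is the intended trade-off for a transit link, record it next to the proposal, `# AH only: peer authentication and integrity, no confidentiality`; if confidentiality is expected, an `esp_proposals` entry replaces it. With `start_action = "start"` the XFRM policy appears to exist only while the CHILD_SA is up, so GRE on `alt0` would run unprotected before the SA is established or after it is lost; `start_action = "trap"` keeps a trap policy installed, and a netfilter rule accepting inbound protocol 47 only when it matched an IPsec policy (`-m policy --dir in --pol ipsec`) covers the rest, though I cannot see `networking.firewall` from here. The `pubkeys` files under `/etc/swanctl/pubkey/` and the matching private key are not created by this configuration, so a comment saying how they are provisioned belongs on the connection. In `custom-network-setup`, `ip rule add` is not idempotent and `ip rule del table 1` carries no selector, so a restart with the rule still present fails or duplicates it; `ExecStartPre = "-${pkgs.iproute2}/bin/ip rule del from 103.206.98.200/29 table 1";` plus the same selector in `ExecStop` makes both ends deterministic.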
@@ -212,6 +289,23 @@ in
 "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
 ]; };
+ "200-29.98.206.103.in-addr.arpa" = {
+ name = "200-29.98.206.103.in-addr.arpa";
+ master = true;
+ file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
+ extraConfig =
+ ''
+ dnssec-policy "default";
+ inline-signing yes;
+ notify explicit;
+ also-notify {
+ 216.218.130.2; # ns1.he.net
+ };
+ '';
+ slaves = [
+ "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
+ ];
+ };
 }; extraConfig = '' zone "mil." IN {
diff --git a/nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa b/nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
new file mode 100644
index 00000000..0d86ace4
--- /dev/null
+++ b/nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
@@ -0,0 +1,17 @@
+$TTL 7200
+
+@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
+ 2023071303
+ 7200
+ 3600
+ 86400
+ 600)
+
+
+ NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+ NS ns1.he.net.
+
+200 PTR router.alt.m-labs.hk.
+201 PTR stewardship1.alt.m-labs.hk.
+202 PTR stewardship2.alt.m-labs.hk.
+
diff --git a/nixbld-etc-nixos/named/m-labs.hk b/nixbld-etc-nixos/named/m-labs.hk
index 9093d243..639d8610 100644
--- a/nixbld-etc-nixos/named/m-labs.hk
+++ b/nixbld-etc-nixos/named/m-labs.hk
@@ -1,7 +1,7 @@
 $TTL 7200 @ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
- 2023040501
+ 2023071301
 7200 3600 86400
@@ -51,3 +51,7 @@ hestia AAAA 2001:470:f891:1:881c:f409:a090:8401 vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac aux A 42.200.147.171
+
+router.alt A 103.206.98.200
+stewardship1.alt A 103.206.98.201
+stewardship2.alt A 103.206.98.202
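Review bot: The new `"200-29.98.206.103.in-addr.arpa"` stanza repeats the `extraConfig` and `slaves` of the zone directly above it word for word (the leading context shows the same `slaves` list), so the signing policy and the secondaries now live in two places that can drift; a `let`-bound attribute set holding `extraConfig` and `slaves`, merged into each zone with `//`, keeps one copy. DNSSEC for this zone only validates once its DS record is published in the parent `98.206.103.in-addr.arpa`, which is held by whoever delegated the /29 and is not touched by this repository, so a note such as `# DS must be submitted to the operator of 98.206.103.in-addr.arpa` belongs next to `dnssec-policy`. Inline signing writes its signed copy beside `/etc/nixos/named/200-29.98.206.103.in-addr.arpa`, so the `chown named.named /etc/nixos/named` reminder earlier in the file applies to the new file too. The attribute set this stanza is part of starts before the hunk.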
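Review bot: The file publishes PTRs for 200–202 only, and nothing in it says that the /29 runs 200–207 or that these records are reached through RFC 2317 CNAMEs the parent `98.206.103.in-addr.arpa` has to carry for each address; a header comment such as `; 103.206.98.200/29 reverse zone (RFC 2317): the parent 98.206.103.in-addr.arpa must CNAME 200-207 into this zone` would record the dependency that lives outside this repository. The forward names it points at (`router.alt.m-labs.hk.`, `stewardship1.alt.m-labs.hk.`, `stewardship2.alt.m-labs.hk.`) are added to m-labs.hk in the same commit, so the two files need to be kept in step, serials included, whenever the allocation changes.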