authorMax Audron <audron@cocaine.farm>2023-10-05 14:42:50 +0200
committerMax Audron <audron@cocaine.farm>2023-10-05 14:42:50 +0200
commit0d18a3a441a5465a6a1775576bb0815419643aa9 (patch)
tree9188b8313d38ec4b6880a1f280854045b8c99267
parentdeploy teamspeak and quassel (diff)
deploy powerdns and bgp config
-rw-r--r--flake.lock6
-rw-r--r--flake.nix8
-rw-r--r--machines/ettves/default.nix3
-rw-r--r--machines/fra01/default.nix2
-rw-r--r--machines/nyc01/default.nix2
-rw-r--r--machines/sin01/default.nix2
-rw-r--r--modules/bgp/default.nix105
-rw-r--r--modules/default.nix1
-rw-r--r--modules/postgresql/default.nix6
-rw-r--r--modules/powerdns/default.nix66
-rw-r--r--modules/powerdns/pdns-primary.conf18
-rw-r--r--modules/powerdns/pdns-secondary.conf7
12 files changed, 198 insertions, 28 deletions
diff --git a/flake.lock b/flake.lock
index bca03cd..fa2a5e0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -42,11 +42,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1691577770,
- "narHash": "sha256-fVY5VSbFJN9pXDTpBeOx6zeoeSnUGIMniY9jrsWCBaA=",
+ "lastModified": 1696458398,
+ "narHash": "sha256-z8qTV8uDEH7RH4wPFU/URH6PM0SIbjgwGMM++I0pMlQ=",
"owner": "maxaudron",
"repo": "nixinate",
- "rev": "9a0fdbbbcd41c47ef9403794aafc35215dc1a224",
+ "rev": "455204cc06f156350c40731469cb8e0b931ac9cc",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index c6a7133..4387298 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,11 +29,11 @@
nixosConfigurations = with self.nixosModules; {
# vultr-image = mkSystem [ common users image vultr ];
- ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs ];
+ ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs teamspeak postgresql quassel powerdns ];
phaenn = mkSystem [ (import ./machines/phaenn) common users wireguard crypto kubernetes zfs ];
- fra01 = mkSystem [ (import ./machines/fra01) common users wireguard crypto kubernetes vultr bgp ];
- nyc01 = mkSystem [ (import ./machines/nyc01) common users wireguard crypto kubernetes vultr bgp ];
- sin01 = mkSystem [ (import ./machines/sin01) common users wireguard crypto kubernetes vultr bgp ];
+ fra01 = mkSystem [ (import ./machines/fra01) common users wireguard crypto kubernetes vultr bgp powerdns ];
+ nyc01 = mkSystem [ (import ./machines/nyc01) common users wireguard crypto kubernetes vultr bgp powerdns ];
+ sin01 = mkSystem [ (import ./machines/sin01) common users wireguard crypto kubernetes vultr bgp powerdns ];
};
};
systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
diff --git a/machines/ettves/default.nix b/machines/ettves/default.nix
index 5a4a8c0..cf3fe23 100644
--- a/machines/ettves/default.nix
+++ b/machines/ettves/default.nix
@@ -116,6 +116,8 @@ in {
advertiseAddress = endpoint;
};
+ services.powerdns.role = "primary";
+
wireguard = {
enable = true;
roaming = true;
@@ -131,5 +133,6 @@ in {
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
+ nixOptions = [ "--show-trace" ];
};
}
diff --git a/machines/fra01/default.nix b/machines/fra01/default.nix
index 059e082..6e2f80f 100644
--- a/machines/fra01/default.nix
+++ b/machines/fra01/default.nix
@@ -19,6 +19,8 @@ in
};
};
+ services.powerdns.role = "secondary";
+
wireguard = {
enable = true;
inherit endpoint;
diff --git a/machines/nyc01/default.nix b/machines/nyc01/default.nix
index b745897..ef81a57 100644
--- a/machines/nyc01/default.nix
+++ b/machines/nyc01/default.nix
@@ -19,6 +19,8 @@ in
};
};
+ services.powerdns.role = "secondary";
+
wireguard = {
enable = true;
inherit endpoint;
diff --git a/machines/sin01/default.nix b/machines/sin01/default.nix
index 267981f..4b168fc 100644
--- a/machines/sin01/default.nix
+++ b/machines/sin01/default.nix
@@ -19,6 +19,8 @@ in
};
};
+ services.powerdns.role = "secondary";
+
wireguard = {
enable = true;
inherit endpoint;
diff --git a/modules/bgp/default.nix b/modules/bgp/default.nix
index 712f003..5a5f88a 100644
--- a/modules/bgp/default.nix
+++ b/modules/bgp/default.nix
@@ -1,25 +1,90 @@
{ config, lib, pkgs, ... }:
{
- networking.interfaces.eth0.ipv4.addresses = [
- {
- address = "217.163.29.14";
- prefixLength = 32;
- }
- {
- address = "209.250.238.254";
- prefixLength = 32;
- }
- ];
+ networking.interfaces.lo = {
+ ipv4.addresses = [
+ {
+ address = "217.163.29.14";
+ prefixLength = 32;
+ }
+ {
+ address = "209.250.238.254";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a0f:9400:8020::200";
+ prefixLength = 128;
+ }
+ {
+ address = "2a0f:9400:8020::100";
+ prefixLength = 128;
+ }
+ {
+ address = "2a0f:9400:8020::";
+ prefixLength = 48;
+ }
+ ];
+ };
- networking.interfaces.eth0.ipv6.addresses = [
- {
- address = "2a0f:9400:8020::200";
- prefixLength = 128;
- }
- {
- address = "2a0f:9400:8020::100";
- prefixLength = 128;
- }
- ];
+ services.frr = {
+ bgp = {
+ enable = true;
+ config = ''
+ router bgp 64716
+ bgp ebgp-requires-policy
+ no bgp default ipv4-unicast
+ no bgp network import-check
+
+ neighbor V4 peer-group
+ neighbor V4 remote-as 64515
+ neighbor V4 ebgp-multihop 2
+ neighbor 169.254.169.254 peer-group V4
+ neighbor 169.254.169.254 password IpXzIJIsJxABeNdi4mPBbt7XD
+
+ neighbor V6 peer-group
+ neighbor V6 remote-as 64515
+ neighbor V6 ebgp-multihop 2
+ neighbor 2001:19f0:ffff::1 peer-group V6
+ neighbor 2001:19f0:ffff::1 password IpXzIJIsJxABeNdi4mPBbt7XD
+ !
+ address-family ipv4 unicast
+ network 209.250.238.254/32
+ network 217.163.29.14/32
+ neighbor V4 activate
+ neighbor V4 route-map IMPORT in
+ neighbor V4 route-map EXPORT out
+ neighbor V6 activate
+ neighbor V6 route-map IMPORT in
+ neighbor V6 route-map EXPORT out
+ exit-address-family
+ !
+ address-family ipv6 unicast
+ network 2a0f:9400:8020::/48
+ neighbor V4 activate
+ neighbor V4 route-map IMPORT in
+ neighbor V4 route-map EXPORT out
+ neighbor V6 activate
+ neighbor V6 route-map IMPORT in
+ neighbor V6 route-map EXPORT out
+ exit-address-family
+ !
+ ip prefix-list internal seq 5 permit 209.250.238.254/32
+ ip prefix-list internal seq 10 permit 217.163.29.14/32
+ ipv6 prefix-list external seq 5 permit 2a0f:9400:8020::/48
+ !
+ route-map EXPORT deny 100
+ !
+ route-map EXPORT permit 2
+ match ipv6 address prefix-list external
+ !
+ route-map EXPORT permit 1
+ match ip address prefix-list internal
+ !
+ route-map IMPORT deny 1
+ !
+ '';
+ };
+ };
}
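Review bot: The BGP session password `IpXzIJIsJxABeNdi4mPBbt7XD` on the two `neighbor … password` lines is committed in plaintext, and because `services.frr.bgp.config` is rendered into the Nix store it will also be world-readable on every host that imports this module. Now that it is in the repository history it should be treated as exposed: rotate it with the peer and supply the new value through a secret that lives outside the store rather than inline in this string. A smaller point: the `address-family ipv6 unicast` section also activates the `V4` peer-group and attaches the same route-maps, which presumably does nothing useful over an IPv4 session; if that is intentional, a one-line comment above `address-family ipv6 unicast` would save the next reader the question.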
diff --git a/modules/default.nix b/modules/default.nix
index bf9787e..2e48583 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -15,4 +15,5 @@
teamspeak = import ./teamspeak;
postgresql = import ./postgresql;
quassel = import ./quassel;
+ powerdns = import ./powerdns;
}
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
index 98169a0..a02e6ce 100644
--- a/modules/postgresql/default.nix
+++ b/modules/postgresql/default.nix
@@ -3,13 +3,17 @@
{
services.postgresql = {
enable = true;
- ensureDatabases = [ "quassel" ];
+ ensureDatabases = [ "quassel" "pdns" ];
ensureUsers = [
{
name = "quassel";
ensurePermissions = { "DATABASE quassel" = "ALL PRIVILEGES"; };
}
{
+ name = "pdns";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ {
name = "audron";
ensureClauses.superuser = true;
}
diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix
new file mode 100644
index 0000000..ae9b497
--- /dev/null
+++ b/modules/powerdns/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+let
+ primary = ''
+ allow-axfr-ips = 10.0.0.0/8,127.0.0.0/8
+ allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8
+ also-notify = 10.10.0.3 10.10.0.4 10.10.0.5
+ only-notify =
+
+ default-soa-content = primary.ns.vapor.systems hostmaster.@ 0 10800 3600 604800 3600
+
+ gpgsql-dbname = pdns
+ gpgsql-host = /var/run/postgresql
+ gpgsql-port = 5432
+ gpgsql-user = pdns
+ launch = gpgsql
+
+ api = yes
+ local-address = 0.0.0.0 [::]
+ primary = yes
+ webserver = yes
+ webserver-address = 10.10.0.1
+ webserver-allow-from = 10.0.0.0/8,127.0.0.0/8
+ '';
+
+ autoprimary = pkgs.writeText "autoprimary.conf" ''
+ 10.10.0.1
+ '';
+
+ bind = pkgs.writeText "named.conf" ''
+ include "/var/lib/pdns/named-autosecondary.conf";
+ '';
+
+ secondary = ''
+ autosecondary = yes
+ bind-config = ${bind}
+ bind-supermaster-config = /var/lib/pdns/named-autosecondary.conf
+ bind-supermaster-destdir = /var/lib/pdns/zones
+ bind-supermasters = ${autoprimary}
+ guardian = yes
+ launch = bind
+ local-address = 0.0.0.0 [::]
+ secondary = yes
+
+ allow-notify-from = 10.10.0.1/32
+ '';
+in
+{
+ options.services.powerdns = {
+ role = lib.mkOption {
+ type = lib.types.enum [ "primary" "secondary" ];
+ };
+ };
+
+ config = {
+ environment.systemPackages = [ pkgs.powerdns ];
+ services.powerdns = {
+ enable = true;
+ extraConfig =
+ if config.services.powerdns.role == "primary"
+ then primary
+ else secondary;
+ secretFile = null;
+ };
+ };
+}
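Review bot: The `primary` string turns on `api = yes` and `webserver = yes`, but no `api-key` is configured anywhere and `secretFile = null`, so the HTTP listener on `webserver-address = 10.10.0.1` is either unusable or reachable without a key from all of `webserver-allow-from = 10.0.0.0/8,127.0.0.0/8` — confirm which, and if the API is meant to be used, provide the key via `secretFile` (the NixOS module presumably interpolates its variables into `extraConfig`) rather than in this Nix string. `allow-dnsupdate-from` is only honoured when `dnsupdate = yes` is also set, which this config does not do, so that line is currently inert and should be dropped or deliberately enabled. The `role` option has neither a `default` nor a `description`, so a machine that imports `powerdns` without setting it fails evaluation with a bare "option `services.powerdns.role' is used but not defined"; adding `description = "Whether this host runs the authoritative primary (gpgsql backend) or an autosecondary (bind backend).";` makes that failure self-explanatory.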
diff --git a/modules/powerdns/pdns-primary.conf b/modules/powerdns/pdns-primary.conf
new file mode 100644
index 0000000..0d76e7a
--- /dev/null
+++ b/modules/powerdns/pdns-primary.conf
@@ -0,0 +1,18 @@
+allow-axfr-ips = 10.0.0.0/8,127.0.0.0/8
+allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8
+also-notify =
+
+default-soa-content = primary.ns.vapor.systems hostmaster.@ 0 10800 3600 604800 3600
+
+gpgsql-dbname = pdns
+gpgsql-host = /var/run/postgresql
+gpgsql-port = 5432
+gpgsql-user = pdns
+launch = gpgsql
+
+api = yes
+local-address = 0.0.0.0 [::]
+primary = yes
+webserver = yes
+webserver-address = 10.10.0.1
+webserver-allow-from = 10.0.0.0/8,127.0.0.0/8
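Review bot: `pdns-primary.conf` is not referenced by the new `modules/powerdns/default.nix`, which carries its own inline `primary` string, and the two already disagree: here `also-notify` is empty and there is no `only-notify`, whereas the module sets `also-notify = 10.10.0.3 10.10.0.4 10.10.0.5` plus an empty `only-notify`. The same applies to `pdns-secondary.conf`, which points `bind-supermasters` at `/var/lib/pdns/autoprimary.conf` while the module generates that list with `pkgs.writeText` and also sets `bind-config` and `allow-notify-from`. Keeping one source of truth — either delete the two `.conf` files or have the module read them with `builtins.readFile` — avoids the next person editing the copy that is never deployed.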
diff --git a/modules/powerdns/pdns-secondary.conf b/modules/powerdns/pdns-secondary.conf
new file mode 100644
index 0000000..5c9c769
--- /dev/null
+++ b/modules/powerdns/pdns-secondary.conf
@@ -0,0 +1,7 @@
+autosecondary = yes
+bind-supermaster-config = /var/lib/pdns/named-autosecondary.conf
+bind-supermasters = /var/lib/pdns/autoprimary.conf
+guardian = yes
+launch = bind
+local-address = 0.0.0.0 [::]
+secondary = yes