feat(ops/machines): IPv6 setup for bugry

Adman (the hoster) have not provided an ETA for native v6 on bugry yet, so we
establish a public v6 connection through nevsky for now.

In traffic flows going West->East the overhead is minimal (a few ms), though I
guess it might be worse if you're in the middle (Yekaterinburg or something).

The prefix was chosen by encoding the bugry public v4 address in hex and
appending it to the nevsky prefix.

Change-Id: I133622c17bd02eade0a6febc6bdf97f403fed14c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12974
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Vincent Ambo 2025-01-12 15:25:44 +03:00 committed by clbot
parent dbdf211fe4
commit bf552f7a9b
7 changed files with 87 additions and 4 deletions


@ -74,6 +74,13 @@ resource "glesys_dnsdomain_record" "tvl_fyi_bugry_A" {
data = var.bugry_ipv4
}
resource "glesys_dnsdomain_record" "tvl_fyi_bugry_AAAA" {
domain = glesys_dnsdomain.tvl_fyi.id
host = "bugry"
type = "AAAA"
data = var.bugry_ipv6
}
resource "glesys_dnsdomain_record" "tvl_fyi_nixery-01_A" {
domain = glesys_dnsdomain.tvl_fyi.id
host = "nixery-01"
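Review bot: The new AAAA record publishes an address that is only reachable while the WireGuard tunnel on nevsky is up, so bugry's v6 reachability now depends on a second machine, and nothing on this record says so. A one-line comment above the resource would save whoever debugs a v6 outage from chasing the hoster first: `# v6 is tunnelled through nevsky (see the bugry and nevsky machine configs), not native`. The surrounding resource list continues past the end of the hunk.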


@ -76,6 +76,11 @@ variable "bugry_ipv4" {
default = "91.199.149.239"
}
variable "bugry_ipv6" {
type = string
default = "2a03:6f00:2:514b:5bc7:95ef:0:2"
}
variable "sanduny_ipv4" {
type = string
default = "85.119.82.231"


@ -8,6 +8,7 @@ in
imports = [
(mod "tvl-cache.nix")
(mod "tvl-users.nix")
(depot.third_party.agenix.src + "/modules/age.nix")
];
hardware.cpu.intel.updateMicrocode = true;
@ -81,19 +82,40 @@ in
};
};
age.secrets = {
wg-privkey.file = depot.ops.secrets."wg-bugry.age";
};
networking = {
hostName = "bugry";
domain = "tvl.fyi";
hostId = "8425e349";
useDHCP = false;
interfaces.enp6s0.ipv6.addresses = [{
interfaces.enp6s0.ipv4.addresses = [{
address = "91.199.149.239";
prefixLength = 24;
}];
defaultGateway = "91.199.149.1";
wireguard.interfaces.wg-nevsky = {
ips = [ "2a03:6f00:2:514b:5bc7:95ef:0:2/96" ];
privateKeyFile = "/run/agenix/wg-privkey";
peers = [{
publicKey = "gLyIY+R/YG9S8W8jtqE6pEV6MTyzeUX/PalL6iyvu3g="; # nevsky
endpoint = "188.225.81.75:51820";
persistentKeepalive = 25;
allowedIPs = [ "::/0" ];
}];
allowedIPsAsRoutes = false; # used as default v6 gateway below
};
defaultGateway6.address = "2a03:6f00:2:514b:5bc7:95ef::1";
defaultGateway6.interface = "wg-nevsky";
nameservers = [
"8.8.8.8"
"8.8.4.4"


@ -7,6 +7,7 @@ in
{
imports = [
(mod "tvl-users.nix")
(depot.third_party.agenix.src + "/modules/age.nix")
];
hardware.cpu.amd.updateMicrocode = true;
@ -83,6 +84,10 @@ in
};
};
age.secrets = {
wg-privkey.file = depot.ops.secrets."wg-nevsky.age";
};
networking = {
hostName = "nevsky";
domain = "tvl.fyi";
@ -106,12 +111,34 @@ in
interface = "enp1s0f0np0";
};
wireguard.interfaces.wg-bugry = {
ips = [ "2a03:6f00:2:514b:5bc7:95ef::1/96" ];
privateKeyFile = "/run/agenix/wg-privkey";
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
'';
peers = [{
publicKey = "+vFeWLH99aaypitw7x1J8IypoTrva28LItb1v2VjOAg="; # bugry
allowedIPs = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ];
}];
allowedIPsAsRoutes = true;
};
nameservers = [
"8.8.8.8"
"8.8.4.4"
];
firewall.allowedTCPPorts = [ 22 80 443 ];
firewall.allowedUDPPorts = [ 51820 ];
};
# Generate an immutable /etc/resolv.conf from the nameserver settings
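Review bot: Nothing in this commit enables IPv6 forwarding on nevsky; the `postSetup` masquerade rule only rewrites source addresses, and unless `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1` (or the `networking.nat` module with `enableIPv6`) is set elsewhere in nevsky.nix, packets from bugry are dropped rather than sent out `enp1s0f0np0`. If it is already set elsewhere, a pointer here would help: `# forwarding for this tunnel relies on net.ipv6.conf.all.forwarding being enabled (see <location>)`. The masquerade source `'2a03:6f00:2:514b:5bc7:95ef::1/96'` names the host address where the peer's `allowedIPs` uses the network form `::/96`; ip6tables normalises both to the same network, but writing `::/96` in all three places avoids a reader wondering whether only ::1 is meant. Inbound reachability of bugry's AAAA address also depends on the hoster routing the whole prefix to nevsky rather than expecting on-link neighbour discovery for each address; that is not visible in this change, so it is worth confirming. The enclosing `networking` block starts before this hunk.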


@ -30,10 +30,13 @@ let
nevsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQe7M+G8Id3ZD7j+I07TCUV1o12q1vpsOXHRlcPSEfa";
bugry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqG6sITyJ/UsQ/RtYqmmMvTT4r4sppadoQIz5SvA+5J";
admins = tazjin ++ aspen ++ sterni;
terraform.publicKeys = tazjin ++ aspen ++ sterni ++ flokli;
whitbyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ whitby ];
allDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny whitby ];
sandunyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny ];
whitbyDefault.publicKeys = admins ++ [ whitby ];
allDefault.publicKeys = admins ++ [ sanduny whitby ];
sandunyDefault.publicKeys = admins ++ [ sanduny ];
bugryDefault.publicKeys = admins ++ [ bugry ];
nevskyDefault.publicKeys = admins ++ [ nevsky ];
in
{
"besadii.age" = whitbyDefault;
@ -60,4 +63,6 @@ in
"tf-glesys.age" = terraform;
"tf-keycloak.age" = terraform;
"tvl-alerts-bot-telegram-token.age" = whitbyDefault;
"wg-bugry.age" = bugryDefault;
"wg-nevsky.age" = nevskyDefault;
}
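Review bot: The new `admins` binding is applied to the four host defaults but not to `terraform.publicKeys`, which still spells out `tazjin ++ aspen ++ sterni ++ flokli`; `terraform.publicKeys = admins ++ flokli;` keeps the recipient sets in step when an admin is added or removed later. The per-host WireGuard secrets being encrypted only to the admins plus that one host's key is the right scope for a tunnel private key, and a short comment above `bugryDefault` saying so, `# host-scoped: only the named machine and admins can decrypt`, would keep future secrets from being widened to `allDefault` by habit.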

BIN
ops/secrets/wg-bugry.age Normal file

Binary file not shown.

ops/secrets/wg-nevsky.age Normal file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 dcsaLw fAd2MnJBU3OG7KpHvd6rhRVQuMl5pGUOlx6zQ1HVpTU
hwoKpHUvpHp/gLFhtwTOyJLBeUyryrZAf8TzDsaoMUg
-> ssh-ed25519 zcCuhA B2ZIcHgTjg69iprbGkKPyGGExK+kP1l6MMYX4czpOVM
xomAnf6WhEM78GWvtAtCS/yw4UfeCT3Ph3evbLp0yQk
-> ssh-ed25519 1SxhRA uJNHTJFigivTGSKNzd4oqEhEIFF/aWwWQzovxwiVSHo
VAzriez/W6hZKicze7rOYs7YL8vxPxVoWzMe9yawyqA
-> ssh-ed25519 ch/9tw nBm9P9qvUkZSYI+CKN0kjXzSuD6sg+uMvTux9yTD7V0
Kt+R1s9tEPk+e5ZeskmZtBzEvm25B33KCQwmjnfuVNM
-> ssh-ed25519 CpJBgQ 6g8GbJ/zZkAb1pBpqA5Jm929aIAJlepe1sPNqhAuAWM
gYCkgAQw2nF0wcPMZruvhBqkC4a2BxYK8kWo+R9ll44
-> ssh-ed25519 aXKGcg rfGH2EO9/soo/duaZlt4hBic4KxMDR+tw8JJ1Un+u1U
FzyiK9NT7NUM+oQph/EB26PfuLsLQVYsKwqeBHGaRI8
-> ssh-ed25519 xR+E/Q 3w7vMdS+Iragj8garW5/F0ZL28orsyewbvp4i8szNl4
zuEEaHd2rTfMYuLvQ19TuHOX5UMmSZABD3grJjEnsG8
--- +e2kcaRvPwsUH/XG+ChROPjyZHLv4mfpSBmmJCr/4UM
>S1 :ÔŒuÎ5ܘ¢ªÇ‹Æù@Št) š ïOéQ7õõn^ ïY,µFMͤ6€^õ„»¯>»¬eÞÇ”+~]Ûù‚õÖ9<>ê.Z