authorVincent Ambo <mail@tazj.in>2025-01-12T12·25+0300
committerclbot <clbot@tvl.fyi>2025-01-14T16·44+0000
commitbf552f7a9ba3c0abe8bb5e3f803241bffcde5fea (patch)
treee43351a7031f72d91355a43fb1df24ad4fb5fa91
parentdbdf211fe49d6d401a2ce5bf59773b9a92072c41 (diff)
feat(ops/machines): IPv6 setup for bugry r/9090
Adman (the hoster) have not provided an ETA for native v6 on bugry yet, so we
establish a public v6 connection through nevsky for now.

In traffic flows going West->East the overhead is minimal (a few ms), though I
guess it might be worse if you're in the middle (Yekaterinburg or something).

The prefix was chosen by the bugry public v4 address encoded in hex, and
appended to the nevsky prefix.

Change-Id: I133622c17bd02eade0a6febc6bdf97f403fed14c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12974
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
-rw-r--r--ops/glesys/dns-tvl-fyi.tf7
-rw-r--r--ops/glesys/main.tf5
-rw-r--r--ops/machines/bugry/default.nix24
-rw-r--r--ops/machines/nevsky/default.nix27
-rw-r--r--ops/secrets/secrets.nix11
-rw-r--r--ops/secrets/wg-bugry.agebin0 -> 917 bytes
-rw-r--r--ops/secrets/wg-nevsky.age17
7 files changed, 87 insertions, 4 deletions
diff --git a/ops/glesys/dns-tvl-fyi.tf b/ops/glesys/dns-tvl-fyi.tf
index 600b4ed54a96..2edef3a45fa9 100644
--- a/ops/glesys/dns-tvl-fyi.tf
+++ b/ops/glesys/dns-tvl-fyi.tf
@@ -74,6 +74,13 @@ resource "glesys_dnsdomain_record" "tvl_fyi_bugry_A" {
   data   = var.bugry_ipv4
 }
 
+resource "glesys_dnsdomain_record" "tvl_fyi_bugry_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "bugry"
+  type   = "AAAA"
+  data   = var.bugry_ipv6
+}
+
 resource "glesys_dnsdomain_record" "tvl_fyi_nixery-01_A" {
   domain = glesys_dnsdomain.tvl_fyi.id
   host   = "nixery-01"
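Review bot: The new `tvl_fyi_bugry_AAAA` record publishes an address that is only reachable while bugry's wg-nevsky tunnel is up, and nothing in the Terraform says so; a comment above the resource would keep that dependency next to the record, e.g. `# bugry has no native v6 yet; this address is tunnelled through nevsky (see ops/machines/bugry/default.nix)`. Dual-stack clients will now try this address as well as the A record, so an outage of the tunnel shows up as degraded connectivity for them rather than being invisible, which is worth knowing when the record is looked at in isolation.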
diff --git a/ops/glesys/main.tf b/ops/glesys/main.tf
index d675987f1313..eef612027b32 100644
--- a/ops/glesys/main.tf
+++ b/ops/glesys/main.tf
@@ -76,6 +76,11 @@ variable "bugry_ipv4" {
   default = "91.199.149.239"
 }
 
+variable "bugry_ipv6" {
+  type    = string
+  default = "2a03:6f00:2:514b:5bc7:95ef:0:2"
+}
+
 variable "sanduny_ipv4" {
   type    = string
   default = "85.119.82.231"
diff --git a/ops/machines/bugry/default.nix b/ops/machines/bugry/default.nix
index 2f28b39f89ef..fe581b421b96 100644
--- a/ops/machines/bugry/default.nix
+++ b/ops/machines/bugry/default.nix
@@ -8,6 +8,7 @@ in
   imports = [
     (mod "tvl-cache.nix")
     (mod "tvl-users.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   hardware.cpu.intel.updateMicrocode = true;
@@ -81,19 +82,40 @@ in
     };
   };
 
+  age.secrets = {
+    wg-privkey.file = depot.ops.secrets."wg-bugry.age";
+  };
+
   networking = {
     hostName = "bugry";
     domain = "tvl.fyi";
     hostId = "8425e349";
     useDHCP = false;
 
-    interfaces.enp6s0.ipv6.addresses = [{
+    interfaces.enp6s0.ipv4.addresses = [{
       address = "91.199.149.239";
       prefixLength = 24;
     }];
 
     defaultGateway = "91.199.149.1";
 
+    wireguard.interfaces.wg-nevsky = {
+      ips = [ "2a03:6f00:2:514b:5bc7:95ef:0:2/96" ];
+      privateKeyFile = "/run/agenix/wg-privkey";
+
+      peers = [{
+        publicKey = "gLyIY+R/YG9S8W8jtqE6pEV6MTyzeUX/PalL6iyvu3g="; # nevsky
+        endpoint = "188.225.81.75:51820";
+        persistentKeepalive = 25;
+        allowedIPs = [ "::/0" ];
+      }];
+
+      allowedIPsAsRoutes = false; # used as default v6 gateway below
+    };
+
+    defaultGateway6.address = "2a03:6f00:2:514b:5bc7:95ef::1";
+    defaultGateway6.interface = "wg-nevsky";
+
     nameservers = [
       "8.8.8.8"
       "8.8.4.4"
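Review bot: The `ips` address and `defaultGateway6.address` are derived from bugry's v4 address, but only the commit message says so; a comment in the file would keep that intent with the config, e.g. `# 5bc7:95ef is bugry's public v4 (91.199.149.239) in hex, appended to nevsky's prefix; ::1 is nevsky's end of the tunnel`. The existing `# used as default v6 gateway below` already explains why the `::/0` peer is not installed as a route, so a reader only lacks the address derivation. As a point of style, the two `defaultGateway6.*` lines could be a single attribute set: `defaultGateway6 = { address = "2a03:6f00:2:514b:5bc7:95ef::1"; interface = "wg-nevsky"; };`. The enclosing `networking` set continues past the end of the hunk.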
diff --git a/ops/machines/nevsky/default.nix b/ops/machines/nevsky/default.nix
index 2f3a0f7ae246..fd656c058a06 100644
--- a/ops/machines/nevsky/default.nix
+++ b/ops/machines/nevsky/default.nix
@@ -7,6 +7,7 @@ in
 {
   imports = [
     (mod "tvl-users.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   hardware.cpu.amd.updateMicrocode = true;
@@ -83,6 +84,10 @@ in
     };
   };
 
+  age.secrets = {
+    wg-privkey.file = depot.ops.secrets."wg-nevsky.age";
+  };
+
   networking = {
     hostName = "nevsky";
     domain = "tvl.fyi";
@@ -106,12 +111,34 @@ in
       interface = "enp1s0f0np0";
     };
 
+    wireguard.interfaces.wg-bugry = {
+      ips = [ "2a03:6f00:2:514b:5bc7:95ef::1/96" ];
+      privateKeyFile = "/run/agenix/wg-privkey";
+      listenPort = 51820;
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
+      '';
+
+      postShutdown = ''
+        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
+      '';
+
+      peers = [{
+        publicKey = "+vFeWLH99aaypitw7x1J8IypoTrva28LItb1v2VjOAg="; # bugry
+        allowedIPs = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ];
+      }];
+
+      allowedIPsAsRoutes = true;
+    };
+
     nameservers = [
       "8.8.8.8"
       "8.8.4.4"
     ];
 
     firewall.allowedTCPPorts = [ 22 80 443 ];
+    firewall.allowedUDPPorts = [ 51820 ];
   };
 
   # Generate an immutable /etc/resolv.conf from the nameserver settings
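Review bot: The ip6tables MASQUERADE in `postSetup` only has an effect if IPv6 forwarding is enabled on nevsky, and neither this hunk nor the earlier ones in this file set it; unless it is configured elsewhere, `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;` is needed before traffic from the /96 can leave via enp1s0f0np0. The hand-rolled rule also appends on every interface setup and `postShutdown` deletes only one copy, so a failed shutdown hook leaves duplicate rules; NixOS's `networking.nat` with `enableIPv6 = true` expresses the same masquerade declaratively and manages the forwarding sysctl itself. Separately, inbound traffic to bugry's published AAAA address (2a03:6f00:2:514b:5bc7:95ef:0:2) is not covered by the masquerade and presumably relies on the upstream routing the containing prefix to nevsky or on proxy-NDP — a comment stating which would save the next reader a debugging session. The `networking` set this hunk closes begins in an earlier hunk.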
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index b9824534dd9f..a8b3675ed487 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -30,10 +30,13 @@ let
   nevsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQe7M+G8Id3ZD7j+I07TCUV1o12q1vpsOXHRlcPSEfa";
   bugry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqG6sITyJ/UsQ/RtYqmmMvTT4r4sppadoQIz5SvA+5J";
 
+  admins = tazjin ++ aspen ++ sterni;
   terraform.publicKeys = tazjin ++ aspen ++ sterni ++ flokli;
-  whitbyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ whitby ];
-  allDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny whitby ];
-  sandunyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny ];
+  whitbyDefault.publicKeys = admins ++ [ whitby ];
+  allDefault.publicKeys = admins ++ [ sanduny whitby ];
+  sandunyDefault.publicKeys = admins ++ [ sanduny ];
+  bugryDefault.publicKeys = admins ++ [ bugry ];
+  nevskyDefault.publicKeys = admins ++ [ nevsky ];
 in
 {
   "besadii.age" = whitbyDefault;
@@ -60,4 +63,6 @@ in
   "tf-glesys.age" = terraform;
   "tf-keycloak.age" = terraform;
   "tvl-alerts-bot-telegram-token.age" = whitbyDefault;
+  "wg-bugry.age" = bugryDefault;
+  "wg-nevsky.age" = nevskyDefault;
 }
diff --git a/ops/secrets/wg-bugry.age b/ops/secrets/wg-bugry.age
new file mode 100644
index 000000000000..c2b0a68e6f9d
--- /dev/null
+++ b/ops/secrets/wg-bugry.age
Binary files differ
diff --git a/ops/secrets/wg-nevsky.age b/ops/secrets/wg-nevsky.age
new file mode 100644
index 000000000000..a5011004ee53
--- /dev/null
+++ b/ops/secrets/wg-nevsky.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw fAd2MnJBU3OG7KpHvd6rhRVQuMl5pGUOlx6zQ1HVpTU
+hwoKpHUvpHp/gLFhtwTOyJLBeUyryrZAf8TzDsaoMUg
+-> ssh-ed25519 zcCuhA B2ZIcHgTjg69iprbGkKPyGGExK+kP1l6MMYX4czpOVM
+xomAnf6WhEM78GWvtAtCS/yw4UfeCT3Ph3evbLp0yQk
+-> ssh-ed25519 1SxhRA uJNHTJFigivTGSKNzd4oqEhEIFF/aWwWQzovxwiVSHo
+VAzriez/W6hZKicze7rOYs7YL8vxPxVoWzMe9yawyqA
+-> ssh-ed25519 ch/9tw nBm9P9qvUkZSYI+CKN0kjXzSuD6sg+uMvTux9yTD7V0
+Kt+R1s9tEPk+e5ZeskmZtBzEvm25B33KCQwmjnfuVNM
+-> ssh-ed25519 CpJBgQ 6g8GbJ/zZkAb1pBpqA5Jm929aIAJlepe1sPNqhAuAWM
+gYCkgAQw2nF0wcPMZruvhBqkC4a2BxYK8kWo+R9ll44
+-> ssh-ed25519 aXKGcg rfGH2EO9/soo/duaZlt4hBic4KxMDR+tw8JJ1Un+u1U
+FzyiK9NT7NUM+oQph/EB26PfuLsLQVYsKwqeBHGaRI8
+-> ssh-ed25519 xR+E/Q 3w7vMdS+Iragj8garW5/F0ZL28orsyewbvp4i8szNl4
+zuEEaHd2rTfMYuLvQ19TuHOX5UMmSZABD3grJjEnsG8
+--- +e2kcaRvPwsUH/XG+ChROPjyZHLv4mfpSBmmJCr/4UM
+>S1	:Ԍu5ܘNj@t)OQ7n^Y,FMͤ6^>eǔ+~]9.Z
\ No newline at end of file