modules/krz-router: support VRRP

This adds VRRP support on a management L2 domain.

All of this is a bit insecure; we should at least aim to share a password or something.
This commit is contained in:
Raito Bezarius 2024-01-12 04:03:57 +01:00
parent 1a6f9ffb8f
commit fa0ce6b7ef


@ -42,6 +42,20 @@ in
type = types.str; type = types.str;
description = "Real IP address of the router"; description = "Real IP address of the router";
}; };
routerId = mkOption {
type = types.int;
description = "Router ID for computing automatic IPs";
};
virtualRouterId = mkOption {
type = types.int;
description = "Virtual router ID for VRRP";
};
virtualPriority = mkOption {
type = types.int;
description = "Virtual router priority in the election";
# As recommended per RFC.
default = if cfg.enablePrimary then 100 else 50;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -117,7 +131,7 @@ in
matchConfig.Name = "wgadmin"; matchConfig.Name = "wgadmin";
networkConfig = { networkConfig = {
Description = "VPN d'administration système de l'infrastructure"; Description = "VPN d'administration système de l'infrastructure";
Address = [ "fd81:fb3a:50cc::1/64" ]; Address = [ "fd81:fb3a:50cc::${toString cfg.routerId}/64" ];
# Give access to the rest of the network. # Give access to the rest of the network.
IPForward = "ipv6"; IPForward = "ipv6";
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
@ -128,7 +142,7 @@ in
matchConfig.Name = "admin"; matchConfig.Name = "admin";
networkConfig = { networkConfig = {
Description = "VLAN d'administration système de l'infrastructure"; Description = "VLAN d'administration système de l'infrastructure";
Address = [ "fd81:fb3a:50cc:1::1/48" ]; Address = [ "fd81:fb3a:50cc:1::${toString cfg.routerId}/48" ];
# Give access to the rest of the network. # Give access to the rest of the network.
IPForward = "ipv6"; IPForward = "ipv6";
IPv6ProxyNDP = true; IPv6ProxyNDP = true;
@ -247,6 +261,7 @@ in
# FIXME: "free-dmz" - not ready yet, abandoned? # FIXME: "free-dmz" - not ready yet, abandoned?
# FIXME: "he-v6-pd" - require rework # FIXME: "he-v6-pd" - require rework
# FIXME: "mwan-v6-pd" - require rework # FIXME: "mwan-v6-pd" - require rework
"vrrp-router"
]; ];
}; };
# TODO: SIIT/NAT64/DNS64 component to avoid IPv4 dependency. # TODO: SIIT/NAT64/DNS64 component to avoid IPv4 dependency.
@ -317,6 +332,27 @@ in
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
}; };
"20-vrrp-router" = {
matchConfig.Name = "vrrp-router";
networkConfig = {
Description = "VRRP router health network";
Address = [ "10.0.0.${toString cfg.routerId}/24" ];
KeepConfiguration = true;
};
};
};
};
services.keepalived = {
enable = true;
vrrpInstances.wan = {
interface = "vrrp-router";
state = if cfg.enablePrimary then "MASTER" else "BACKUP";
# We want to start in a stable state.
priority = cfg.virtualPriority;
virtualIps = [{ addr = "${cfg.vip}/24"; dev = "swp"; scope = "global"; }];
inherit (cfg) virtualRouterId;
noPreempt = !cfg.enablePrimary;
}; };
}; };
}; };
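Review bot: The `vrrpInstances.wan` block in the last hunk configures no authentication, so any host attached to the `vrrp-router` segment can participate in the master election, which the commit message itself acknowledges. The NixOS keepalived instance options include `extraConfig`, so a shared secret can be added with `extraConfig = ''authentication { auth_type PASS auth_pass <SECRET-FROM-SECRETS-STORE> }'';`, bearing in mind that keepalived's PASS authentication is sent in clear text and only applies to VRRPv2, and that a literal secret in the module would end up in the world-readable Nix store; isolating the 10.0.0.0/24 health network at L2 therefore remains the primary control and deserves a comment next to `interface = "vrrp-router";`. Separately, `virtualRouterId` and `virtualPriority` in the first hunk are typed `types.int` while VRRP requires a VRID of 1–255 and a priority of 1–254, and `routerId` is interpolated as the host octet of a /24 in the last hunk, so `types.ints.between 1 255`, `types.ints.between 1 254` and `types.ints.between 1 254` respectively would reject misconfigurations at evaluation time. The enclosing `config = mkIf cfg.enable` attribute set starts outside this hunk.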