Simplify network configuration

lx commented

2023-03-24 12:03:41 +00:00

Owner

Done:

Get rid of outside nameserver (use local unbound daemon as a recursive resolver that checks DNSSEC, that's what it's made for)
Get rid of gateway address in firewall rule by replacing it with a port-based rule for IGD/UPnP
Match all network interfaces in network configuration, to avoid having to specify interface name (this makes it easier to transfer HDD from one machine to another when interface names changes)
IPv4: possiblility to use DHCP configuration, in which case nothing needs to be given (used for caribou, carcajou)
- Uses DHCP for automatic discovery of IP address, gateway
- No more need to specify prefix length, netmask is part of the given address
IPv6: possibility to use automated configuration (used for all staging nodes)
- Uses RA for automatic discovery of gateway
- No more need to specify prefix length, it's in the RA
- A static IPv6 may still be given for each node so that will not take any IP address in the advertised prefixes. If not given, the default address assignation mechanism is used
Default values for IPv4 and IPv6 prefix length which are used when no DHCP/no RA
General Nix configuration refactorings
Remove publicIPv4 config value and associated meta tag in Nomad and Consul
Fix Garage configuration to use ipv6 detected by DiploNAT instead of public_ipv6 value from node meta

Deployment status:

staging
- configuration adapted
- deployed
- deploy DiploNAT with automated public IP address discovery (Deuxfleurs/diplonat#20)
- deploy D53 that uses addresses discovered by DiploNAT (Deuxfleurs/D53#4)
prod
- configuration adapted
- deployed
  - neptune
  - orion
  - bespin
  - scorpio
- deploy DiploNAT with automated public IP address discovery
- deploy D53 that uses addresses discovered by DiploNAT

Concerning IPv6 in automated mode: the address is statically defined using the "Token=static" mechanism of systemd-networkd. This means that networkd will combine the upper bits from the prefixes advertised by RA with the lower bits of the specified address.

As long as there is an RA for the IP prefix of the statically defined IP, the node is guaranteed to take that IP address
If there are RAs for prefixes other than the one of the static IP defined for each node, the node will also take an IP in those prefixes (using the same end bits).
If the main IP prefix of the internet connection changes, most things should keep working. In particular, Diplonat will detect the new IPv6 addresses and then D53 will advertise them in the DNS records it manages.
- Some DNS records are still managed manually, those might break
- Garage depends on the node having exactly the IPv6 address that is specified in the config : it uses it as a bind address for the RPC socket to prevent traffic from going through wireguard. So Garage would probably stop working if the main IPv6 prefix changes.

Done: - [x] Get rid of outside nameserver (use local unbound daemon as a recursive resolver that checks DNSSEC, that's what it's made for) - [x] Get rid of gateway address in firewall rule by replacing it with a port-based rule for IGD/UPnP - [x] Match all network interfaces in network configuration, to avoid having to specify interface name (this makes it easier to transfer HDD from one machine to another when interface names changes) - [x] IPv4: possiblility to use DHCP configuration, in which case nothing needs to be given (used for caribou, carcajou) - Uses DHCP for automatic discovery of IP address, gateway - No more need to specify prefix length, netmask is part of the given address - [x] IPv6: possibility to use automated configuration (used for all staging nodes) - Uses RA for automatic discovery of gateway - No more need to specify prefix length, it's in the RA - A static IPv6 may still be given for each node so that will not take any IP address in the advertised prefixes. If not given, the default address assignation mechanism is used - [x] Default values for IPv4 and IPv6 prefix length which are used when no DHCP/no RA - [x] General Nix configuration refactorings - [ ] Remove `publicIPv4` config value and associated meta tag in Nomad and Consul - [x] Fix Garage configuration to use ipv6 detected by DiploNAT instead of `public_ipv6` value from node meta Deployment status: - `staging` - [x] configuration adapted - [x] deployed - [x] deploy DiploNAT with automated public IP address discovery (Deuxfleurs/diplonat#20) - [x] deploy D53 that uses addresses discovered by DiploNAT (Deuxfleurs/D53#4) - `prod` - [x] configuration adapted - [x] deployed - [x] neptune - [x] orion - [x] bespin - [x] scorpio - [x] deploy DiploNAT with automated public IP address discovery - [x] deploy D53 that uses addresses discovered by DiploNAT *Concerning IPv6 in automated mode:* the address is statically defined using the "Token=static" mechanism of systemd-networkd. This means that networkd will combine the upper bits from the prefixes advertised by RA with the lower bits of the specified address. - As long as there is an RA for the IP prefix of the statically defined IP, the node is guaranteed to take that IP address - If there are RAs for prefixes other than the one of the static IP defined for each node, the node will also take an IP in those prefixes (using the same end bits). - If the main IP prefix of the internet connection changes, most things should keep working. In particular, Diplonat will detect the new IPv6 addresses and then D53 will advertise them in the DNS records it manages. - Some DNS records are still managed manually, those might break - ~~Garage depends on the node having exactly the IPv6 address that is specified in the config : it uses it as a bind address for the RPC socket to prevent traffic from going through wireguard. So Garage would probably stop working if the main IPv6 prefix changes.~~

lx added 1 commit 2023-03-24 12:03:42 +00:00

a0db30ca26 Sanitize DNS configuration

- get rid of outside nameserver, unbound does the recursive resolving
  itself (and it checks DNSSEC)
- remove CAP_NET_BIND_SERVICE for Consul as it is no longer binding on
  port 53 (was already obsolete)
- make unbound config independant of LAN IPv4 address

lx force-pushed simplify-network-config from a555937407 to e2aea648cf

2023-03-24 13:42:40 +00:00

Compare

lx added 1 commit 2023-03-24 14:26:46 +00:00

96566ae523 refactor configuration syntax

lx added 1 commit 2023-03-24 14:35:30 +00:00

ecfab3c628 Merge branch 'main' into simplify-network-config

lx added 1 commit 2023-03-31 14:27:16 +00:00

a31c6d109e remove obsolete directives

lx added 1 commit 2023-03-31 14:37:06 +00:00

2add84963d use wgautomesh service definition from my nixpkgs PR

lx force-pushed simplify-network-config from 2add84963d to a31c6d109e