From d9a6365f8b14a9b44550e5b53204274c5834d1d0 Mon Sep 17 00:00:00 2001
From: Serge Bazanski <q3k@hackerspace.pl>
Date: Fri, 16 Oct 2020 19:07:41 +0200
Subject: [PATCH] bgpwtf: add static v6 routes via bird

A customer was missing a static v6 route via their router. Since we
don't want to add them to networking.interfaces.routes.* (as this
restarts the whole scripted network stack in NixOS), we add them to
bird. This requires implementing hscloud.routing.static.

Change-Id: I0a205ed1e1f17a86de43aaf72ab6c2694a069112
---
 bgpwtf/machines/edge01.waw.bgp.wtf.nix        | 14 ++-
 bgpwtf/machines/modules/routing.nix           | 50 ++++++++++
 .../cipher/edge01.waw.bgp.wtf-private.nix     | 93 ++++++++++---------
 3 files changed, 106 insertions(+), 51 deletions(-)

diff --git a/bgpwtf/machines/edge01.waw.bgp.wtf.nix b/bgpwtf/machines/edge01.waw.bgp.wtf.nix
index ec459389..0f754f15 100644
--- a/bgpwtf/machines/edge01.waw.bgp.wtf.nix
+++ b/bgpwtf/machines/edge01.waw.bgp.wtf.nix
@@ -167,19 +167,23 @@ in rec {
     v6.default = { table = "aggregate"; address = "::"; prefixLength = 0; };
   };
   hscloud.routing.pipe = let
-    copySourcesToKernel = sources: table: {
+    copySourcesToKernel = sources: table: extra: {
       table = "master";
       peerTable = table;
       filterIn = ''
+        ${extra}
         ${concatStringsSep "\n" (map (v: "if source = RTS_${v} then accept;") sources)}
         reject;
       '';
     };
   in {
-    v4."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet";
-    v4."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate";
-    v6."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet";
-    v6."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate";
+    v4."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" "";
+    v4."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" "";
+    v6."internet_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "internet" "";
+    v6."aggregate_to_kernel" = copySourcesToKernel ["BGP" "OSPF"] "aggregate" ''
+      # Static v6 routes for customers.
+      if proto ~ "static_static_ipv6_customer_*" then accept;
+    '';
   };
 
   hscloud.routing.ospf.v6.main = {
diff --git a/bgpwtf/machines/modules/routing.nix b/bgpwtf/machines/modules/routing.nix
index e87ab9d7..50f5ff83 100644
--- a/bgpwtf/machines/modules/routing.nix
+++ b/bgpwtf/machines/modules/routing.nix
@@ -14,6 +14,50 @@ with lib;
 let
   cfg = config.hscloud.routing;
 
+  staticType = af: let
+    v4 = af == "ipv4";
+    v6 = af == "ipv6";
+    pretty = if v4 then "IPv4" else "IPv6";
+  in with types; mkOption {
+    type = attrsOf (submodule {
+      options = {
+        table = mkOption {
+          type = nullOr str;
+          description = "BIRD table to which session should be connected.";
+        };
+        address = mkOption {
+          type = str;
+          description = "Address part of prefix to announce.";
+        };
+        prefixLength = mkOption {
+          type = int;
+          description = "Prefix length to announce.";
+        };
+        via = mkOption {
+          type = str;
+          description = "Target address for static route.";
+        };
+      };
+    });
+    default = {};
+    description = "${pretty} static routes to inject into a table.";
+  };
+
+  staticRender = af: n: v: let
+    name = "static_static_${af}_${n}";
+    ip = if af == "ipv4" then "4" else "6";
+  in ''
+    protocol static ${name} {
+      ${af} {
+        table ${v.table}${ip};
+        import all;
+        export none;
+      };
+
+      route ${v.address}/${toString v.prefixLength} via ${v.via};
+    }
+  '';
+
   originateType = af: let
     v4 = af == "ipv4";
     v6 = af == "ipv6";
@@ -351,6 +395,10 @@ in {
       v4 = originateType "ipv4";
       v6 = originateType "ipv6";
     };
+    static = {
+      v4 = staticType "ipv4";
+      v6 = staticType "ipv6";
+    };
     pipe = {
       v4 = pipeType "ipv4";
       v6 = pipeType "ipv6";
@@ -430,6 +478,8 @@ in {
       ${concatStringsSep "\n" (mapAttrsToList (bgpSessionRender "ipv6") cfg.bgpSessions.v6)}
       ${concatStringsSep "\n" (mapAttrsToList (originateRender "ipv4") cfg.originate.v4)}
       ${concatStringsSep "\n" (mapAttrsToList (originateRender "ipv6") cfg.originate.v6)}
+      ${concatStringsSep "\n" (mapAttrsToList (staticRender "ipv4") cfg.static.v4)}
+      ${concatStringsSep "\n" (mapAttrsToList (staticRender "ipv6") cfg.static.v6)}
       ${concatStringsSep "\n" (mapAttrsToList (pipeRender "ipv4") cfg.pipe.v4)}
       ${concatStringsSep "\n" (mapAttrsToList (pipeRender "ipv6") cfg.pipe.v6)}
       ${concatStringsSep "\n" (mapAttrsToList (ospfRender "ipv4") cfg.ospf.v4)}
diff --git a/bgpwtf/machines/secrets/cipher/edge01.waw.bgp.wtf-private.nix b/bgpwtf/machines/secrets/cipher/edge01.waw.bgp.wtf-private.nix
index 9fe6c17b..f97f1eb5 100644
--- a/bgpwtf/machines/secrets/cipher/edge01.waw.bgp.wtf-private.nix
+++ b/bgpwtf/machines/secrets/cipher/edge01.waw.bgp.wtf-private.nix
@@ -1,49 +1,50 @@
 -----BEGIN PGP MESSAGE-----
 
-hQEMAzhuiT4RC8VbAQf/dgcFRI145r2/uIszqB6q0yTbR4co4iEQ6u8c+MTeC7Xp
-B+G6ZOzfzWQFhjlf85w93gNJLVuLFfg/7NJAzvJxsev4yWkwfzP3zewVvHaq/jHo
-CEWA1xkGps+LR4AzrQF+jFvFKyen/Q3twRBu9zRKPKuoe0p6ppsi598wp5GhkCaU
-7QHHRJEAPdk6s80un1aF7lIjz8OZlMq+a/gKPYD9+UmiGG/pDV/opdQMU5LscPCM
-wRe97n1GxzPnX9pVZbhPewB+qHUF5W+deJ3iN17arg6eQfc8qSM7e8EAkf0/H5aj
-5+K0m0M41iV+3qVJb93L0KRe5GIlywiqrHJkUvXoG4UBDANcG2tp6fXqvgEH/12S
-VF8cspQDmmSMogk71Vr8I9mdcg9xOZaRAeDoZqew0gdgylKKtKOWBeO5smjmOi1Q
-IB4FYfUwlZ6QUcTG7ZL26TPkHfyz+DWP/dMaTCo8eFstgRcty0U8IVpb3se0zFAI
-urgoBvBKJjaBJqak9WfOGoMV6pw5UcfRLQZV2QkUza4ieSB7PbcodnX98VKQpe5d
-I1nC5vYb/UzCc3E2yzHaZbll8RqFaXGlWIG1GVj/CPyuknsbtwd4ayRmK5zKmubd
-aXK+wqRqKvkUUl0zw+ieEvfdExiTJOzrDSETV+6r7EVstpxFgl1KNryiuEzQ9YGr
-m0gT0cXMkBvbyEUJfQGFAgwDodoT8VqRl4UBD/4hbYes1onfdmvrcqJb6qTpEQV7
-Sqa64u0q/3WtPmQUvMGRUeWkj8XfiIhs26jaLet2bV0XGfeM7Qh8ocJ0cprjfm/p
-CkFnw8T8DWhRj5CYVQduW2chOMyyGNSe2QLfRhsSBNDtrE7jSSrH42oTLJLA4jlH
-uZ5h0TqqeQguNXdU/sG+Y1kwakcF7btdpTo3b3ZcYMcCbmjDE/i76mGYblKZVHgn
-kop1iJOL9mv/Xjhd9++vJ2HEXdnAk6ELSZxF9URBL4M2GSKnOetZXfqhvnVkF3He
-0LcSZ0i/opymXAur9OYdoufPRZFgS1neghws9lRUp62ig4gpRlMHI/LAvWQ/YGbb
-Cc63LjRpBhxWQy8PZegB02Vwty7rUJVRtXXy3CTUmJuJmJDmOulHMqJhkCHuyGVt
-3zQBiMHPpVirGDWLHCKYBa9oZSLN/SyvmD+VP4ROZHzDAsTqwABuPfEz4d+y4Erm
-mxOPUfqS441WaaPTjezCpXsJrskRRps1UNBJp5Zmx+TOFFueqqIRmCASkURiqI5F
-fIGGIEp1O3AayhVVuEiwuKCUGIEcvJhd/nZl6pLZCP2GJWcKrAkEBd6B7GyeqY/k
-Eu/Y4/tkoyoUEnybPSD7OvG2V/pbFd6iqDG3l7hwbSuzuUozQ750d0nfudbJkhyY
-r4m7pkTHMt3Tx306roUCDAPiA8lOXOuz7wEP/0Y/3YPuNZRhtfUbKbaCpLXsD4oT
-OdgEWFealaXfn0uOy33YBLWLPdtuvyOh+zj5Rl6ll3fyV3jQ1KHEVyL32stLVTag
-Z/i9JxJ5DYunMqhmkx3K+SUEzHeD1lz2yLznnllNeiDUOFWpu+tErz5qBa5dDQUQ
-S7nP8SXCQwrpsUvKQZ4Ac1ARjX83GyToMI4ID/G+2yRQCmQQvZ+PGk5gjTvwJ8sC
-ljC0qJ8lQt+3XYOFjt9Yc+N94bqINgE5Pv/68jvCs5KeuR9gShA1VhkwZ2Qz/yki
-zT272PttGpz+39/euRIe18+mh+iwx7ra9dVP6+i4OUcy8T1sTYhL/Bzg8ZXgopj/
-7cIDfUWD4adt2+ZVtnpuLJaQpZbWquPp1R7eC4D1xhibkzluKKU8WDo3DHDtDvXP
-GoINbDxnyejuvLsvriKWk3QMRa9e0xnYpPQAZX6wCin5Twt3FVPjTzcVI4NoeMRP
-2GUFJG+cAI0TaQxaapQ/RUcM/+NgK5XoqJzTGOfvxrx7WA8IBjUx+RRB6mrKPbUS
-s2xo3l+cDrv4ncipK32+StBun1Ng68ty5dplSkrVnm6ZuOOf2j+H+//H1+UyNa1U
-1ASknTSR4aG5wPrq/Go1TNgiRNvlkdUPKqqOlI900PSFMnC++g623LBA9bShJtvx
-DuyS5J/7keXpBWER0ukBLlH13vqbfswDWOdTX3p9T1evxUZ6bjDwzGO0Ut0Hdv2o
-FyEZTj1szmYI+UnSfI1dy8Ca+86A/KwMXVtSmUK4p+2kIUIx8FgtPWOdJzog/BhS
-UAqgoMN/g9x/FMoHu83ECsHlNPPELnW6UpFPyrhxI2EtaqsDP5JTRy0R61kMG4e9
-3HA6zwy+BsZ4tJqi7fXPhsClppITPfhMREfngG3Pj+TOF0EEbi1dxX3p8u6NO53p
-kd/Orv2IcCdNxTnVxzwkHdVeM16Vn5F9a9yK3OKbMKKqesj0C8tNgLIzSE6UXYF2
-a0IKjvCaqGPBcGeFEibqKHW/hlpiXL6lMrEuA0RkpNlUG+dvXpOfIbgGmOB63yZT
-0roGX4gU8LWIWT+8D3eR1iTtOxs+Ve2KfHI0upsIg2pAWXuhag6v9H/tlxblcc/K
-lZCM8wYbsPr0koRKuokFD0WZOVx5HYGE5Dn3JZ4zTCV0KTo3I0LBuJ1t3OMeQBVr
-64bsm3cCkfZcAZHDNt7BXJqjw9dF/of6GWyWivdOPnzi71js77q9whS1Fatto4hk
-ZbsSR38Dhewu2p9VLurk4rpg1PcBAiaGKvGbXTuKQL3Ia9I9CU3X4ay6GunR4PAI
-Dqeaxv+xZZN6MWC+jyTb9NnOsLLaqABK5QcSiYn2AcGUO3QwNBaovkm58UEtiBsD
-MZ/1vrhwOkOdDIh5spJJKXwYpBUivr/XLaQ=
-=b7js
+hQEMAzhuiT4RC8VbAQf+La/HpIwKtvmb8ZNhG9lDxmAxibz3G1WgDS5SMMuP3BnO
+IK+sOR5MOfae+Cry82f4Nlg24cJDe4963vNq0g+MiLnGpxmLHb+plQxkf5S2yU55
++dKwa/usTJZLa97yqsh8+vdfAnA+C3BaLhhDOO5sgZkArpgMGQ6trUsn+6vmhAmZ
+LLw0rlQjz/IvLu8WW8RqZL17ruXOov4qF0NB6yroZAN4j5spGpq65J2puAZb+rI3
+ZGTm8ie6zb7IlW8RWG96TWk48KcYgLnivxVJwll+zn9Mb0g2AzJWyN7bOy1t1wHs
+yYz5xyB8H/Nqhv2dLfHUtXjQF9uh0ivWewWgzzggjIUBDANcG2tp6fXqvgEH/iz7
+OYsZ+Mj42CYjNntwauHCfmGrvSJwVgco+hzfNmAT2wCHwoZKdktLq1oUuyRrPPwK
+nSe/L249Q7Ick47Lk+NrCIjCFsz03ZzTrEeuY3Yav5m9hzifwLJaeTDy+A+jde2D
+zg3gxuAeaaXfrFmKXwfhpf5/t2LCVFtmdmMg+1ButhgWKMDJL6wQVX5EZjHF6PU0
+n2X+XkXFa807FrZ4sI29pxEmakKtFQHsPlP9G2ydBrz2EmcrSgN+uKorAqEtwUBJ
+zuT7Qg4Ewb2hcPTOR4xLV/DCY80IQyWKEcSj1Hjtes3OA5osDlJWeZvoNUFlXSli
+Wc8S087+7fqmRIohU7+FAgwDodoT8VqRl4UBD/9OivAOdH/LxU0WpT7Bofcyw6iA
+QQZ9kN5SLAY6S9pT274QwHkF/sQGt90Gjq0kIMjm4gc5Cx4kAYoT59Ep/R6HmHC7
+u7D+GuByyiSgAa/YEk3tIAI6/gOeVx5BbG6QNL+ysI8XgRrpRWaEfz8OOpBIALgC
+oBSKBaqxApCejkdO4K3P+lT3jJQ2uOT1i72eBhKOpBA1Vz4BWM/w9HFkhw37sWXc
+i34yrlXdldVpJxbKXMyg4f5hz9OrDCTkLce/dwlZpFGFF+JArFLJ2iLytlFOlTDX
+g5yZLSfziw/B5q1mBevJoSFRgZys3z8xmVD/ETS+1DehJjQsLKo/QlpLqx2dj2qd
+9R5OVGMc2s9YmEAee5aoy8z+egZwo0n48Y10LKwro4XCev2ozy73m3nx7uydIwI6
+jl4qYk6qYASJVK9qrBeB//chxrATLS2PgJqO4oKl8EBvmWeUYR4qaOE/p8QlcLLQ
+Vm5Fm+iITPsSNZgK3AGI0S8CoRLPi/o3C5VvAlEt+bfEuTpR8zzeZLfDqOJ94kOp
+4vKaoQTRzHk8itMkdMeBNBAIGh7fEMqiu3kqtlMunp74uKoY/uzh2rhjBzE7quKB
+x3gTgAPnGTiIFvP1ZaNMjsW9OCsOU2Fkv9syLrpkMuGOfCOLSULQG3GYxG4kybzo
+8w6SQ/y/fDermA+6+YUCDAPiA8lOXOuz7wEP/AmhfKpJoizMTULib/Xf7+A9x34K
+eeLsLPnoRZFdO2pTv7ZtNryOmzVPsXjiuwgO9ULrW31WDeb9KNmLk9JyWji6iED1
+wbbSkFT0yzsMD1BjmxNdd9WHK55sxvtX+yH2MHLIepLXAU0emfIBsW9kMuJ01965
+JlCV+TtYJnUGARoLCBnUzvk1VpjnwD3ed0E5atrwk0kRNIPoM1N2DAIxaIua4CX1
+XCylBgMuNW/D86lLpCMHE3LA1FPqNyFe7eyspWGwkDTRK/YZbq6zUGXrNhftK2vV
+8CA0E2dKIbi+TsrvJVb2X5T3Mf4EsTd2oqclVGWttfbXYs5Rv0vf63Z01VsiWL7A
+sSZJlfVnCuKYvZnB3Am1vZtlk6mHqQRJ3DZM0vp/AkjZ5x6rPwy8wRaKpVD06yZO
+N3h4XLsidnteUZBbamQEKjfZoo0zw27TG+gqT+MGIaQWieuCMBm5amiwUJvRsfH0
+S/M50nuikiXl67xEd+vNYGiacH2tfOorUKzoAebEM2EkB3xb97kU3X+OyImre1S6
+Gs5TC1QH6dtd6yKQAPoQZtK0EQI6B+Rw+zH9IAQgPz5C9oUgRd62GJzgonYOJzFH
+jzOARKKSRen+bsrm3jldfJ4sPl6sRWRHWVLsWh4AJYK8iAqhu88dYOc1nksslmGn
+fOV80T8Acty1wshO0ukB34maKPBSF+rs1oJ/IHmqXHfx5mfjsdof56tgAyQ/rIUE
+ulpDR8ytvoviXzH550Ydf3w+bFrEPHkEq0IBXi31BpM7PUiN1xryibdY81ukAjSS
+KRQV5RFS6lwdJOGAFkE0gJ7xES8P7FiC+wKHE78WdvNm0trZiiaJNrMebkitw6K4
+rJMpZj0mhCtKryYmz3L857QFYeUJ9M95Y4/Ib6aM7dn/fJMOeUOVtv0wESQ44dwQ
+CPDjfQdBXrshRWOYMZBsJjI0J0oBc0BRrbHo60LNixqL36CKWyCRNKNVKyZfv23G
+sBeoSpFOHxiiATzlgobufJyhwgU4k8idMt8+lMl783FN/0gRYs14ziYdKNYP2ctG
+Bci38D19tWoLidIuyR9l96IGWmzxey/wQI6UaRFFQR5Y9Po40WCq6XZIbeT3wDRF
+0ynTxlQ0TP6802iglC93S26tLL3QN/nF22gOxKIEC/tGMtv1vJRWfC1svPitDMD+
+Y91xJS+rnzzcEMeDvZmgA5JRGn4YCL0RK1AWgMmQB1zBmPEXpIpFGjQiWF/s2Cg4
+l21wEMmVO8mTVk2Rygaf6wvyf2TmblGPTbb2zfrq7lKtrYFR34oIB9FY9nqJoqDz
+g2OZhq59qIjTgbvPjkPdvqqi0Vg7CQ4zBz+zhOLrb5U0NPHvMtvwZn1bW4dzSFQr
+IBIk63tVMLrfMvNScOAviyK7QoHOhHXElSofTBSUtlMBAE8vusHE/mYic92BVlsu
+TofitNVONyJHKst3jKVU68O3pWHp2+7CyA8gzf6ieH33UQU=
+=1q6K
 -----END PGP MESSAGE-----