nixos/estuary: Announce and route internal / home prefixes
		@@ -1,7 +1,9 @@
 | 
			
		||||
{ lib, pkgs, config, assignments, allAssignments, ... }:
 | 
			
		||||
let
 | 
			
		||||
  securebitSpace = "2a0e:97c0:4d0::/44";
 | 
			
		||||
  intnet6 = "2a0e:97c0:4df::/48";
 | 
			
		||||
  amsnet6 = "2a0e:97c0:4d2::/48";
 | 
			
		||||
  homenet6 = "2a0e:97c0:4d0::/48";
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
  config = {
 | 
			
		||||
@@ -14,12 +16,12 @@ in
 | 
			
		||||
          define OWNIP4 = ${assignments.internal.ipv4.address};
 | 
			
		||||
          define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
 | 
			
		||||
 | 
			
		||||
          define INTNET6 = 2a0e:97c0:4df::/48;
 | 
			
		||||
          define INTNET6 = ${intnet6};
 | 
			
		||||
          define AMSNET6 = ${amsnet6};
 | 
			
		||||
          define HOMENET6 = 2a0e:97c0:4d0::/48;
 | 
			
		||||
          define HOMENET6 = ${homenet6};
 | 
			
		||||
 | 
			
		||||
          define OWNIP6 = ${assignments.internal.ipv6.address};
 | 
			
		||||
          define OWNNETSET6 = [ ${amsnet6} ];
 | 
			
		||||
          define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
 | 
			
		||||
          #define TRANSSET6 = [ ::1/128 ];
 | 
			
		||||
 | 
			
		||||
          define DUB1IP6 = 2a0e:97c0:4df:0:2::1;
 | 
			
		||||
@@ -45,9 +47,9 @@ in
 | 
			
		||||
          }
 | 
			
		||||
          protocol static {
 | 
			
		||||
            # Special case: We have to do the routing on behalf of this _internal_ next-hop
 | 
			
		||||
            #route INTNET6 via "devplayer0";
 | 
			
		||||
            route INTNET6 via "as211024";
 | 
			
		||||
            route AMSNET6 via "base";
 | 
			
		||||
            #route HOMENET6 via DUB1IP6;
 | 
			
		||||
            route HOMENET6 via DUB1IP6;
 | 
			
		||||
            ipv6 {
 | 
			
		||||
              import all;
 | 
			
		||||
              export none;
 | 
			
		||||
@@ -68,6 +70,7 @@ in
 | 
			
		||||
            ipv6 {
 | 
			
		||||
              import none;
 | 
			
		||||
              export filter {
 | 
			
		||||
                if net = HOMENET6 then accept;
 | 
			
		||||
                if net ~ OWNNETSET6 then reject;
 | 
			
		||||
                krt_prefsrc = OWNIP6;
 | 
			
		||||
                accept;
 | 
			
		||||
 
 | 
			
		||||
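Review bot: In the kernel export filter (hunk @@ -68,6 +70,7 @@), the new `if net = HOMENET6 then accept;` terminates the filter before `krt_prefsrc = OWNIP6;` is reached, so the HOMENET6 kernel route is installed without the preferred source every other accepted route gets; if that is deliberate, the line deserves a comment such as `# HOMENET6 is in OWNNETSET6 but is routed via DUB1IP6, so it must still reach the kernel (no prefsrc on purpose)`. Note also that INTNET6 now joins OWNNETSET6 and is therefore rejected from kernel export, while the static protocol still carries `route INTNET6 via "as211024"` — presumably the kernel reaches that prefix through the interface itself, but the diff does not show it, so worth confirming. The enclosing protocol block for this filter starts and ends outside the hunk.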
@@ -1,4 +1,21 @@
 | 
			
		||||
{ lib, ... }: {
 | 
			
		||||
{ lib, ... }:
 | 
			
		||||
let
 | 
			
		||||
  pubV4 = "94.142.240.44";
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
  nixos = {
 | 
			
		||||
    vpns = {
 | 
			
		||||
      l2 = {
 | 
			
		||||
        as211024 = {
 | 
			
		||||
          vni = 211024;
 | 
			
		||||
          peers = {
 | 
			
		||||
            estuary.addr = pubV4;
 | 
			
		||||
            home.addr = "109.255.1.83";
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
  nixos.systems.estuary = {
 | 
			
		||||
    system = "x86_64-linux";
 | 
			
		||||
    nixpkgs = "mine";
 | 
			
		||||
@@ -10,7 +27,7 @@
 | 
			
		||||
        altNames = [ "fw" ];
 | 
			
		||||
        domain = lib.my.colony.domain;
 | 
			
		||||
        ipv4 = {
 | 
			
		||||
          address = "94.142.240.44";
 | 
			
		||||
          address = pubV4;
 | 
			
		||||
          mask = 24;
 | 
			
		||||
          gateway = "94.142.240.254";
 | 
			
		||||
          genPTR = false;
 | 
			
		||||
@@ -31,6 +48,13 @@
 | 
			
		||||
        };
 | 
			
		||||
        ipv6.address = "${lib.my.colony.start.base.v6}1";
 | 
			
		||||
      };
 | 
			
		||||
      as211024 = {
 | 
			
		||||
        ipv4 = {
 | 
			
		||||
          address = "10.255.3.1";
 | 
			
		||||
          gateway = null;
 | 
			
		||||
        };
 | 
			
		||||
        ipv6.address = "2a0e:97c0:4df:0:3::1";
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
 | 
			
		||||
@@ -180,6 +204,14 @@
 | 
			
		||||
                      ]) [ "vms" "ctrs" "oci" ])));
 | 
			
		||||
                  }
 | 
			
		||||
                ];
 | 
			
		||||
 | 
			
		||||
                "90-l2mesh-as211024" = {
 | 
			
		||||
                  address = with assignments.as211024; [
 | 
			
		||||
                    (with ipv4; "${address}/${toString mask}")
 | 
			
		||||
                    (with ipv6; "${address}/${toString mask}")
 | 
			
		||||
                  ];
 | 
			
		||||
                  networkConfig.IPv6AcceptRA = false;
 | 
			
		||||
                };
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
@@ -189,7 +221,7 @@
 | 
			
		||||
              server.enable = true;
 | 
			
		||||
 | 
			
		||||
              firewall = {
 | 
			
		||||
                trustedInterfaces = [ "base" ];
 | 
			
		||||
                trustedInterfaces = [ "base" "as211024" ];
 | 
			
		||||
                udp.allowed = [ 5353 ];
 | 
			
		||||
                tcp.allowed = [ 5353 ];
 | 
			
		||||
                nat = {
 | 
			
		||||
@@ -250,6 +282,7 @@
 | 
			
		||||
                    }
 | 
			
		||||
                    chain forward {
 | 
			
		||||
                      iifname wan oifname base jump filter-routing
 | 
			
		||||
                      oifname as211024 accept
 | 
			
		||||
                    }
 | 
			
		||||
                  }
 | 
			
		||||
                  table inet nat {
 | 
			
		||||
 
 | 
			
		||||
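Review bot: `oifname as211024 accept` in `chain forward` (hunk @@ -250,6 +282,7 @@) has no input-interface match, so anything arriving on wan and destined for the mesh is forwarded without passing `filter-routing`, unlike the wan → base path on the line above it. If the mesh is meant to carry the newly announced prefixes from the internet, the same chain should probably apply, e.g. `iifname wan oifname as211024 jump filter-routing` ahead of the unconditional accept, or a comment should state why the mesh side needs no filtering. The same commit adds `as211024` to `trustedInterfaces`, so the two mesh peers (reached via the public addresses set in the first hunk) get unrestricted input access to this host; whether the mesh transport itself is authenticated is not visible in this diff and is worth confirming before trusting the interface. The nftables ruleset and the surrounding `firewall` block both extend beyond the hunks shown.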