nixos: Implement estuary -> kelder tunnel
		@@ -87,6 +87,7 @@ in
            environment = {
              systemPackages = with pkgs; [
                ethtool
                wireguard-tools
              ];
            };
@@ -143,6 +144,7 @@ in
            #systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
            systemd.network = {
              wait-online.enable = false;
              config = {
                networkConfig = {
                  ManageForeignRoutes = false;
@@ -168,6 +170,28 @@ in
                (mkVLAN "nl-ix" 1845)
                (mkVLAN "fogixp" 1147)
                (mkVLAN "ifog-transit" 702)
                {
                  "30-kelder" = {
                    netdevConfig = {
                      Name = "kelder";
                      Kind = "wireguard";
                    };
                    wireguardConfig = {
                      PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
                      ListenPort = lib.my.kelder.vpn.port;
                    };
                    wireguardPeers = [
                      {
                        wireguardPeerConfig = {
                          PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
                          AllowedIPs = [ "${lib.my.kelder.vpn.start}2" ];
                          PersistentKeepalive = 25;
                        };
                      }
                    ];
                  };
                }
              ];
              links = {
@@ -303,23 +327,35 @@ in
                ];
                "90-l2mesh-as211024" = {
                  matchConfig.Name = "as211024";
                  address = with assignments.as211024; [
                    (with ipv4; "${address}/${toString mask}")
                    (with ipv6; "${address}/${toString mask}")
                  ];
                  networkConfig.IPv6AcceptRA = false;
                };
                "95-kelder" = {
                  matchConfig.Name = "kelder";
                  address = [ "${lib.my.kelder.vpn.start}1/30" ];
                };
              } ];
            };
            my = {
              #deploy.generate.system.mode = "boot";
              secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
              secrets = {
                key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
                files = {
                  "estuary/kelder-wg.key" = {
                    owner = "systemd-network";
                  };
                };
              };
              server.enable = true;
              firewall = {
                trustedInterfaces = [ "base" "as211024" ];
                udp.allowed = [ 5353 ];
                udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
                  enable = true;
@@ -328,27 +364,33 @@ in
                  forwardPorts = [
                    {
                      port = "http";
                      dst = allAssignments.middleman.internal.ipv4.address + ":http";
                      dst = allAssignments.middleman.internal.ipv4.address;
                    }
                    {
                      port = "https";
                      dst = allAssignments.middleman.internal.ipv4.address + ":https";
                      dst = allAssignments.middleman.internal.ipv4.address;
                    }
                    {
                      port = 8448;
                      dst = allAssignments.middleman.internal.ipv4.address + ":8448";
                      dst = allAssignments.middleman.internal.ipv4.address;
                    }
                    {
                      port = 2456;
                      dst = allAssignments.valheim-oci.internal.ipv4.address + ":2456";
                      dst = allAssignments.valheim-oci.internal.ipv4.address;
                      proto = "udp";
                    }
                    {
                      port = 2457;
                      dst = allAssignments.valheim-oci.internal.ipv4.address + ":2457";
                      dst = allAssignments.valheim-oci.internal.ipv4.address;
                      proto = "udp";
                    }
                    {
                      port = 6922;
                      dst = "${lib.my.kelder.vpn.start}2";
                      dstPort = "ssh";
                    }
                  ];
                };
                extraRules =
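Review bot: The new forward in hunk @@ -328 (`port = 6922; dst = "${lib.my.kelder.vpn.start}2"; dstPort = "ssh";`) publishes kelder's SSH service on estuary's public address over the tunnel, and nothing in the hunk narrows it by source address; whether that is acceptable depends on kelder's sshd policy, which this commit does not show, so a comment on the entry such as `# public SSH entry point for kelder, reached over the "kelder" WireGuard tunnel` would record the intent and the assumption for the next reader. Separately, `PersistentKeepalive = 25;` on the "30-kelder" peer in hunk @@ -168 is redundant on the responding side: that peer carries no Endpoint, so estuary can only emit keepalives after kelder has completed a handshake, and kelder already configures the same keepalive; harmless, but it can be dropped. Note also that the new "kelder" interface is not added to `trustedInterfaces` in hunk @@ -303, so tunnel traffic stays subject to the host firewall; that looks intentional and deserves a one-line comment so nobody "fixes" it later.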
 
@@ -7,6 +7,8 @@
    configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }:
      let
        inherit (lib) mkIf mkMerge mkForce;
        vpnTable = 51820;
      in
      {
        imports = [ ./boot.nix ];
@@ -49,6 +51,12 @@
            };
          };
          environment = {
            systemPackages = with pkgs; [
              wireguard-tools
            ];
          };
          services = {
            fstrim.enable = true;
            lvm = {
@@ -69,6 +77,28 @@
          systemd = {
            network = {
              netdevs = {
                "30-estuary" = {
                  netdevConfig = {
                    Name = "estuary";
                    Kind = "wireguard";
                  };
                  wireguardConfig = {
                    PrivateKeyFile = config.age.secrets."kelder/estuary-wg.key".path;
                    RouteTable = vpnTable;
                  };
                  wireguardPeers = [
                    {
                      wireguardPeerConfig = {
                        PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
                        Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}";
                        AllowedIPs = [ "0.0.0.0/0" ];
                        PersistentKeepalive = 25;
                      };
                    }
                  ];
                };
              };
              links = {
                "10-et1g0" = {
                  matchConfig.MACAddress = "74:d4:35:e9:a1:73";
@@ -80,6 +110,17 @@
                  matchConfig.Name = "et1g0";
                  DHCP = "yes";
                };
                "95-estuary" = {
                  matchConfig.Name = "estuary";
                  address = [ "${lib.my.kelder.vpn.start}2/30" ];
                  routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                    {
                      From = "${lib.my.kelder.vpn.start}2";
                      Table = vpnTable;
                      Priority = 100;
                    }
                  ];
                };
              };
            };
          };
@@ -93,6 +134,11 @@
            deploy.node.hostname = "10.16.9.21";
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
              files = {
                "kelder/estuary-wg.key" = {
                  owner = "systemd-network";
                };
              };
            };
            server.enable = true;
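Review bot: `vpnTable = 51820;` in hunk @@ -7 is an unexplained magic number, and its purpose only becomes clear two hunks later, where `RouteTable = vpnTable;` (hunk @@ -69) parks the `AllowedIPs = [ "0.0.0.0/0" ]` peer route in that table and the policy rule `From = "${lib.my.kelder.vpn.start}2"; Table = vpnTable;` (hunk @@ -80) sends only tunnel-sourced traffic through it. A reader who sees `0.0.0.0/0` on the peer will otherwise assume kelder's whole default route is being moved into the tunnel, so a comment at the binding, e.g. `vpnTable = 51820; # holds the tunnel's 0.0.0.0/0 route; only traffic sourced from the tunnel address is steered here (see "95-estuary" routingPolicyRules)`, would prevent that misreading. The peer `Endpoint` is a DNS name that systemd-networkd has to resolve when it brings up the netdev, so the tunnel presumably depends on name resolution being available at that point; the hunk shows no ordering for it, so this is something to confirm rather than a defect I can point to.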
 