diff --git a/lib/constants.nix b/lib/constants.nix index 151cd6d..0469934 100644 --- a/lib/constants.nix +++ b/lib/constants.nix @@ -268,6 +268,13 @@ rec { assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06"; }; + tailscale = { + prefix = { + v4 = "100.64.0.0/10"; + v6 = "fd7a:115c:a1e0::/48"; + }; + }; + kelder = { groups = { storage = 2000; diff --git a/nixos/boxes/britway/default.nix b/nixos/boxes/britway/default.nix index 956c04d..0180df9 100644 --- a/nixos/boxes/britway/default.nix +++ b/nixos/boxes/britway/default.nix @@ -83,6 +83,10 @@ in networking = { inherit domain; }; systemd.network = { + config = { + routeTables.ts-extra = 1337; + }; + links = { "10-veth0" = { matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06"; @@ -94,7 +98,7 @@ in "20-veth0" = mkMerge [ (networkdAssignment "veth0" assignments.vultr) { - address = [ assignedV6 ]; + address = [ "${assignedV6}/64" ]; } ]; "90-l2mesh-as211024" = mkMerge [ @@ -111,6 +115,20 @@ in Destination = lib.my.c.home.prefixes.all.v4; Gateway = lib.my.c.home.vips.as211024.v4; } + + { + # Just when routing traffic from Tailscale nodes, otherwise use WAN + Destination = lib.my.c.colony.prefixes.all.v6; + Gateway = allAssignments.estuary.as211024.ipv6.address; + Table = "ts-extra"; + } + ]; + routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [ + { + IncomingInterface = "tailscale0"; + To = lib.my.c.colony.prefixes.all.v6; + Table = "ts-extra"; + } ]; } ]; @@ -138,8 +156,6 @@ in chain postrouting { iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address} iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address} - iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address} - iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address} } } ''; diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix index 306f31c..ac315bd 100644 --- a/nixos/boxes/britway/tailscale.nix 
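Review bot: The `ts-extra` route and its `routingPolicyRules` entry steer only `colony.prefixes.all.v6`, while the two SNAT lines this commit removes covered both `ip` and `ip6` leaving via as211024, so Tailscale-sourced IPv4 bound for colony still follows the main table — which, going by the comment "otherwise use WAN", presumably exits veth0 masqueraded as the Vultr address rather than travelling un-NATed over the mesh, leaving estuary's new return route for `tailscale.prefix.v4` unused. If that asymmetry is deliberate, say so next to the rule, e.g. `# IPv4 from Tailscale still exits via WAN; only v6 is steered over as211024`; otherwise add the v4 counterpart `{ Destination = lib.my.c.colony.prefixes.all.v4; Gateway = allAssignments.estuary.as211024.ipv4.address; Table = "ts-extra"; }` together with a matching policy rule. The enclosing `systemd.network` attribute set starts and ends outside the hunk.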
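Review bot: Dropping the `iifname tailscale0 oifname as211024` SNAT rules means Tailscale clients now enter the mesh with their own 100.64.0.0/10 and fd7a:115c:a1e0::/48 source addresses, so any per-source access control for that traffic has to live in a forward chain here or on the peers; only `postrouting` is visible in this hunk, so I cannot tell whether such a filter exists. A short comment in the chain would spare the next reader the same question, e.g. `# Tailscale -> as211024 is deliberately not NATed; peers carry return routes for the Tailscale prefixes`. Without SNAT every as211024 member that can receive this traffic needs those return routes — this commit adds them for estuary and the home routers, but if there are other mesh members they are not covered here. The nftables ruleset string begins before the hunk.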
+++ b/nixos/boxes/britway/tailscale.nix @@ -43,10 +43,7 @@ in db_type = "sqlite3"; db_path = "/var/lib/headscale/db.sqlite3"; noise.private_key_path = "/var/lib/headscale/noise_private.key"; - ip_prefixes = [ - "100.64.0.0/10" - "fd7a:115c:a1e0::/48" - ]; + ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ]; dns_config = { domains = [ domain diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index f40923e..9515236 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -317,6 +317,21 @@ in { matchConfig.Name = "as211024"; networkConfig.IPv6AcceptRA = mkForce false; + routes = map (r: { routeConfig = r; }) [ + { + Destination = lib.my.c.home.prefixes.all.v4; + Gateway = lib.my.c.home.vips.as211024.v4; + } + + { + Destination = lib.my.c.tailscale.prefix.v4; + Gateway = allAssignments.britway.as211024.ipv4.address; + } + { + Destination = lib.my.c.tailscale.prefix.v6; + Gateway = allAssignments.britway.as211024.ipv6.address; + } + ]; } ]; "95-kelder" = { @@ -418,7 +433,7 @@ in ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address} } chain postrouting { - ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address} + ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address} } } ''; diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix index bcc7011..f02d827 100644 --- a/nixos/boxes/home/routing-common/default.nix +++ b/nixos/boxes/home/routing-common/default.nix @@ -66,7 +66,7 @@ in }; ipv6 = { address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6; - gateway = net.cidr.host 1 prefixes.as211024.v6; + gateway = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6; }; }; }; 
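Review bot: `oifname != as211024` now lets colony-internal IPv4 sources into the mesh unmasqueraded, which only works if every as211024 peer that receives them has a return route for `colony.prefixes.all.v4`; the home routers gain one in this commit, but britway's visible as211024 route list (home v4 plus the new ts-extra v6 entry) shows none, so unless that route already exists outside the hunk britway's replies to colony v4 would follow its default route and, per its postrouting chain, leave via veth0. A comment stating the assumption would help, e.g. `# no SNAT towards as211024: mesh peers route our internal prefixes back to us`. The enclosing ruleset string starts before the hunk.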
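Review bot: The new IPv6 gateway is written as the bare offset `(2*65536*65536*65536) + 1` into `prefixes.as211024.v6` with nothing saying which host that address belongs to; the v4 route added further down in this same file names its gateway as `allAssignments.estuary.as211024.ipv4.address`, so presumably this offset is meant to be estuary's as211024 v6 address. If `allAssignments` is usable inside `assignments` (I cannot tell from here), reference it the same way; otherwise at least comment the magic number, e.g. `# estuary's as211024 v6 address — must match allAssignments.estuary.as211024.ipv6.address`. The `assignments` set starts outside the hunk.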
@@ -262,6 +262,21 @@ in { matchConfig.Name = "as211024"; networkConfig.IPv6AcceptRA = mkForce false; + routes = map (r: { routeConfig = r; }) [ + { + Destination = lib.my.c.colony.prefixes.all.v4; + Gateway = allAssignments.estuary.as211024.ipv4.address; + } + + { + Destination = lib.my.c.tailscale.prefix.v4; + Gateway = allAssignments.britway.as211024.ipv4.address; + } + { + Destination = lib.my.c.tailscale.prefix.v6; + Gateway = allAssignments.britway.as211024.ipv6.address; + } + ]; } ]; } @@ -296,7 +311,7 @@ in }; }; firewall = { - trustedInterfaces = [ "lan-hi" "lan-lo" ]; + trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ]; udp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ]; nat = { diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index 7e5c9d1..0fa2128 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -477,6 +477,9 @@ in ]; }) (persistSimpleSvc "headscale") + (mkIf config.services.tailscale.enable { + my.tmproot.persistence.config.directories = [ "/var/lib/tailscale" ]; + }) ])) ]);
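Review bot: Adding `as211024` to `trustedInterfaces` widens the trust boundary well beyond the home LAN: this same commit routes the Tailscale prefixes over as211024 and removes the SNAT on britway, so if this option has the usual NixOS semantics (traffic arriving on a trusted interface is accepted unconditionally) every Tailscale client and every colony host now gets unfiltered input access to the home routers, not just the mesh peers themselves. If the intent is only to let peers and colony reach specific services, keep as211024 untrusted and open the needed ports via `tcp.allowed`/`udp.allowed` (as is already done for 5353) or an explicit allow on the peer addresses. If `firewall` here is a project-local option with narrower semantics, a comment stating what "trusted" grants on this interface would be enough.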
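Review bot: `/var/lib/tailscale` is persisted as a bare path while headscale goes through `persistSimpleSvc`, which presumably also fixes ownership and mode; that directory holds tailscaled's node identity and private key state, so the persisted copy should stay root-only (as far as I know tailscaled creates the state file 0600, but the directory mode comes from the persistence layer). If `my.tmproot.persistence.config.directories` accepts attribute-set entries, prefer `{ directory = "/var/lib/tailscale"; mode = "0700"; }` or whatever `persistSimpleSvc` applies for headscale; otherwise add a comment explaining why the plain form is sufficient. The enclosing `mkMerge` list starts and ends outside the hunk.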