Intra-AS211024 routing

This commit is contained in:
Jack O'Sullivan 2023-12-20 01:30:27 +00:00
parent 21136e98b2
commit 68bf705e85
6 changed files with 63 additions and 10 deletions


@ -268,6 +268,13 @@ rec {
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06"; assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
}; };
tailscale = {
prefix = {
v4 = "100.64.0.0/10";
v6 = "fd7a:115c:a1e0::/48";
};
};
kelder = { kelder = {
groups = { groups = {
storage = 2000; storage = 2000;


@ -83,6 +83,10 @@ in
networking = { inherit domain; }; networking = { inherit domain; };
systemd.network = { systemd.network = {
config = {
routeTables.ts-extra = 1337;
};
links = { links = {
"10-veth0" = { "10-veth0" = {
matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06"; matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06";
@ -94,7 +98,7 @@ in
"20-veth0" = mkMerge [ "20-veth0" = mkMerge [
(networkdAssignment "veth0" assignments.vultr) (networkdAssignment "veth0" assignments.vultr)
{ {
address = [ assignedV6 ]; address = [ "${assignedV6}/64" ];
} }
]; ];
"90-l2mesh-as211024" = mkMerge [ "90-l2mesh-as211024" = mkMerge [
@ -111,6 +115,20 @@ in
Destination = lib.my.c.home.prefixes.all.v4; Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4; Gateway = lib.my.c.home.vips.as211024.v4;
} }
{
# Just when routing traffic from Tailscale nodes, otherwise use WAN
Destination = lib.my.c.colony.prefixes.all.v6;
Gateway = allAssignments.estuary.as211024.ipv6.address;
Table = "ts-extra";
}
];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
IncomingInterface = "tailscale0";
To = lib.my.c.colony.prefixes.all.v6;
Table = "ts-extra";
}
]; ];
} }
]; ];
@ -138,8 +156,6 @@ in
chain postrouting { chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address} iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address} iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
} }
} }
''; '';
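Review bot: Dropping the two `snat ... oifname as211024` rules in the postrouting hunk means Tailscale nodes now traverse the AS211024 mesh with their 100.64.0.0/10 and fd7a:115c:a1e0::/48 sources intact, so every peer on that mesh must carry the return routes this commit adds elsewhere and must expect those source prefixes in its own filtering; nothing in this file states that dependency. The new policy rule only steers the colony v6 prefix into `ts-extra`, so Tailscale IPv4 toward the colony appears to stay on the main table and exit via veth0 with the surviving SNAT — if that asymmetry is intentional, the comment above the new route should say so, e.g. `# Only v6 is steered over AS211024 here; v4 from Tailscale still exits via WAN (SNAT above)`. The `systemd.network` and nftables attribute sets both begin and end outside these hunks.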


@ -43,10 +43,7 @@ in
db_type = "sqlite3"; db_type = "sqlite3";
db_path = "/var/lib/headscale/db.sqlite3"; db_path = "/var/lib/headscale/db.sqlite3";
noise.private_key_path = "/var/lib/headscale/noise_private.key"; noise.private_key_path = "/var/lib/headscale/noise_private.key";
ip_prefixes = [ ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
"100.64.0.0/10"
"fd7a:115c:a1e0::/48"
];
dns_config = { dns_config = {
domains = [ domains = [
domain domain


@ -317,6 +317,21 @@ in
{ {
matchConfig.Name = "as211024"; matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.britway.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.britway.as211024.ipv6.address;
}
];
} }
]; ];
"95-kelder" = { "95-kelder" = {
@ -418,7 +433,7 @@ in
ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address} ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address}
} }
chain postrouting { chain postrouting {
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address} ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
} }
} }
''; '';
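Review bot: The three `routeConfig` entries added under `matchConfig.Name = "as211024"` are repeated verbatim in the other as211024 network section of this commit (the one that also edits `trustedInterfaces`), so the two hosts will drift the first time one of them is edited; a shared binding such as `tailscaleViaBritway = [ { Destination = lib.my.c.tailscale.prefix.v4; Gateway = allAssignments.britway.as211024.ipv4.address; } { Destination = lib.my.c.tailscale.prefix.v6; Gateway = allAssignments.britway.as211024.ipv6.address; } ];` referenced from both would keep them in step. The `oifname != as211024` exception on the postrouting SNAT means internal IPv4 sources now cross the mesh unmasqueraded, which only works if peers route `prefixes.all.v4` back here — worth a one-line comment on that rule stating the assumption. The enclosing network list and the nftables string both extend outside the hunks shown.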


@ -66,7 +66,7 @@ in
}; };
ipv6 = { ipv6 = {
address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6; address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6;
gateway = net.cidr.host 1 prefixes.as211024.v6; gateway = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6;
}; };
}; };
}; };
@ -262,6 +262,21 @@ in
{ {
matchConfig.Name = "as211024"; matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.colony.prefixes.all.v4;
Gateway = allAssignments.estuary.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.britway.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.britway.as211024.ipv6.address;
}
];
} }
]; ];
} }
@ -296,7 +311,7 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" ]; trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
udp.allowed = [ 5353 ]; udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ];
nat = { nat = {
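Review bot: Adding `"as211024"` to `trustedInterfaces` exempts the whole mesh interface from the host firewall, and this same commit stops masquerading Tailscale sources onto that mesh and adds routes for the Tailscale prefixes, so any device admitted to the tailnet presumably reaches every listening service on this host with no port check. If the goal is only to let mesh peers reach specific services, leave the line as `trustedInterfaces = [ "lan-hi" "lan-lo" ];` and add the needed ports to `udp.allowed`/`tcp.allowed` (or gate by source prefix) instead. The gateway change in the first hunk uses bare `2*65536*65536*65536` arithmetic next to the existing `1*65536*65536*65536`; a named binding such as `hostBlock = 65536*65536*65536;` would make the intended partition of `prefixes.as211024.v6` readable rather than inferred. Both hunks sit inside attribute sets that start and end outside the view.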


@ -477,6 +477,9 @@ in
]; ];
}) })
(persistSimpleSvc "headscale") (persistSimpleSvc "headscale")
(mkIf config.services.tailscale.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/tailscale" ];
})
])) ]))
]); ]);