Intra-AS211024 routing

This commit is contained in:
Jack O'Sullivan 2023-12-20 01:30:27 +00:00
parent 21136e98b2
commit 68bf705e85
6 changed files with 63 additions and 10 deletions


@ -268,6 +268,13 @@ rec {
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
};
tailscale = {
prefix = {
v4 = "100.64.0.0/10";
v6 = "fd7a:115c:a1e0::/48";
};
};
kelder = {
groups = {
storage = 2000;


@ -83,6 +83,10 @@ in
networking = { inherit domain; };
systemd.network = {
config = {
routeTables.ts-extra = 1337;
};
links = {
"10-veth0" = {
matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06";
@ -94,7 +98,7 @@ in
"20-veth0" = mkMerge [
(networkdAssignment "veth0" assignments.vultr)
{
address = [ assignedV6 ];
address = [ "${assignedV6}/64" ];
}
];
"90-l2mesh-as211024" = mkMerge [
@ -111,6 +115,20 @@ in
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
{
# Just when routing traffic from Tailscale nodes, otherwise use WAN
Destination = lib.my.c.colony.prefixes.all.v6;
Gateway = allAssignments.estuary.as211024.ipv6.address;
Table = "ts-extra";
}
];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
IncomingInterface = "tailscale0";
To = lib.my.c.colony.prefixes.all.v6;
Table = "ts-extra";
}
];
}
];
@ -138,8 +156,6 @@ in
chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
}
}
'';
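Review bot: The routing policy rule in the third hunk steers only `lib.my.c.colony.prefixes.all.v6` from tailscale0 into table ts-extra, so Tailscale traffic bound for the colony's v4 prefixes still follows the main table; unless that table already carries a colony-v4 route over as211024 (not visible here), it exits veth0 and is masqueraded by the `snat ip to ${assignments.vultr.ipv4.address}` line in the last hunk, which is a different path from the one v6 takes. The last hunk's counts (8 old, 6 new, no additions) suggest the tailscale0→as211024 snat pair was dropped, which fits the rest of the commit but means the mesh peers must route the Tailscale prefixes back here themselves. If the v4 asymmetry is intended, say so next to the existing comment, e.g. `# v4 towards the colony is deliberately left on the WAN path; only v6 is sent over AS211024`; otherwise a matching `Destination = lib.my.c.colony.prefixes.all.v4` route in ts-extra and a second rule with `To` set to that prefix would make the two families consistent. The networks attribute set and the nftables ruleset both continue outside these hunks.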


@ -43,10 +43,7 @@ in
db_type = "sqlite3";
db_path = "/var/lib/headscale/db.sqlite3";
noise.private_key_path = "/var/lib/headscale/noise_private.key";
ip_prefixes = [
"100.64.0.0/10"
"fd7a:115c:a1e0::/48"
];
ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
dns_config = {
domains = [
domain


@ -317,6 +317,21 @@ in
{
matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.britway.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.britway.as211024.ipv6.address;
}
];
}
];
"95-kelder" = {
@ -418,7 +433,7 @@ in
ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address}
}
chain postrouting {
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
}
}
'';
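Review bot: The `oifname != as211024` exclusion on the postrouting snat means internal v4 sources now leave over the mesh untranslated, so every AS211024 peer must hold a return route for `prefixes.all.v4`; the home-side file in this commit adds one via estuary, but britway's hunks only add a v6 colony route in ts-extra, so v4 return traffic from that host depends on a route I cannot see. Worth recording the assumption at the rule: `# no SNAT onto the AS211024 mesh: peers carry return routes for prefixes.all.v4 (see the as211024 routes above)`. The new routes list in the first hunk is undocumented as well; a one-liner such as `# Tailscale prefixes are reached through britway over AS211024` would tell the next reader why britway rather than the WAN. The nftables ruleset and the as211024 network unit both continue outside these hunks.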


@ -66,7 +66,7 @@ in
};
ipv6 = {
address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6;
gateway = net.cidr.host 1 prefixes.as211024.v6;
gateway = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6;
};
};
};
@ -262,6 +262,21 @@ in
{
matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.colony.prefixes.all.v4;
Gateway = allAssignments.estuary.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v4;
Gateway = allAssignments.britway.as211024.ipv4.address;
}
{
Destination = lib.my.c.tailscale.prefix.v6;
Gateway = allAssignments.britway.as211024.ipv6.address;
}
];
}
];
}
@ -296,7 +311,7 @@ in
};
};
firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" ];
trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ];
nat = {
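Review bot: Adding `"as211024"` to `trustedInterfaces` in the last hunk exempts everything arriving over the mesh from the input filter, and since the second hunk routes both Tailscale prefixes (`100.64.0.0/10`, `fd7a:115c:a1e0::/48`) via britway on that same interface while the colony side stops SNATing toward as211024, Tailscale peers would now reach this host with their own source addresses and inherit that trust transitively. If only mesh members are meant to be trusted, keying the allowance on the AS211024 prefixes (or listing the ports the peers need) is narrower than trusting the whole interface; at minimum document the decision, e.g. `# as211024 also carries forwarded Tailscale traffic (see routes above) — trusted deliberately`. Unrelated: the gateway change in the first hunk repeats `65536*65536*65536` alongside the address line; binding it once (e.g. `let blk = 65536*65536*65536; in`) would make the intent of the `1*` / `2*` block offsets visible. The firewall set continues outside the hunk.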


@ -477,6 +477,9 @@ in
];
})
(persistSimpleSvc "headscale")
(mkIf config.services.tailscale.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/tailscale" ];
})
]))
]);
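Review bot: The persisted directory `/var/lib/tailscale` holds tailscaled's state, which includes the node's private key material, so the persistence binding should carry ownership and mode across rather than recreate the path with defaults; I cannot tell from this hunk whether `my.tmproot.persistence.config.directories` preserves them or exposes a mode option, so that is worth confirming. A short comment would also help, e.g. `# tailscaled state (incl. node key) — must survive reboots and keep restrictive perms`. The `mkIf`/list containing this entry continues outside the hunk.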