Intra-AS211024 routing
This commit is contained in:
parent
21136e98b2
commit
68bf705e85
@ -268,6 +268,13 @@ rec {
|
||||
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
|
||||
};
|
||||
|
||||
tailscale = {
|
||||
prefix = {
|
||||
v4 = "100.64.0.0/10";
|
||||
v6 = "fd7a:115c:a1e0::/48";
|
||||
};
|
||||
};
|
||||
|
||||
kelder = {
|
||||
groups = {
|
||||
storage = 2000;
|
||||
|
@ -83,6 +83,10 @@ in
|
||||
networking = { inherit domain; };
|
||||
|
||||
systemd.network = {
|
||||
config = {
|
||||
routeTables.ts-extra = 1337;
|
||||
};
|
||||
|
||||
links = {
|
||||
"10-veth0" = {
|
||||
matchConfig.PermanentMACAddress = "56:00:04:ac:6e:06";
|
||||
@ -94,7 +98,7 @@ in
|
||||
"20-veth0" = mkMerge [
|
||||
(networkdAssignment "veth0" assignments.vultr)
|
||||
{
|
||||
address = [ assignedV6 ];
|
||||
address = [ "${assignedV6}/64" ];
|
||||
}
|
||||
];
|
||||
"90-l2mesh-as211024" = mkMerge [
|
||||
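Review bot: The prefix length on the new `address = [ "${assignedV6}/64" ];` line is a hard-coded literal while `assignedV6` itself comes from the constants file, so the two can drift apart if the assignment is ever renumbered. Consider keeping the length next to the address in the constant (e.g. `assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06/64";`, or a sibling `assignedV6Len`) and interpolating that, so one place owns the on-link scope. Treating the whole /64 as on-link is presumably what the provider expects for this interface, but that is not visible in the hunk, so a one-line comment saying so would help. The `"20-veth0"` network definition continues outside the hunk.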
@ -111,6 +115,20 @@ in
|
||||
Destination = lib.my.c.home.prefixes.all.v4;
|
||||
Gateway = lib.my.c.home.vips.as211024.v4;
|
||||
}
|
||||
|
||||
{
|
||||
# Just when routing traffic from Tailscale nodes, otherwise use WAN
|
||||
Destination = lib.my.c.colony.prefixes.all.v6;
|
||||
Gateway = allAssignments.estuary.as211024.ipv6.address;
|
||||
Table = "ts-extra";
|
||||
}
|
||||
];
|
||||
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
|
||||
{
|
||||
IncomingInterface = "tailscale0";
|
||||
To = lib.my.c.colony.prefixes.all.v6;
|
||||
Table = "ts-extra";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
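Review bot: The new routing policy rule for `tailscale0` sets no `Priority=`, so networkd leaves it unset and the kernel picks a value dynamically, which makes the "otherwise use WAN" behaviour in the comment depend on creation order rather than on anything stated in the config. I would pin it, e.g. `Priority = 1000;` next to `Table = "ts-extra";`, so a later rule cannot silently reorder it. The rule keys on incoming interface only; adding `From = lib.my.c.tailscale.prefix.v6;` would additionally keep misrouted or spoofed sources on the tunnel from being steered down the as211024 path. Only an IPv6 route/rule pair is added here, so Tailscale-originated IPv4 traffic to the colony v4 prefix still follows whatever the main table says, which is outside this hunk.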
@ -138,8 +156,6 @@ in
|
||||
chain postrouting {
|
||||
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
|
||||
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
|
||||
iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
|
||||
iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
|
||||
}
|
||||
}
|
||||
'';
|
||||
|
@ -43,10 +43,7 @@ in
|
||||
db_type = "sqlite3";
|
||||
db_path = "/var/lib/headscale/db.sqlite3";
|
||||
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
||||
ip_prefixes = [
|
||||
"100.64.0.0/10"
|
||||
"fd7a:115c:a1e0::/48"
|
||||
];
|
||||
ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
|
||||
dns_config = {
|
||||
domains = [
|
||||
domain
|
||||
|
@ -317,6 +317,21 @@ in
|
||||
{
|
||||
matchConfig.Name = "as211024";
|
||||
networkConfig.IPv6AcceptRA = mkForce false;
|
||||
routes = map (r: { routeConfig = r; }) [
|
||||
{
|
||||
Destination = lib.my.c.home.prefixes.all.v4;
|
||||
Gateway = lib.my.c.home.vips.as211024.v4;
|
||||
}
|
||||
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v4;
|
||||
Gateway = allAssignments.britway.as211024.ipv4.address;
|
||||
}
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v6;
|
||||
Gateway = allAssignments.britway.as211024.ipv6.address;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
"95-kelder" = {
|
||||
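Review bot: The two added routes steer `lib.my.c.tailscale.prefix.v4`/`.v6` towards britway over `as211024` with no `Table=`, so every flow on this host can now reach Tailscale nodes through the mesh, not only replies to Tailscale-initiated traffic; whether that is intended depends on britway's forward policy, which this commit does not show. A one-line comment above the pair, `# return path for un-NATed Tailscale sources arriving via britway`, would save the next reader the inference that these routes replace the SNAT removed elsewhere in this commit. The `as211024` network block is complete within the hunk, but the `"95-kelder"` entry that follows is cut off.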
@ -418,7 +433,7 @@ in
|
||||
ip6 daddr ${aa.git.internal.ipv6.address} tcp dport { http, https } dnat to ${aa.middleman.internal.ipv6.address}
|
||||
}
|
||||
chain postrouting {
|
||||
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
|
||||
ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
|
||||
}
|
||||
}
|
||||
'';
|
||||
|
@ -66,7 +66,7 @@ in
|
||||
};
|
||||
ipv6 = {
|
||||
address = net.cidr.host ((1*65536*65536*65536) + index + 1) prefixes.as211024.v6;
|
||||
gateway = net.cidr.host 1 prefixes.as211024.v6;
|
||||
gateway = net.cidr.host ((2*65536*65536*65536) + 1) prefixes.as211024.v6;
|
||||
};
|
||||
};
|
||||
};
|
||||
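Review bot: `65536*65536*65536` now appears twice as an unnamed magic number (2^48, which for a prefix of /64 or shorter selects the first 16-bit group of the interface identifier), and the new gateway offset `(2*65536*65536*65536) + 1` is only readable once you know that. A named binding such as `let grp4 = 65536*65536*65536; in` with `address = net.cidr.host (grp4 + index + 1) …` and `gateway = net.cidr.host (2*grp4 + 1) …` makes the layout explicit, and a comment stating that the `…:2::1` address is the upstream router on this prefix would explain why the gateway moved out of `::1`. That the new gateway is on-link for `prefixes.as211024.v6` is assumed here rather than shown. The enclosing assignment function starts outside the hunk.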
@ -262,6 +262,21 @@ in
|
||||
{
|
||||
matchConfig.Name = "as211024";
|
||||
networkConfig.IPv6AcceptRA = mkForce false;
|
||||
routes = map (r: { routeConfig = r; }) [
|
||||
{
|
||||
Destination = lib.my.c.colony.prefixes.all.v4;
|
||||
Gateway = allAssignments.estuary.as211024.ipv4.address;
|
||||
}
|
||||
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v4;
|
||||
Gateway = allAssignments.britway.as211024.ipv4.address;
|
||||
}
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v6;
|
||||
Gateway = allAssignments.britway.as211024.ipv6.address;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
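Review bot: The two `tailscale.prefix` routes via `allAssignments.britway.as211024` are identical to the pair added on the other host in this commit, which is the kind of duplication that later drifts (one host gains a `Table=` or a metric and the other does not). A small shared helper, e.g. `lib.my.c.tailscale.routesVia = gw: [ { Destination = prefix.v4; Gateway = gw.ipv4.address; } { Destination = prefix.v6; Gateway = gw.ipv6.address; } ]`, spliced into each host's `routes` list with `++`, would keep both in step. Together with `IPv6AcceptRA = mkForce false` these static routes are the only path from this host to Tailscale nodes, which deserves a one-line comment saying so. The `networks` list containing this entry continues outside the hunk.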
@ -296,7 +311,7 @@ in
|
||||
};
|
||||
};
|
||||
firewall = {
|
||||
trustedInterfaces = [ "lan-hi" "lan-lo" ];
|
||||
trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
|
||||
udp.allowed = [ 5353 ];
|
||||
tcp.allowed = [ 5353 ];
|
||||
nat = {
|
||||
|
@ -477,6 +477,9 @@ in
|
||||
];
|
||||
})
|
||||
(persistSimpleSvc "headscale")
|
||||
(mkIf config.services.tailscale.enable {
|
||||
my.tmproot.persistence.config.directories = [ "/var/lib/tailscale" ];
|
||||
})
|
||||
]))
|
||||
]);
|
||||
|
||||
|