dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/estuary: Add hillcrest WireGuard
All checks were successful
CI / Check, build and cache nixfiles (push) Successful in 2h27m17s
Details

Browse Source
This commit is contained in:
Jack O'Sullivan
2025-09-27 02:24:35 +01:00
parent 7db5e18974
commit 7bfe9ad697
3 changed files with 60 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/constants.nix
View File

@@ -142,6 +142,13 @@ rec {
v4 = subnet 8 4 all.v4;
};
p2pTunnels = {
v4 = subnet 8 5 all.v4;
};
hillcrest = {
v4 = subnet 6 0 p2pTunnels.v4;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
@@ -414,6 +421,11 @@ rec {
ctrs.v4 = subnet 4 0 all.v4;
};
};
hillcrest = {
vpn.port = 51822;
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;

37
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -171,6 +171,25 @@ in
];
};
}
{
"30-hillcrest" = {
netdevConfig = {
Name = "hillcrest";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/hillcrest-wg.key".path;
ListenPort = lib.my.c.hillcrest.vpn.port;
};
wireguardPeers = [
{
PublicKey = "+67Ks+ZRk1ssNCfg5BFKmIE9NtLasAxRE6XMqufx5GY=";
AllowedIPs = [ (net.cidr.host 2 prefixes.hillcrest.v4) ];
PersistentKeepalive = 25;
}
];
};
}
];
links = {
@@ -349,6 +368,16 @@ in
}
];
};
"95-hillcrest" = {
matchConfig.Name = "hillcrest";
address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
routes = [
{
Destination = net.cidr.host 2 prefixes.hillcrest.v4;
Scope = "link";
}
];
};
} ];
};
@@ -359,6 +388,9 @@ in
"estuary/kelder-wg.key" = {
owner = "systemd-network";
};
"estuary/hillcrest-wg.key" = {
owner = "systemd-network";
};
"l2mesh/as211024.key" = {};
};
};
@@ -370,7 +402,7 @@ in
};
};
firewall = {
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
tcp.allowed = [ 5353 "bgp" ];
nat = {
enable = true;
@@ -435,7 +467,7 @@ in
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept
oifname { as211024, kelder, hillcrest } accept
}
chain output {
oifname ifog ether type != vlan reject
@@ -447,6 +479,7 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
}
chain postrouting {
oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
}
}

13
secrets/estuary/hillcrest-wg.key.age Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBSN09X
Nkc3cVJrMGl0K3BVRjlWWXpkMzdoS0Y2RjFVQ2VOaWlEczlCQ1d3CldGcmtVdzg2
dWR6WkRTOXFMeFRML2R3WFJPK2hpREVZS1FJdXJrVFRwOWcKLT4gWDI1NTE5IG0x
d29QalcweGhhWkYyUlNaeExmVXNZT0dlU21uamZYWkdTR1g5WnBPbkkKZXBZZmli
dEtMdHB5UlpkRFVzUUlnSnlCeFRiU3JuZzJWMTBnZVMwL2d0ZwotPiBgLWdyZWFz
ZSAwWSBjSmFnIDx2CjN1NVRpbnRJNHF3QlhheE9hL1RjemcvbjlBVnRTRmhlVXN1
Nng2TWlseGhrQ3FselhFcUZjV2FRNnZyQml2OWkKYkc3dUw5MVZObGt3RHQ2U0Fz
eUVtUGR5Q2lVRnFCWGhHUVVaWTkwcEt5VnlVYkhXCi0tLSBiWVFUVUI5aGZHSG5o
bWIwdGR5YjdjWXZNYXRqSktFREkwWFNlY2xqcEZjChor89j+2SFeCpVkx7CsST7l
0z4z6EGD2gDl3rRXbfqi50gVoAWJud2psglnKkGeiSfW5pIaI1DC1Wt6bEFEo9Lw
GzbIa6gYGcKW3J+w
-----END AGE ENCRYPTED FILE-----