diff --git a/lib/constants.nix b/lib/constants.nix
index 46356c7..bcaa034 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -142,6 +142,13 @@ rec { v4 = subnet 8 4 all.v4; };
+ p2pTunnels = {
+ v4 = subnet 8 5 all.v4;
+ };
+ hillcrest = {
+ v4 = subnet 6 0 p2pTunnels.v4;
+ };
+
 cust = { v4 = subnet 8 100 all.v4; # single ip for routing only v6 = "2a0e:97c0:4d2:2000::/56";
@@ -414,6 +421,11 @@ rec { ctrs.v4 = subnet 4 0 all.v4; }; };
+
+ hillcrest = {
+ vpn.port = 51822;
+ };
+
 sshKeyFiles = { me = ../.keys/me.pub; deploy = ../.keys/deploy.pub;
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index a4e24f0..3e646ac 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -171,6 +171,25 @@ in ]; }; }
+ {
+ "30-hillcrest" = {
+ netdevConfig = {
+ Name = "hillcrest";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."estuary/hillcrest-wg.key".path;
+ ListenPort = lib.my.c.hillcrest.vpn.port;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "+67Ks+ZRk1ssNCfg5BFKmIE9NtLasAxRE6XMqufx5GY=";
+ AllowedIPs = [ (net.cidr.host 2 prefixes.hillcrest.v4) ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+ }
 ]; links = {
@@ -349,6 +368,16 @@ in } ]; };
+ "95-hillcrest" = {
+ matchConfig.Name = "hillcrest";
+ address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
+ routes = [
+ {
+ Destination = net.cidr.host 2 prefixes.hillcrest.v4;
+ Scope = "link";
+ }
+ ];
+ };
 } ]; };
@@ -359,6 +388,9 @@ in "estuary/kelder-wg.key" = { owner = "systemd-network"; };
+ "estuary/hillcrest-wg.key" = {
+ owner = "systemd-network";
+ };
 "l2mesh/as211024.key" = {}; }; };
@@ -370,7 +402,7 @@ in }; }; firewall = {
- udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
+ udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
 tcp.allowed = [ 5353 "bgp" ]; nat = { enable = true;
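Review bot: The hillcrest peer entry in the new `30-hillcrest` netdev carries no `PresharedKeyFile`, so the tunnel rests on the X25519 handshake alone; WireGuard's optional preshared key is cheap to add here (e.g. `PresharedKeyFile = config.age.secrets."estuary/hillcrest-wg.psk".path;`, provisioned the same way as the private key) and is the documented hardening against future breaks of the key exchange. Whether the existing kelder netdev uses one is not visible in this hunk, so match whatever that peer does for consistency. Scoping `AllowedIPs` to the single peer address is the right choice for a point-to-point link. `PersistentKeepalive = 25` on a peer that has no `Endpoint` only takes effect after the peer's first handshake, which is harmless, but a one-line comment would help if it was meant to cover estuary itself sitting behind a NAT. The enclosing netdevs list starts before this hunk.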
@@ -435,7 +467,7 @@ in iifname { wan, as211024, $ixps } oifname base jump filter-routing oifname $ixps jump ixp iifname base oifname { base, wan, $ixps } accept
- oifname { as211024, kelder } accept
+ oifname { as211024, kelder, hillcrest } accept
 } chain output { oifname ifog ether type != vlan reject
@@ -447,6 +479,7 @@ in ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} } chain postrouting {
+ oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
 ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address} } }
diff --git a/secrets/estuary/hillcrest-wg.key.age b/secrets/estuary/hillcrest-wg.key.age
new file mode 100644
index 0000000..8675ad4
--- /dev/null
+++ b/secrets/estuary/hillcrest-wg.key.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBSN09X
+Nkc3cVJrMGl0K3BVRjlWWXpkMzdoS0Y2RjFVQ2VOaWlEczlCQ1d3CldGcmtVdzg2
+dWR6WkRTOXFMeFRML2R3WFJPK2hpREVZS1FJdXJrVFRwOWcKLT4gWDI1NTE5IG0x
+d29QalcweGhhWkYyUlNaeExmVXNZT0dlU21uamZYWkdTR1g5WnBPbkkKZXBZZmli
+dEtMdHB5UlpkRFVzUUlnSnlCeFRiU3JuZzJWMTBnZVMwL2d0ZwotPiBgLWdyZWFz
+ZSAwWSBjSmFnIDx2CjN1NVRpbnRJNHF3QlhheE9hL1RjemcvbjlBVnRTRmhlVXN1
+Nng2TWlseGhrQ3FselhFcUZjV2FRNnZyQml2OWkKYkc3dUw5MVZObGt3RHQ2U0Fz
+eUVtUGR5Q2lVRnFCWGhHUVVaWTkwcEt5VnlVYkhXCi0tLSBiWVFUVUI5aGZHSG5o
+bWIwdGR5YjdjWXZNYXRqSktFREkwWFNlY2xqcEZjChor89j+2SFeCpVkx7CsST7l
+0z4z6EGD2gDl3rRXbfqi50gVoAWJud2psglnKkGeiSfW5pIaI1DC1Wt6bEFEo9Lw
+GzbIa6gYGcKW3J+w
+-----END AGE ENCRYPTED FILE-----
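Review bot: The new `oifname { as211024, kelder, hillcrest } accept` rule forwards into the hillcrest tunnel from any ingress interface, including wan, as211024 and $ixps, because nothing in it constrains iifname; the enclosing forward chain and its policy start before this hunk, so whether an earlier rule already drops externally-originated traffic towards that /30 cannot be seen here, and whether the prefix is reachable from those interfaces at all depends on prefixes.all.v4 and the routing, which is not visible either. Combined with the postrouting `oifname hillcrest snat ip to …` rule in the next hunk, anything that does reach the tunnel arrives at the peer sourced from estuary's own tunnel address, so the peer can no longer filter or log by real origin. If hillcrest is only meant to be reached from the internal side, leave the existing `oifname { as211024, kelder } accept` as it was and add `iifname base oifname hillcrest accept`; if it is deliberately reachable from everywhere, a short comment next to the rule stating that would make the intent reviewable.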