nixos: Initial waffletail
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m52s
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 20m52s
This commit is contained in:
@@ -298,6 +298,15 @@ in
|
||||
Destination = prefixes.cust.v6;
|
||||
Gateway = allAssignments.colony.internal.ipv6.address;
|
||||
}
|
||||
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v4;
|
||||
Gateway = allAssignments.colony.routing.ipv4.address;
|
||||
}
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v6;
|
||||
Gateway = allAssignments.colony.internal.ipv6.address;
|
||||
}
|
||||
] ++
|
||||
(map (pName: [
|
||||
{
|
||||
@@ -322,15 +331,6 @@ in
|
||||
Destination = lib.my.c.home.prefixes.all.v4;
|
||||
Gateway = lib.my.c.home.vips.as211024.v4;
|
||||
}
|
||||
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v4;
|
||||
Gateway = allAssignments.britway.as211024.ipv4.address;
|
||||
}
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v6;
|
||||
Gateway = allAssignments.britway.as211024.ipv6.address;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
@@ -395,11 +395,11 @@ in
|
||||
tcp dport ssh accept
|
||||
|
||||
${matchInet "tcp dport { http, https, 8448 } accept" "middleman"}
|
||||
${matchInet "udp dport { 2456-2457 } accept" "valheim-oci"}
|
||||
|
||||
return
|
||||
}
|
||||
chain routing-udp {
|
||||
ip6 daddr ${aa.valheim-oci.internal.ipv6.address} udp dport { 2456-2457 } accept
|
||||
ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
|
||||
return
|
||||
}
|
||||
chain filter-routing {
|
||||
|
||||
@@ -7,5 +7,6 @@
|
||||
./jackflix
|
||||
./object.nix
|
||||
./toot.nix
|
||||
./waffletail.nix
|
||||
];
|
||||
}
|
||||
|
||||
100
nixos/boxes/colony/vms/shill/containers/waffletail.nix
Normal file
100
nixos/boxes/colony/vms/shill/containers/waffletail.nix
Normal file
@@ -0,0 +1,100 @@
|
||||
{ lib, ... }:
|
||||
let
|
||||
inherit (lib.my) net;
|
||||
inherit (lib.my.c.colony) domain prefixes;
|
||||
in
|
||||
{
|
||||
nixos.systems.waffletail = { config, ... }: {
|
||||
system = "x86_64-linux";
|
||||
nixpkgs = "mine";
|
||||
rendered = config.configuration.config.my.asContainer;
|
||||
|
||||
assignments = {
|
||||
internal = {
|
||||
name = "waffletail-ctr";
|
||||
inherit domain;
|
||||
ipv4.address = net.cidr.host 9 prefixes.ctrs.v4;
|
||||
ipv6 = {
|
||||
iid = "::9";
|
||||
address = net.cidr.host 9 prefixes.ctrs.v6;
|
||||
};
|
||||
};
|
||||
tailscale = with lib.my.c.tailscale; {
|
||||
ipv4 = {
|
||||
address = net.cidr.host 5 prefix.v4;
|
||||
mask = 32;
|
||||
gateway = null;
|
||||
};
|
||||
ipv6 = {
|
||||
address = net.cidr.host 5 prefix.v6;
|
||||
mask = 128;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
configuration = { lib, config, assignments, ... }:
|
||||
let
|
||||
inherit (lib) concatStringsSep mkMerge mkIf mkForce;
|
||||
inherit (lib.my) networkdAssignment;
|
||||
in
|
||||
{
|
||||
config = {
|
||||
my = {
|
||||
deploy.enable = false;
|
||||
server.enable = true;
|
||||
|
||||
secrets = {
|
||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZc88lcSQ9zzQzDITdE/T5ty++TxFQUAED7p9YfFBiR";
|
||||
files = {
|
||||
"tailscale-auth.key" = {};
|
||||
};
|
||||
};
|
||||
|
||||
firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
extraRules = ''
|
||||
table inet filter {
|
||||
chain forward {
|
||||
iifname host0 oifname tailscale0 ip saddr ${prefixes.all.v4} accept
|
||||
iifname host0 oifname tailscale0 ip6 saddr ${prefixes.all.v6} accept
|
||||
}
|
||||
}
|
||||
table inet nat {
|
||||
chain postrouting {
|
||||
iifname tailscale0 ip daddr != ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
|
||||
iifname tailscale0 ip6 daddr != ${prefixes.all.v6} snat ip6 to ${assignments.internal.ipv6.address}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
|
||||
};
|
||||
|
||||
services = {
|
||||
tailscale =
|
||||
let
|
||||
advRoutes = concatStringsSep "," (with prefixes.all; [ v4 v6 ]);
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale-auth.key".path;
|
||||
port = 41641;
|
||||
openFirewall = true;
|
||||
interfaceName = "tailscale0";
|
||||
extraUpFlags = [
|
||||
"--operator=${config.my.user.config.name}"
|
||||
"--login-server=https://ts.nul.ie"
|
||||
"--netfilter-mode=off"
|
||||
"--advertise-exit-node"
|
||||
"--advertise-routes=${advRoutes}"
|
||||
"--accept-routes=false"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -139,6 +139,16 @@ in
|
||||
ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
|
||||
}
|
||||
];
|
||||
routes = map (r: { routeConfig = r; }) [
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v4;
|
||||
Gateway = allAssignments.waffletail.internal.ipv4.address;
|
||||
}
|
||||
{
|
||||
Destination = lib.my.c.tailscale.prefix.v6;
|
||||
Gateway = allAssignments.waffletail.internal.ipv6.address;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
@@ -196,6 +206,7 @@ in
|
||||
};
|
||||
};
|
||||
toot = {};
|
||||
waffletail = {};
|
||||
};
|
||||
in
|
||||
mkMerge [
|
||||
|
||||
Reference in New Issue
Block a user