diff --git a/lib/constants.nix b/lib/constants.nix
index 2e34d6e..7c2f425 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -148,6 +148,9 @@ rec {
 hillcrest = {
 v4 = subnet 6 0 p2pTunnels.v4;
 };
+ john-valorant = {
+ v4 = subnet 6 1 p2pTunnels.v4;
+ };
 cust = {
 v4 = subnet 8 100 all.v4; # single ip for routing only
@@ -446,6 +449,10 @@ rec {
 vpn.port = 51822;
 };
+ john-valorant = {
+ vpn.port = 51823;
+ };
+
 sshKeyFiles = {
 me = ../.keys/me.pub;
 deploy = ../.keys/deploy.pub;
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index e6ebc52..5eb13d6 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -188,6 +188,25 @@ in
 ];
 };
 }
+ {
+ "30-john-valorant" = {
+ netdevConfig = {
+ Name = "john-valorant";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
+ ListenPort = lib.my.c.john-valorant.vpn.port;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
+ AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+ }
 ];
 links = {
@@ -365,7 +384,7 @@ in
 };
 "95-hillcrest" = {
 matchConfig.Name = "hillcrest";
- address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
+ address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
 routes = [
 {
 Destination = net.cidr.host 2 prefixes.hillcrest.v4;
@@ -373,6 +392,16 @@ in
 }
 ];
 };
+ "95-john-valorant" = {
+ matchConfig.Name = "john-valorant";
+ address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
+ routes = [
+ {
+ Destination = net.cidr.host 2 prefixes.john-valorant.v4;
+ Scope = "link";
+ }
+ ];
+ };
 }
 ];
 };
@@ -386,6 +415,9 @@ in
 "estuary/hillcrest-wg.key" = {
 owner = "systemd-network";
 };
+ "estuary/john-valorant-wg.key" = {
+ owner = "systemd-network";
+ };
 "l2mesh/as211024.key" = {};
 };
 };
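Review bot: The peer `PublicKey` in the new `30-john-valorant` netdev carries no indication of which device or person it belongs to, so a later reader cannot tell whether a changed key is a legitimate rotation; a one-line comment above it such as `# public key of the remote john-valorant endpoint; update here if that device's key is rotated` would record that. Restricting `AllowedIPs` to host 2 of the tunnel prefix is the right scope for a single-host tunnel. The enclosing `netdevs` list begins before this hunk.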
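Review bot: The `/32` added to the existing `95-hillcrest` address is a fix to an interface this commit otherwise does not touch, and nothing in the hunk records why it was needed; the same form is used for the new `95-john-valorant` block, so the reason applies to both. A short comment on the address line, e.g. `# explicit /32: the peer is reached through the Scope=link route below, not an on-link prefix` (presumably the hillcrest route also uses `Scope = "link"`, as the new block does — its route lines run past the hunk), would preserve the intent, or the hillcrest change could go in its own commit so the fix is visible in history.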
@@ -397,7 +429,13 @@ in
 };
 };
 firewall = {
- udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
+ udp.allowed = [
+ 5353
+
+ lib.my.c.kelder.vpn.port
+ lib.my.c.hillcrest.vpn.port
+ lib.my.c.john-valorant.vpn.port
+ ];
 tcp.allowed = [ 5353 "bgp" ];
 nat = {
 enable = true;
@@ -466,7 +504,7 @@ in
 iifname { wan, as211024, $ixps } oifname base jump filter-routing
 oifname $ixps jump ixp
 iifname base oifname { base, wan, $ixps } accept
- oifname { as211024, kelder, hillcrest } accept
+ oifname { as211024, kelder, hillcrest, john-valorant } accept
 }
 chain output {
 oifname ifog ether type != vlan reject
@@ -479,6 +517,7 @@ in
 }
 chain postrouting {
 oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
+ oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
 ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
 }
 }
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index e195e01..1705979 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -185,6 +185,9 @@ in
 jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
 jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
+ hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
+ john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
+
 $TTL 3
 _acme-challenge IN LUA TXT @@FILE@@
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index 79e3b83..958e184 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
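Review bot: The `forward` accept that now lists `john-valorant` has no `iifname` qualifier, so any packet estuary routes toward `prefixes.john-valorant.v4` is forwarded into the tunnel whatever interface it arrived on, including `wan` or `as211024` if that prefix is ever reachable from them (whether it is is not visible here; a `p2pTunnels` range is presumably private space, which is the only thing keeping this narrow). The only consumer this diff shows is the nginx proxy reaching `john-valorant-tun` on port 8123 from the internal side, so a narrower rule such as `iifname base oifname john-valorant accept` placed above the existing line, with `john-valorant` left out of the broad set, would make the intended source explicit (assuming `base` is where that traffic enters, as the existing `iifname base` rule suggests) while leaving `kelder` and `hillcrest` as they are. The postrouting hunk below also rewrites every forwarded source to host 1 of the tunnel, so the remote end sees a single origin and cannot apply per-client filtering of its own; that is worth a comment on the snat line, e.g. `# remote side sees only the tunnel address; source-based policy must live in the forward chain`.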
@@ -437,6 +437,14 @@ in
 };
 useACMEHost = pubDomain;
 };
+ "hass-john.${pubDomain}" = {
+ locations."/" = {
+ proxyPass = "http://john-valorant-tun.${domain}:8123";
+ proxyWebsockets = true;
+ extraConfig = proxyHeaders;
+ };
+ useACMEHost = pubDomain;
+ };
 };
 minio =
diff --git a/secrets/estuary/john-valorant-wg.key.age b/secrets/estuary/john-valorant-wg.key.age
new file mode 100644
index 0000000..4cc51e7
--- /dev/null
+++ b/secrets/estuary/john-valorant-wg.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBvMndF
+M21hR3p2VmEzUm16eDEya2NtSW54SElScnQzRVhTYnhRNC9oS3dVCnFsS3ZyLyt2
+aVlsVEgySFpvKzA4cTd0ZnkwbGRHakJSL2JESU54KzFDNEkKLT4gWDI1NTE5IFQw
+cTN5bjJJVUoyckpjWnllM3piV3llM1VRSlN3Tlk4cG0yRzlTU1ZnMzQKQ2s2d0xs
+VjBjUlRkbUpHZDV0c2kwUGhUczhuVEV3ZE1WK2NxWndDQk9PWQotPiA+Oi1QYD47
+LWdyZWFzZSBFTEJWRHkzIE0oOVJTJQp2THpheXJqYmdPRlpTRXhQTkYzeGsyZ0dG
+aElRblgwWW1sT1NjZVNPUFNINXBPV1BxUldkCi0tLSBNOGhuUkNCV2NCZi9PdGxP
+WitZYTNwcDZXdGNjbDUzQkVZUEtUK2JsZTN3CrxYEwDQAvqeCckfsLUKB1ixsTF1
+rQNRYxioye5T7AZEnOrZg62qkOELmCwAD5UJt5tkNRrmHkm0JwiqNsThHX6qGnHl
+iDgytz/Hymij
+-----END AGE ENCRYPTED FILE-----
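Review bot: `"hass-john.${pubDomain}"` publishes a remote Home Assistant instance on the public domain with no restriction at the proxy, so the application's own login is the sole control, and that deserves to be stated next to the vhost. Because estuary SNATs tunnel traffic to host 1 of `prefixes.john-valorant.v4` (postrouting hunk in default.nix), every request reaches the remote host from one address; Home Assistant's per-IP login throttling can only work if its `http.use_x_forwarded_for` and `http.trusted_proxies` are set on that side and `proxyHeaders` (defined outside this hunk) forwards `X-Forwarded-For`. A comment above the block such as `# remote HA reached over the john-valorant WG tunnel (plain http inside the tunnel); HA must trust the tunnel address for X-Forwarded-For to be honoured` would capture both points for whoever next touches the remote end. The enclosing `virtualHosts` set starts before this hunk.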