nixos/estuary: Add john-valorant

lib/constants.nix

@@ -148,6 +148,9 @@ rec {
       hillcrest = {
         v4 = subnet 6 0 p2pTunnels.v4;
       };
+      john-valorant = {
+        v4 = subnet 6 1 p2pTunnels.v4;
+      };
 
       cust = {
         v4 = subnet 8 100 all.v4; # single ip for routing only
@@ -446,6 +449,10 @@ rec {
     vpn.port = 51822;
   };
 
+  john-valorant = {
+    vpn.port = 51823;
+  };
+
   sshKeyFiles = {
     me = ../.keys/me.pub;
     deploy = ../.keys/deploy.pub;

nixos/boxes/colony/vms/estuary/default.nix

@@ -188,6 +188,25 @@ in
                     ];
                   };
                 }
+                {
+                  "30-john-valorant" = {
+                    netdevConfig = {
+                      Name = "john-valorant";
+                      Kind = "wireguard";
+                    };
+                    wireguardConfig = {
+                      PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
+                      ListenPort = lib.my.c.john-valorant.vpn.port;
+                    };
+                    wireguardPeers = [
+                      {
+                        PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
+                        AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
+                        PersistentKeepalive = 25;
+                      }
+                    ];
+                  };
+                }
               ];
 
               links = {
@@ -365,7 +384,7 @@ in
                 };
                 "95-hillcrest" = {
                   matchConfig.Name = "hillcrest";
-                  address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
+                  address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
                   routes = [
                     {
                       Destination = net.cidr.host 2 prefixes.hillcrest.v4;
@@ -373,6 +392,16 @@ in
                     }
                   ];
                 };
+                "95-john-valorant" = {
+                  matchConfig.Name = "john-valorant";
+                  address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
+                  routes = [
+                    {
+                      Destination = net.cidr.host 2 prefixes.john-valorant.v4;
+                      Scope = "link";
+                    }
+                  ];
+                };
               } ];
             };
 
@@ -386,6 +415,9 @@ in
                   "estuary/hillcrest-wg.key" = {
                     owner = "systemd-network";
                   };
+                  "estuary/john-valorant-wg.key" = {
+                    owner = "systemd-network";
+                  };
                   "l2mesh/as211024.key" = {};
                 };
               };
@@ -397,7 +429,13 @@ in
                 };
               };
               firewall = {
-                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
+                udp.allowed = [
+                  5353
+
+                  lib.my.c.kelder.vpn.port
+                  lib.my.c.hillcrest.vpn.port
+                  lib.my.c.john-valorant.vpn.port
+                ];
                 tcp.allowed = [ 5353 "bgp" ];
                 nat = {
                   enable = true;
@@ -466,7 +504,7 @@ in
                       iifname { wan, as211024, $ixps } oifname base jump filter-routing
                       oifname $ixps jump ixp
                       iifname base oifname { base, wan, $ixps } accept
-                      oifname { as211024, kelder, hillcrest } accept
+                      oifname { as211024, kelder, hillcrest, john-valorant } accept
                     }
                     chain output {
                       oifname ifog ether type != vlan reject
@@ -479,6 +517,7 @@ in
                     }
                     chain postrouting {
                       oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
+                      oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
                       ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
                     }
                   }

nixos/boxes/colony/vms/estuary/dns.nix

@@ -185,6 +185,9 @@ in
             jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
             jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
 
+            hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
+            john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
+
             $TTL 3
             _acme-challenge IN LUA TXT @@FILE@@
 

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -437,6 +437,14 @@ in
         };
         useACMEHost = pubDomain;
       };
+      "hass-john.${pubDomain}" = {
+        locations."/" = {
+          proxyPass = "http://john-valorant-tun.${domain}:8123";
+          proxyWebsockets = true;
+          extraConfig = proxyHeaders;
+        };
+        useACMEHost = pubDomain;
+      };
     };
 
     minio =

secrets/estuary/john-valorant-wg.key.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBvMndF
+M21hR3p2VmEzUm16eDEya2NtSW54SElScnQzRVhTYnhRNC9oS3dVCnFsS3ZyLyt2
+aVlsVEgySFpvKzA4cTd0ZnkwbGRHakJSL2JESU54KzFDNEkKLT4gWDI1NTE5IFQw
+cTN5bjJJVUoyckpjWnllM3piV3llM1VRSlN3Tlk4cG0yRzlTU1ZnMzQKQ2s2d0xs
+VjBjUlRkbUpHZDV0c2kwUGhUczhuVEV3ZE1WK2NxWndDQk9PWQotPiA+Oi1QYD47
+LWdyZWFzZSBFTEJWRHkzIE0oOVJTJQp2THpheXJqYmdPRlpTRXhQTkYzeGsyZ0dG
+aElRblgwWW1sT1NjZVNPUFNINXBPV1BxUldkCi0tLSBNOGhuUkNCV2NCZi9PdGxP
+WitZYTNwcDZXdGNjbDUzQkVZUEtUK2JsZTN3CrxYEwDQAvqeCckfsLUKB1ixsTF1
+rQNRYxioye5T7AZEnOrZg62qkOELmCwAD5UJt5tkNRrmHkm0JwiqNsThHX6qGnHl
+iDgytz/Hymij
+-----END AGE ENCRYPTED FILE-----