feat: migrate nfmnk to ifog, add hosthatch
This commit is contained in:
parent
4a42e3fe3c
commit
2f60cd571a
16 changed files with 656 additions and 119 deletions
|
@ -208,7 +208,7 @@ in {
|
|||
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
|
||||
# lan.ipv4Addresses = ["192.168.0.0/16"];
|
||||
wan.interfaces = ["wan" "lan0"];
|
||||
vpn.interfaces = ["wg0" "wg1"];
|
||||
vpn.interfaces = ["wg0" "wg1" "wg2"];
|
||||
}
|
||||
//
|
||||
# generate a zone for each vlan
|
||||
|
@ -367,11 +367,11 @@ in {
|
|||
systemd.network = {
|
||||
wait-online.anyInterface = true;
|
||||
netdevs = let
|
||||
router0-nmfk_wg0Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
|
||||
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
|
||||
builtins.toString
|
||||
repoFlake
|
||||
.nixosConfigurations
|
||||
.router0-nfmnk
|
||||
.router0-ifog
|
||||
.config
|
||||
.systemd
|
||||
.network
|
||||
|
@ -381,11 +381,11 @@ in {
|
|||
.ListenPort
|
||||
}";
|
||||
|
||||
router0-nmfk_wg1Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
|
||||
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
|
||||
builtins.toString
|
||||
repoFlake
|
||||
.nixosConfigurations
|
||||
.router0-nfmnk
|
||||
.router0-ifog
|
||||
.config
|
||||
.systemd
|
||||
.network
|
||||
|
@ -394,6 +394,20 @@ in {
|
|||
.wireguardConfig
|
||||
.ListenPort
|
||||
}";
|
||||
|
||||
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${
|
||||
builtins.toString
|
||||
repoFlake
|
||||
.nixosConfigurations
|
||||
.router0-hosthatch
|
||||
.config
|
||||
.systemd
|
||||
.network
|
||||
.netdevs
|
||||
.wg0
|
||||
.wireguardConfig
|
||||
.ListenPort
|
||||
}";
|
||||
in
|
||||
{
|
||||
# Create the bridge interface
|
||||
|
@ -442,7 +456,7 @@ in {
|
|||
PersistentKeepalive = 15;
|
||||
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
|
||||
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
|
||||
Endpoint = router0-nmfk_wg0Endpoint;
|
||||
Endpoint = router0-ifog_wg0Endpoint;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
@ -468,7 +482,43 @@ in {
|
|||
PersistentKeepalive = 15;
|
||||
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
|
||||
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
|
||||
Endpoint = router0-nmfk_wg1Endpoint;
|
||||
Endpoint = router0-ifog_wg1Endpoint;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
wg2 = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "wg2";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
|
||||
FirewallMark = 102;
|
||||
};
|
||||
wireguardPeers = [
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
AllowedIPs = [
|
||||
# this allows all traffic to be routed through this interface
|
||||
"0.0.0.0/0"
|
||||
|
||||
# # alternatively, specific destinations could be allowed
|
||||
|
||||
# # remote peer wg addr
|
||||
# "10.0.0.0/32"
|
||||
|
||||
# "1.1.1.1/32"
|
||||
# # ifconfig.co.
|
||||
# "172.67.168.106"
|
||||
# "104.21.54.91"
|
||||
];
|
||||
PersistentKeepalive = 15;
|
||||
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
|
||||
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
|
||||
Endpoint = router0-hosthatch_wg0Endpoint;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
@ -513,6 +563,21 @@ in {
|
|||
# ip rule add fwmark 101 priority 0 table 101
|
||||
# ip rule add fwmark 101 priority 1 prohibit
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
FirewallMark = 100;
|
||||
Priority = 30000;
|
||||
Table = 100;
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
FirewallMark = 100;
|
||||
Priority = 30001;
|
||||
Table = 100;
|
||||
Type = "prohibit";
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
FirewallMark = 101;
|
||||
|
@ -530,16 +595,16 @@ in {
|
|||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
FirewallMark = 100;
|
||||
FirewallMark = 102;
|
||||
Priority = 30000;
|
||||
Table = 100;
|
||||
Table = 102;
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
FirewallMark = 100;
|
||||
FirewallMark = 102;
|
||||
Priority = 30001;
|
||||
Table = 100;
|
||||
Table = 102;
|
||||
Type = "prohibit";
|
||||
};
|
||||
}
|
||||
|
@ -596,6 +661,12 @@ in {
|
|||
Table = 100;
|
||||
};
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "_dhcp4";
|
||||
Table = 102;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -696,7 +767,8 @@ in {
|
|||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "185.143.101.42/32";
|
||||
# test the set uprouting to a specific IP
|
||||
Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
|
||||
MultiPathRoute = "10.0.0.0 1";
|
||||
};
|
||||
}
|
||||
|
@ -711,12 +783,24 @@ in {
|
|||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "185.143.101.42/32";
|
||||
Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
|
||||
MultiPathRoute = "10.0.0.2 1";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
"50-wg2" = {
|
||||
enable = true;
|
||||
matchConfig.Name = "wg2";
|
||||
address = [
|
||||
"10.0.1.1/31"
|
||||
];
|
||||
|
||||
routes = [
|
||||
# TODO: add a testing route here
|
||||
];
|
||||
};
|
||||
}
|
||||
# configuration for the hostapd dynamic interfaces
|
||||
# * netdev type vlan
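Review bot: The new `wg2` netdev points its `PresharedKeyFile` at `config.sops.secrets.wg0-peer0-psk.path`, the same PSK as the wg0 tunnel, even though its `Endpoint` is a different remote (`router0-hosthatch_wg0Endpoint`), whereas wg1 uses its own `wg1-peer0-psk`; the wg2 definition itself runs past the end of its hunk. A WireGuard preshared key is meant to be unique per peer pair, so either the hosthatch router was provisioned with ifog's PSK (compromise of one VPS then exposes the symmetric secret of both tunnels) or the handshake will fail with nothing but `PersistentKeepalive` retries to show for it; suggest `PresharedKeyFile = builtins.toString config.sops.secrets.wg2-peer0-psk.path;` with a matching sops secret. The peer `PublicKey` on wg2 is also byte-identical to the wg0/wg1 peers; if router0-hosthatch has its own keypair this looks like a copy-paste slip, and if all routers deliberately share one identity that deserves a comment such as `# all router0-* hosts share one WireGuard keypair`. Note too that `50-wg2` ships with an empty `routes` list marked TODO, so beyond the fwmark 102 policy rules nothing is steered into the tunnel yet.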
|
||||
|
|