From 0fd44c31c151840688573eca63f20253c94692cc Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 24 Mar 2024 23:25:15 +0000 Subject: [PATCH] cofractal-ams01: set up network bridge --- ops/nixos/cofractal-ams01/default.nix | 5 ++- ops/nixos/cofractal-ams01/vm-bridge.nix | 27 ++++++++++++ ops/nixos/cofractal-ams01/vxlan-bridge.nix | 49 ++++++++++++++++++++++ 3 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 ops/nixos/cofractal-ams01/vm-bridge.nix create mode 100644 ops/nixos/cofractal-ams01/vxlan-bridge.nix diff --git a/ops/nixos/cofractal-ams01/default.nix b/ops/nixos/cofractal-ams01/default.nix index be1f5aeaa2..9dc0ec06c7 100644 --- a/ops/nixos/cofractal-ams01/default.nix +++ b/ops/nixos/cofractal-ams01/default.nix @@ -65,6 +65,8 @@ in ../lib/coredns/default.nix ../lib/deluge.nix ../lib/plex.nix + ./vm-bridge.nix + ./vxlan-bridge.nix ]; my.plex.customTLS = { @@ -219,6 +221,7 @@ in in [ (bindMountSvc "/var/lib/tailscale" "tailscaled.service") (bindMountSvc "/var/lib/private/factorio" "factorio.service") + (bindMountSvc "/var/lib/libvirt" "libvirt.service") ]; services.lukegbgp = let @@ -274,8 +277,8 @@ in game-name = "Briefcase Full of Bees"; mods = depot.nix.pkgs.factorio-mods._all; mods-dat = ./mod-settings.dat; + admins = ["lukegb"]; extraSettings = { - admins = ["lukegb"]; auto_pause = true; only_admins_can_pause_the_game = false; game_password = depot.ops.secrets.factorioServerPassword; diff --git a/ops/nixos/cofractal-ams01/vm-bridge.nix b/ops/nixos/cofractal-ams01/vm-bridge.nix new file mode 100644 index 0000000000..c0e278b18c --- /dev/null +++ b/ops/nixos/cofractal-ams01/vm-bridge.nix @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2024 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ depot, lib, pkgs, config, ... }: + +{ + systemd.network.netdevs."40-br-public" = { + netdevConfig = { + Name = "br-public"; + Kind = "bridge"; + }; + }; + systemd.network.networks."40-br-public" = { + matchConfig.Name = "br-public"; + }; + + systemd.network.netdevs."40-br-mgmt" = { + netdevConfig = { + Name = "br-mgmt"; + Kind = "bridge"; + }; + }; + systemd.network.networks."40-br-mgmt" = { + matchConfig.Name = "br-mgmt"; + }; +} diff --git a/ops/nixos/cofractal-ams01/vxlan-bridge.nix b/ops/nixos/cofractal-ams01/vxlan-bridge.nix new file mode 100644 index 0000000000..70b94d201b --- /dev/null +++ b/ops/nixos/cofractal-ams01/vxlan-bridge.nix @@ -0,0 +1,49 @@ +# SPDX-FileCopyrightText: 2024 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ depot, lib, pkgs, config, ... }: + +{ + imports = [ ./vm-bridge.nix ]; + + systemd.network.netdevs."40-vx-public" = { + netdevConfig = { + Name = "vx-public"; + Kind = "vxlan"; + }; + vxlanConfig = { + VNI = 100; + Remote = "2a09:a441:0:ffff::1"; + Local = "2a09:a446:1337:ffff::10"; + DestinationPort = 4789; + }; + }; + systemd.network.networks."40-vx-public" = { + matchConfig.Name = "vx-public"; + networkConfig.Bridge = "br-public"; + }; + + systemd.network.netdevs."40-vx-mgmt" = { + netdevConfig = { + Name = "vx-mgmt"; + Kind = "vxlan"; + }; + vxlanConfig = { + VNI = 101; + Remote = "2a09:a441:0:ffff::1"; + Local = "2a09:a446:1337:ffff::10"; + DestinationPort = 4789; + }; + }; + systemd.network.networks."40-vx-mgmt" = { + matchConfig.Name = "vx-mgmt"; + networkConfig.Bridge = "br-mgmt"; + }; + + networking.firewall.extraCommands = '' + ip6tables -I nixos-fw -p udp --src 2a09:a441:0:ffff::1 --dst 2a09:a446:1337:ffff::10 --dport 4789 -j ACCEPT + ''; + + systemd.network.networks."40-bond0".networkConfig.VXLAN = [ "vx-public" "vx-mgmt" ]; +}