rexxar: add some shuffles

This commit is contained in:
Luke Granger-Brown 2024-04-04 22:51:55 +00:00
parent ed0d0fa3c8
commit 2f0f17f1fd
2 changed files with 132 additions and 12 deletions


@ -16,8 +16,11 @@
local = { local = {
routerID = "195.74.55.21"; routerID = "195.74.55.21";
}; };
export.v4 = [ ]; export.v4 = [ "92.118.28.0/22" ];
export.v6 = [ ]; export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
internal.export.v4 = [ "92.118.30.251/32" ];
internal.export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
peering = let peering = let
base = [{ base = [{
@ -29,13 +32,15 @@
}]; }];
link.velox2 = base ++ [{ link.velox2 = base ++ [{
local.v4 = "195.74.55.23"; local.v4 = "195.74.55.23";
local.v6 = "2a03:ee40:8080:9:1::2"; local.v6 = "2a03:ee40:8080:9:2::2";
}]; }];
link.linx = base ++ [{ link.linx = base ++ [{
local.v4 = "195.66.224.58"; local.v4 = "195.66.224.58";
local.v6 = "2001:7f8:4::3:22a7:1"; local.v6 = "2001:7f8:4::3:22a7:1";
remote.pref_src.v4 = "195.74.55.21"; #remote.pref_src.v4 = "195.74.55.21";
remote.pref_src.v6 = "2a03:ee40:8080:9:1::2"; #remote.pref_src.v6 = "2a03:ee40:8080:9:1::2";
remote.pref_src.v4 = "92.118.30.251";
remote.pref_src.v6 = "2a09:a442:1000::";
}]; }];
peer.velox.remote = { peer.velox.remote = {
asn = 3170; asn = 3170;
@ -52,7 +57,7 @@
}]); }]);
veloxserv2 = lib.mkMerge (link.velox2 ++ [peer.velox { veloxserv2 = lib.mkMerge (link.velox2 ++ [peer.velox {
remote.routers = [{ remote.routers = [{
enabled = false; enabled = true;
v4 = "195.74.55.22"; v4 = "195.74.55.22";
v6 = "2a03:ee40:8080:9:2::1"; v6 = "2a03:ee40:8080:9:2::1";
}]; }];
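Review bot: The two `#remote.pref_src.*` lines kept in `link.linx` on the new side are dead configuration sitting directly above the live `remote.pref_src.v4 = "92.118.30.251";` / `remote.pref_src.v6 = "2a09:a442:1000::";` settings, which invites confusion about which source is in effect; the old values are recoverable from history, so drop the commented lines. The new `export.v4`/`export.v6` announce `92.118.28.0/22` and the two /48s while `internal.export.*` carries the same /48s plus the `92.118.30.251/32` loopback, and nothing explains the difference; a one-line comment such as `# internal.export additionally carries the router loopback /32, which is not in the external export set` would spare the next reader a diff. The `peering = let` block and the surrounding attrset begin and end outside these hunks.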


@ -77,15 +77,103 @@
domain = "as205479.net"; domain = "as205479.net";
hostId = "b46c2ae9"; hostId = "b46c2ae9";
useNetworkd = true; useNetworkd = true;
}; firewall = {
systemd.network = { allowedUDPPorts = [
networks."10-enp9s0f0" = { 51821 51822 51823
matchConfig.Name = "enp9s0f0"; ];
networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
}; };
};
systemd.network = let
wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
netdevConfig = {
Name = name;
Kind = "wireguard";
Description = "WireGuard tunnel ${name}";
};
wireguardConfig = {
ListenPort = listenPort;
PrivateKeyFile = privateKey;
};
wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
}];
};
swannWireguard = args: wireguard (args // {
privateKey = config.my.vault.secrets.wg-swann-private.path;
publicKey = "XyfovUP6GUwIg15t5UWxicfxooeto/U/7nLs7Zu8HH4=";
});
cofractalWireguard = args: wireguard (args // {
privateKey = config.my.vault.secrets.wg-cofractal-ams01-private.path;
publicKey = "qKi6mWIhV2n16LGH16Iug5W+Bx4Fx7eprxCgA/1Ra1g=";
});
in {
netdevs."40-wg-swann-ee" = swannWireguard {
name = "wg-swann-ee";
listenPort = 51821;
};
netdevs."40-wg-swann-gnet" = swannWireguard {
name = "wg-swann-gnet";
listenPort = 51822;
endpoint = "185.250.189.20:51822";
};
netdevs."40-wg-cofractal" = cofractalWireguard {
name = "wg-cofractal";
listenPort = 51823;
endpoint = "[2a09:a446:1337:ffff::10]:51823";
};
networks."40-wg-swann-ee" = {
matchConfig.Name = "wg-swann-ee";
address = [
"92.118.30.3/31"
"2a09:a442::2:2/64"
];
};
networks."40-wg-swann-gnet" = {
matchConfig.Name = "wg-swann-gnet";
address = [
"92.118.30.5/31"
"2a09:a442::3:2/64"
];
};
networks."40-wg-cofractal" = {
matchConfig.Name = "wg-cofractal";
address = [
"169.254.200.0/31"
];
};
networks."10-usb0" = {
matchConfig.Name = "usb0";
address = [
"169.254.0.1/24"
# IPMI 169.254.0.17
];
};
networks."10-enp193s0f0np0" = {
matchConfig.Name = "enp193s0f0np0";
# Telia
address = [
"62.115.150.105/31"
"2001:2035:0:1f7e::2/126"
];
};
networks."10-enp193s0f1np1" = {
matchConfig.Name = "enp193s0f1np1";
networkConfig.VLAN = [ "vl-velox1" ];
};
# enp9s0f0 - previously velox copper cable 1, now enp193s0f1np1 via 10G
networks."10-enp9s0f1" = { networks."10-enp9s0f1" = {
matchConfig.Name = "enp9s0f1"; matchConfig.Name = "enp9s0f1";
networkConfig.VLAN = [ "vl-velox2" ]; networkConfig.VLAN = [ "vl-velox2" "vl-linx" ];
}; };
netdevs."20-vl-velox1" = { netdevs."20-vl-velox1" = {
netdevConfig = { netdevConfig = {
@ -173,6 +261,19 @@
IPv6SendRA = false; IPv6SendRA = false;
}; };
}; };
networks."60-lo" = {
matchConfig.Name = "lo";
addresses = [{
addressConfig.Address = "127.0.0.1/8";
addressConfig.Scope = "host";
} {
addressConfig.Address = "::1/128";
} {
addressConfig.Address = "92.118.30.251/32";
} {
addressConfig.Address = "2a09:a442:1000::/128";
}];
};
}; };
my.ip.tailscale = "100.97.110.48"; my.ip.tailscale = "100.97.110.48";
my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30"; my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
@ -227,5 +328,19 @@
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
my.vault.secrets = let
wireguardSecret = key: {
group = "systemd-network";
template = ''
{{- with secret "kv/apps/wireguard/rexxar" -}}
{{- .Data.data.${key} -}}
{{- end -}}
'';
};
in {
wg-swann-private = wireguardSecret "privateKeyToSwann";
wg-cofractal-ams01-private = wireguardSecret "privateKeyToCofractalAms01";
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }
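Review bot: Every netdev produced by the `wireguard` helper gets `AllowedIPs = [ "0.0.0.0/0" "::/0" ]`, so the WireGuard cryptokey-routing check accepts packets with any source address from each of the three peers and performs no anti-spoofing on these links; if they carry the BGP sessions configured in the first file this is presumably a deliberate transit choice, but then source filtering has to be done in the firewall or routing layer, and the config should say so. As far as I recall systemd-networkd only installs routes for AllowedIPs when `RouteTable=` is set, which it is not here, so the wide list is a filtering statement rather than a routing one, and that is not obvious from the file. Suggest a comment above the list, e.g. `# full AllowedIPs on purpose: routed point-to-point links, no source filtering at the WireGuard layer`, and narrowing to the /31 link prefixes for any tunnel that is not meant to carry transit traffic (wg-cofractal, with only `169.254.200.0/31`, looks like a candidate). The `systemd.network = let … in { … }` attrset this hunk introduces belongs to a module whose enclosing set starts before the first hunk.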