rexxar: add some shuffles
This commit is contained in:
parent
ed0d0fa3c8
commit
2f0f17f1fd
2 changed files with 132 additions and 12 deletions
|
@ -16,8 +16,11 @@
|
|||
local = {
|
||||
routerID = "195.74.55.21";
|
||||
};
|
||||
export.v4 = [ ];
|
||||
export.v6 = [ ];
|
||||
export.v4 = [ "92.118.28.0/22" ];
|
||||
export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
|
||||
|
||||
internal.export.v4 = [ "92.118.30.251/32" ];
|
||||
internal.export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
|
||||
|
||||
peering = let
|
||||
base = [{
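Review bot: `internal.export.v6` repeats exactly the two prefixes of `export.v6`, while the v4 pair deliberately differs (the /22 upstream vs the /32 loopback), and nothing on the new lines says whether the v6 duplication is intended or just a copy. A one-line comment would stop the two lists drifting apart, e.g. `# v6 loopback (2a09:a442:1000::/128) sits inside the /48, so internal peers get the same covering prefixes as upstream`. The enclosing attribute set begins before this hunk.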
|
||||
|
@ -29,13 +32,15 @@
|
|||
}];
|
||||
link.velox2 = base ++ [{
|
||||
local.v4 = "195.74.55.23";
|
||||
local.v6 = "2a03:ee40:8080:9:1::2";
|
||||
local.v6 = "2a03:ee40:8080:9:2::2";
|
||||
}];
|
||||
link.linx = base ++ [{
|
||||
local.v4 = "195.66.224.58";
|
||||
local.v6 = "2001:7f8:4::3:22a7:1";
|
||||
remote.pref_src.v4 = "195.74.55.21";
|
||||
remote.pref_src.v6 = "2a03:ee40:8080:9:1::2";
|
||||
#remote.pref_src.v4 = "195.74.55.21";
|
||||
#remote.pref_src.v6 = "2a03:ee40:8080:9:1::2";
|
||||
remote.pref_src.v4 = "92.118.30.251";
|
||||
remote.pref_src.v6 = "2a09:a442:1000::";
|
||||
}];
|
||||
peer.velox.remote = {
|
||||
asn = 3170;
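Review bot: The two commented-out `#remote.pref_src.v4`/`#remote.pref_src.v6` lines in `link.linx` keep the old values as dead text right above their replacements; the history is already in the commit, so drop both lines and keep only the live `remote.pref_src.v4 = "92.118.30.251";` and `remote.pref_src.v6 = "2a09:a442:1000::";`. If the old values are meant as a fallback, a short comment saying so is clearer than parked code. The enclosing `peering = let` starts before this hunk.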
|
||||
|
@ -52,7 +57,7 @@
|
|||
}]);
|
||||
veloxserv2 = lib.mkMerge (link.velox2 ++ [peer.velox {
|
||||
remote.routers = [{
|
||||
enabled = false;
|
||||
enabled = true;
|
||||
v4 = "195.74.55.22";
|
||||
v6 = "2a03:ee40:8080:9:2::1";
|
||||
}];
|
||||
|
|
|
@ -77,15 +77,103 @@
|
|||
domain = "as205479.net";
|
||||
hostId = "b46c2ae9";
|
||||
useNetworkd = true;
|
||||
};
|
||||
systemd.network = {
|
||||
networks."10-enp9s0f0" = {
|
||||
matchConfig.Name = "enp9s0f0";
|
||||
networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
|
||||
firewall = {
|
||||
allowedUDPPorts = [
|
||||
51821 51822 51823
|
||||
];
|
||||
};
|
||||
};
|
||||
systemd.network = let
|
||||
wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
|
||||
netdevConfig = {
|
||||
Name = name;
|
||||
Kind = "wireguard";
|
||||
Description = "WireGuard tunnel ${name}";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = listenPort;
|
||||
PrivateKeyFile = privateKey;
|
||||
};
|
||||
wireguardPeers = [{
|
||||
wireguardPeerConfig = lib.mkMerge [{
|
||||
PublicKey = publicKey;
|
||||
AllowedIPs = [
|
||||
"0.0.0.0/0"
|
||||
"::/0"
|
||||
];
|
||||
} (lib.mkIf (endpoint != null) {
|
||||
Endpoint = endpoint;
|
||||
})];
|
||||
}];
|
||||
};
|
||||
swannWireguard = args: wireguard (args // {
|
||||
privateKey = config.my.vault.secrets.wg-swann-private.path;
|
||||
publicKey = "XyfovUP6GUwIg15t5UWxicfxooeto/U/7nLs7Zu8HH4=";
|
||||
});
|
||||
cofractalWireguard = args: wireguard (args // {
|
||||
privateKey = config.my.vault.secrets.wg-cofractal-ams01-private.path;
|
||||
publicKey = "qKi6mWIhV2n16LGH16Iug5W+Bx4Fx7eprxCgA/1Ra1g=";
|
||||
});
|
||||
in {
|
||||
netdevs."40-wg-swann-ee" = swannWireguard {
|
||||
name = "wg-swann-ee";
|
||||
listenPort = 51821;
|
||||
};
|
||||
netdevs."40-wg-swann-gnet" = swannWireguard {
|
||||
name = "wg-swann-gnet";
|
||||
listenPort = 51822;
|
||||
endpoint = "185.250.189.20:51822";
|
||||
};
|
||||
netdevs."40-wg-cofractal" = cofractalWireguard {
|
||||
name = "wg-cofractal";
|
||||
listenPort = 51823;
|
||||
endpoint = "[2a09:a446:1337:ffff::10]:51823";
|
||||
};
|
||||
|
||||
networks."40-wg-swann-ee" = {
|
||||
matchConfig.Name = "wg-swann-ee";
|
||||
address = [
|
||||
"92.118.30.3/31"
|
||||
"2a09:a442::2:2/64"
|
||||
];
|
||||
};
|
||||
networks."40-wg-swann-gnet" = {
|
||||
matchConfig.Name = "wg-swann-gnet";
|
||||
address = [
|
||||
"92.118.30.5/31"
|
||||
"2a09:a442::3:2/64"
|
||||
];
|
||||
};
|
||||
networks."40-wg-cofractal" = {
|
||||
matchConfig.Name = "wg-cofractal";
|
||||
address = [
|
||||
"169.254.200.0/31"
|
||||
];
|
||||
};
|
||||
|
||||
networks."10-usb0" = {
|
||||
matchConfig.Name = "usb0";
|
||||
address = [
|
||||
"169.254.0.1/24"
|
||||
# IPMI 169.254.0.17
|
||||
];
|
||||
};
|
||||
networks."10-enp193s0f0np0" = {
|
||||
matchConfig.Name = "enp193s0f0np0";
|
||||
# Telia
|
||||
address = [
|
||||
"62.115.150.105/31"
|
||||
"2001:2035:0:1f7e::2/126"
|
||||
];
|
||||
};
|
||||
networks."10-enp193s0f1np1" = {
|
||||
matchConfig.Name = "enp193s0f1np1";
|
||||
networkConfig.VLAN = [ "vl-velox1" ];
|
||||
};
|
||||
# enp9s0f0 - previously velox copper cable 1, now enp193s0f1np1 via 10G
|
||||
networks."10-enp9s0f1" = {
|
||||
matchConfig.Name = "enp9s0f1";
|
||||
networkConfig.VLAN = [ "vl-velox2" ];
|
||||
networkConfig.VLAN = [ "vl-velox2" "vl-linx" ];
|
||||
};
|
||||
netdevs."20-vl-velox1" = {
|
||||
netdevConfig = {
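Review bot: `firewall.allowedUDPPorts = [ 51821 51822 51823 ]` hand-copies the three `listenPort` values used for the `netdevs."40-wg-*"` entries below, so adding or renumbering a tunnel silently leaves the firewall out of step; derive the list instead, e.g. `allowedUDPPorts = lib.mapAttrsToList (_: n: n.wireguardConfig.ListenPort) (lib.filterAttrs (_: n: n.netdevConfig.Kind == "wireguard") config.systemd.network.netdevs);` (assuming nothing in `systemd.network` depends on the firewall options, which would create an evaluation cycle). Separately, every peer gets `AllowedIPs = [ "0.0.0.0/0" "::/0" ]`, which means each tunnel partner may source any address through the tunnel; that is presumably intended because routing comes from BGP and no `RouteTable` is set, so a comment such as `# any source allowed: routes are learned via BGP, networkd installs none for AllowedIPs` would record the reasoning. The hunk ends inside the `in { … }` body of `systemd.network`.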
|
||||
|
@ -173,6 +261,19 @@
|
|||
IPv6SendRA = false;
|
||||
};
|
||||
};
|
||||
networks."60-lo" = {
|
||||
matchConfig.Name = "lo";
|
||||
addresses = [{
|
||||
addressConfig.Address = "127.0.0.1/8";
|
||||
addressConfig.Scope = "host";
|
||||
} {
|
||||
addressConfig.Address = "::1/128";
|
||||
} {
|
||||
addressConfig.Address = "92.118.30.251/32";
|
||||
} {
|
||||
addressConfig.Address = "2a09:a442:1000::/128";
|
||||
}];
|
||||
};
|
||||
};
|
||||
my.ip.tailscale = "100.97.110.48";
|
||||
my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
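Review bot: The new `networks."60-lo"` block hard-codes `92.118.30.251/32` and `2a09:a442:1000::/128`, the same addresses typed again by hand as `remote.pref_src` and `internal.export.v4` in the other file of this commit, with no comment linking them. Add a note above the block, e.g. `# router loopback addresses; also used as pref_src on link.linx and announced via internal.export`, so a future renumbering touches all places. Also, only `127.0.0.1/8` carries `addressConfig.Scope = "host"`; if the remaining three entries need no extra config they could use the shorter `address = [ … ]` form the other networks in this file use, which would make the host-scope exception stand out.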
|
||||
|
@ -227,5 +328,19 @@
|
|||
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
|
||||
my.vault.secrets = let
|
||||
wireguardSecret = key: {
|
||||
group = "systemd-network";
|
||||
template = ''
|
||||
{{- with secret "kv/apps/wireguard/rexxar" -}}
|
||||
{{- .Data.data.${key} -}}
|
||||
{{- end -}}
|
||||
'';
|
||||
};
|
||||
in {
|
||||
wg-swann-private = wireguardSecret "privateKeyToSwann";
|
||||
wg-cofractal-ams01-private = wireguardSecret "privateKeyToCofractalAms01";
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
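Review bot: `wireguardSecret` sets `group = "systemd-network"` but says nothing about the file mode, so the WireGuard private keys rendered from `kv/apps/wireguard/rexxar` get whatever `my.vault.secrets` defaults to. If that module exposes a mode option, pin it explicitly (group-readable only, no world bits) rather than relying on the default; either way a comment such as `# private key material read by systemd-networkd via PrivateKeyFile; must not be world-readable` documents the requirement next to the template. The `${key}` interpolation is a Nix one inside the `''` string and is resolved before Vault sees the template, which is worth a one-line comment since it sits among Go-template braces.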
|
||||
|
|