ops/nixos: change shape of systemd-networkd
some repeated things have moved up
This commit is contained in:
parent
15124057c8
commit
4db9ef0543
8 changed files with 107 additions and 165 deletions
|
@ -258,24 +258,18 @@ in {
|
||||||
PrivateKeyFile = "/home/ninovpn/wg-priv";
|
PrivateKeyFile = "/home/ninovpn/wg-priv";
|
||||||
};
|
};
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = {
|
|
||||||
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
|
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
|
||||||
AllowedIPs = ["10.222.0.2/32"];
|
AllowedIPs = ["10.222.0.2/32"];
|
||||||
};
|
|
||||||
} {
|
} {
|
||||||
wireguardPeerConfig = {
|
|
||||||
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
|
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
|
||||||
AllowedIPs = ["10.222.0.3/32"];
|
AllowedIPs = ["10.222.0.3/32"];
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
systemd.network.networks."20-wg0" = {
|
systemd.network.networks."20-wg0" = {
|
||||||
matchConfig.Name = "wg0";
|
matchConfig.Name = "wg0";
|
||||||
linkConfig.RequiredForOnline = "no";
|
linkConfig.RequiredForOnline = "no";
|
||||||
addresses = [{
|
addresses = [{
|
||||||
addressConfig = {
|
|
||||||
Address = "10.222.0.1/24";
|
Address = "10.222.0.1/24";
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -191,15 +191,12 @@ in
|
||||||
PrivateKeyFile = privateKey;
|
PrivateKeyFile = privateKey;
|
||||||
};
|
};
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = lib.mkMerge [{
|
|
||||||
PublicKey = publicKey;
|
PublicKey = publicKey;
|
||||||
AllowedIPs = [
|
AllowedIPs = [
|
||||||
"0.0.0.0/0"
|
"0.0.0.0/0"
|
||||||
"::/0"
|
"::/0"
|
||||||
];
|
];
|
||||||
} (lib.mkIf (endpoint != null) {
|
|
||||||
Endpoint = endpoint;
|
Endpoint = endpoint;
|
||||||
})];
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
swannWireguard = args: wireguard (args // {
|
swannWireguard = args: wireguard (args // {
|
||||||
|
@ -253,14 +250,14 @@ in
|
||||||
networks."60-lo" = {
|
networks."60-lo" = {
|
||||||
matchConfig.Name = "lo";
|
matchConfig.Name = "lo";
|
||||||
addresses = [{
|
addresses = [{
|
||||||
addressConfig.Address = "127.0.0.1/8";
|
Address = "127.0.0.1/8";
|
||||||
addressConfig.Scope = "host";
|
Scope = "host";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "::1/128";
|
Address = "::1/128";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "92.118.30.252/32";
|
Address = "92.118.30.252/32";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "2a09:a442:2000::/128";
|
Address = "2a09:a442:2000::/128";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -19,10 +19,10 @@
|
||||||
"fe80::f00f/64"
|
"fe80::f00f/64"
|
||||||
];
|
];
|
||||||
networkConfig.IPv6SendRA = true;
|
networkConfig.IPv6SendRA = true;
|
||||||
ipv6Prefixes = [{ ipv6PrefixConfig = {
|
ipv6Prefixes = [{
|
||||||
Prefix = "2a09:a441:0:ffff::/64";
|
Prefix = "2a09:a441:0:ffff::/64";
|
||||||
Assign = true;
|
Assign = true;
|
||||||
}; }];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.netdevs."40-br-mgmt" = {
|
systemd.network.netdevs."40-br-mgmt" = {
|
||||||
|
|
|
@ -152,10 +152,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = {
|
|
||||||
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
|
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
|
||||||
AllowedIPs = "0.0.0.0/0,::/0";
|
AllowedIPs = "0.0.0.0/0,::/0";
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
systemd.network.networks.quadv1 = {
|
systemd.network.networks.quadv1 = {
|
||||||
|
@ -163,10 +161,8 @@
|
||||||
networkConfig.Address = "169.254.111.0/31";
|
networkConfig.Address = "169.254.111.0/31";
|
||||||
|
|
||||||
routes = [{
|
routes = [{
|
||||||
routeConfig = {
|
|
||||||
Gateway = "169.254.111.1";
|
Gateway = "169.254.111.1";
|
||||||
Destination = "92.118.31.0/24";
|
Destination = "92.118.31.0/24";
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -87,14 +87,10 @@ in
|
||||||
IPv6SendRA = true;
|
IPv6SendRA = true;
|
||||||
};
|
};
|
||||||
ipv6Prefixes = [{
|
ipv6Prefixes = [{
|
||||||
ipv6PrefixConfig = {
|
|
||||||
Prefix = "2a09:a443:ee::/64";
|
Prefix = "2a09:a443:ee::/64";
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
ipv6RoutePrefixes = [{
|
ipv6RoutePrefixes = [{
|
||||||
ipv6RoutePrefixConfig = {
|
|
||||||
Route = "::/0";
|
Route = "::/0";
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
dhcpServerConfig = {
|
dhcpServerConfig = {
|
||||||
PoolOffset = 100;
|
PoolOffset = 100;
|
||||||
|
|
|
@ -49,11 +49,9 @@
|
||||||
RouteMetric = 512;
|
RouteMetric = 512;
|
||||||
};
|
};
|
||||||
routes = [{
|
routes = [{
|
||||||
routeConfig = {
|
|
||||||
Gateway = "10.0.0.1";
|
Gateway = "10.0.0.1";
|
||||||
Destination = "0.0.0.0/0";
|
Destination = "0.0.0.0/0";
|
||||||
Metric = 512;
|
Metric = 512;
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -95,15 +95,12 @@
|
||||||
PrivateKeyFile = privateKey;
|
PrivateKeyFile = privateKey;
|
||||||
};
|
};
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = lib.mkMerge [{
|
|
||||||
PublicKey = publicKey;
|
PublicKey = publicKey;
|
||||||
AllowedIPs = [
|
AllowedIPs = [
|
||||||
"0.0.0.0/0"
|
"0.0.0.0/0"
|
||||||
"::/0"
|
"::/0"
|
||||||
];
|
];
|
||||||
} (lib.mkIf (endpoint != null) {
|
|
||||||
Endpoint = endpoint;
|
Endpoint = endpoint;
|
||||||
})];
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
swannWireguard = args: wireguard (args // {
|
swannWireguard = args: wireguard (args // {
|
||||||
|
@ -199,11 +196,11 @@
|
||||||
"1.1.1.1"
|
"1.1.1.1"
|
||||||
];
|
];
|
||||||
networkConfig.DNSDefaultRoute = true;
|
networkConfig.DNSDefaultRoute = true;
|
||||||
routes = [{ routeConfig = {
|
routes = [{
|
||||||
Gateway = "195.74.55.20";
|
Gateway = "195.74.55.20";
|
||||||
}; } { routeConfig = {
|
} {
|
||||||
Gateway = "2a03:ee40:8080:9:1::1";
|
Gateway = "2a03:ee40:8080:9:1::1";
|
||||||
}; }];
|
}];
|
||||||
};
|
};
|
||||||
netdevs."20-vl-velox2" = {
|
netdevs."20-vl-velox2" = {
|
||||||
netdevConfig = {
|
netdevConfig = {
|
||||||
|
@ -229,11 +226,11 @@
|
||||||
"1.1.1.1"
|
"1.1.1.1"
|
||||||
];
|
];
|
||||||
networkConfig.DNSDefaultRoute = true;
|
networkConfig.DNSDefaultRoute = true;
|
||||||
routes = [{ routeConfig = {
|
routes = [{
|
||||||
Gateway = "195.74.55.22";
|
Gateway = "195.74.55.22";
|
||||||
}; } { routeConfig = {
|
} {
|
||||||
Gateway = "2a03:ee40:8080:9:2::1";
|
Gateway = "2a03:ee40:8080:9:2::1";
|
||||||
}; }];
|
}];
|
||||||
};
|
};
|
||||||
netdevs."20-vl-linx" = {
|
netdevs."20-vl-linx" = {
|
||||||
netdevConfig = {
|
netdevConfig = {
|
||||||
|
@ -264,14 +261,14 @@
|
||||||
networks."60-lo" = {
|
networks."60-lo" = {
|
||||||
matchConfig.Name = "lo";
|
matchConfig.Name = "lo";
|
||||||
addresses = [{
|
addresses = [{
|
||||||
addressConfig.Address = "127.0.0.1/8";
|
Address = "127.0.0.1/8";
|
||||||
addressConfig.Scope = "host";
|
Scope = "host";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "::1/128";
|
Address = "::1/128";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "92.118.30.251/32";
|
Address = "92.118.30.251/32";
|
||||||
} {
|
} {
|
||||||
addressConfig.Address = "2a09:a442:1000::/128";
|
Address = "2a09:a442:1000::/128";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -102,12 +102,10 @@ in {
|
||||||
dhcpV4Config.RouteTable = rtID;
|
dhcpV4Config.RouteTable = rtID;
|
||||||
ipv6AcceptRAConfig.RouteTable = rtID;
|
ipv6AcceptRAConfig.RouteTable = rtID;
|
||||||
routingPolicyRules = [{
|
routingPolicyRules = [{
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both";
|
Family = "both";
|
||||||
FirewallMark = hexToInt wireguardFwmark;
|
FirewallMark = hexToInt wireguardFwmark;
|
||||||
Priority = 10000;
|
Priority = 10000;
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}] ++ extraRules;
|
}] ++ extraRules;
|
||||||
};
|
};
|
||||||
wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: {
|
wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: {
|
||||||
|
@ -124,29 +122,21 @@ in {
|
||||||
"${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}";
|
"${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}";
|
||||||
in [
|
in [
|
||||||
{
|
{
|
||||||
routeConfig = {
|
|
||||||
Destination = "${v4Linknet}/31";
|
Destination = "${v4Linknet}/31";
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
routeConfig = {
|
|
||||||
Gateway = replaceV4Octet v4Linknet (n: n + 1);
|
Gateway = replaceV4Octet v4Linknet (n: n + 1);
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
routeConfig = {
|
|
||||||
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
|
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
routeConfig = {
|
|
||||||
Gateway = replaceV6Octet v6Linknet (n: n + 1);
|
Gateway = replaceV6Octet v6Linknet (n: n + 1);
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -162,32 +152,26 @@ in {
|
||||||
|
|
||||||
# Allow picking destination by source IP.
|
# Allow picking destination by source IP.
|
||||||
{
|
{
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "ipv4";
|
Family = "ipv4";
|
||||||
From = v4Linknet;
|
From = v4Linknet;
|
||||||
Priority = 10010;
|
Priority = 10010;
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "ipv6";
|
Family = "ipv6";
|
||||||
From = v6Linknet;
|
From = v6Linknet;
|
||||||
Priority = 10010;
|
Priority = 10010;
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
tailscaleRule = priority: table: {
|
tailscaleRule = priority: table: {
|
||||||
# Route Tailscale (fwmark 0x80000) via Wireguard first.
|
# Route Tailscale (fwmark 0x80000) via Wireguard first.
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both";
|
Family = "both";
|
||||||
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
|
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
|
||||||
Priority = priority;
|
Priority = priority;
|
||||||
Table = table;
|
Table = table;
|
||||||
};
|
};
|
||||||
};
|
|
||||||
in let
|
in let
|
||||||
routeTables = {
|
routeTables = {
|
||||||
bgp = 150;
|
bgp = 150;
|
||||||
|
@ -240,20 +224,16 @@ in {
|
||||||
networks."40-lo" = {
|
networks."40-lo" = {
|
||||||
routingPolicyRules = let
|
routingPolicyRules = let
|
||||||
viaMain = priority: to: {
|
viaMain = priority: to: {
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
To = to;
|
To = to;
|
||||||
Table = "main";
|
Table = "main";
|
||||||
Priority = priority;
|
Priority = priority;
|
||||||
};
|
};
|
||||||
};
|
|
||||||
blackhole = fwmark: {
|
blackhole = fwmark: {
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both";
|
Family = "both";
|
||||||
FirewallMark = hexToInt fwmark;
|
FirewallMark = hexToInt fwmark;
|
||||||
Priority = 10001;
|
Priority = 10001;
|
||||||
Type = "unreachable";
|
Type = "unreachable";
|
||||||
};
|
};
|
||||||
};
|
|
||||||
in [
|
in [
|
||||||
(tailscaleRule 5000 150)
|
(tailscaleRule 5000 150)
|
||||||
|
|
||||||
|
@ -274,50 +254,38 @@ in {
|
||||||
|
|
||||||
{
|
{
|
||||||
# Catch-all "go via WG"
|
# Catch-all "go via WG"
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both";
|
Family = "both";
|
||||||
Priority = 10080;
|
Priority = 10080;
|
||||||
Table = routeTables.bgp;
|
Table = routeTables.bgp;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
|
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
# add-on.ee.co.uk goes via EE.
|
# add-on.ee.co.uk goes via EE.
|
||||||
To = "82.192.97.153/32";
|
To = "82.192.97.153/32";
|
||||||
Table = routeTables.ee;
|
Table = routeTables.ee;
|
||||||
Priority = 10031;
|
Priority = 10031;
|
||||||
};
|
|
||||||
} {
|
} {
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
# as does anything from 10.42.0.0/24.
|
# as does anything from 10.42.0.0/24.
|
||||||
From = "10.42.0.0/24";
|
From = "10.42.0.0/24";
|
||||||
Table = routeTables.ee;
|
Table = routeTables.ee;
|
||||||
Priority = 10031;
|
Priority = 10031;
|
||||||
};
|
|
||||||
}]) // {
|
}]) // {
|
||||||
linkConfig.RequiredForOnline = "no";
|
linkConfig.RequiredForOnline = "no";
|
||||||
routes = [{
|
routes = [{
|
||||||
routeConfig = {
|
|
||||||
Gateway = "10.42.0.1";
|
Gateway = "10.42.0.1";
|
||||||
Destination = "0.0.0.0/0";
|
Destination = "0.0.0.0/0";
|
||||||
Table = routeTables.ee;
|
Table = routeTables.ee;
|
||||||
};
|
|
||||||
} {
|
} {
|
||||||
routeConfig = {
|
|
||||||
Destination = "10.42.0.0/24";
|
Destination = "10.42.0.0/24";
|
||||||
Table = routeTables.ee;
|
Table = routeTables.ee;
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{
|
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{
|
||||||
# Catch-all mop-up rule at the end.
|
# Catch-all mop-up rule at the end.
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both";
|
Family = "both";
|
||||||
Priority = 32768;
|
Priority = 32768;
|
||||||
Table = routeTables.gnet;
|
Table = routeTables.gnet;
|
||||||
};
|
|
||||||
}]);
|
}]);
|
||||||
networks."40-br-internal" = {
|
networks."40-br-internal" = {
|
||||||
networkConfig.VLAN = [ "vl-eduroam" ];
|
networkConfig.VLAN = [ "vl-eduroam" ];
|
||||||
|
@ -345,14 +313,12 @@ in {
|
||||||
RouteTable = "off";
|
RouteTable = "off";
|
||||||
};
|
};
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = {
|
|
||||||
Endpoint = endpoint;
|
Endpoint = endpoint;
|
||||||
PublicKey = publicKey;
|
PublicKey = publicKey;
|
||||||
AllowedIPs = [
|
AllowedIPs = [
|
||||||
"0.0.0.0/0"
|
"0.0.0.0/0"
|
||||||
"::/0"
|
"::/0"
|
||||||
];
|
];
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
rexxarWireguard = args: wireguard (args // {
|
rexxarWireguard = args: wireguard (args // {
|
||||||
|
@ -403,7 +369,6 @@ in {
|
||||||
FirewallMark = hexToInt "0xcafe"; # over gnet
|
FirewallMark = hexToInt "0xcafe"; # over gnet
|
||||||
};
|
};
|
||||||
wireguardPeers = [{
|
wireguardPeers = [{
|
||||||
wireguardPeerConfig = {
|
|
||||||
Endpoint = "shenfield-mythic.i.eta.st:51825";
|
Endpoint = "shenfield-mythic.i.eta.st:51825";
|
||||||
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
|
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
|
||||||
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
|
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
|
||||||
|
@ -411,7 +376,6 @@ in {
|
||||||
"0.0.0.0/0"
|
"0.0.0.0/0"
|
||||||
"::/0"
|
"::/0"
|
||||||
];
|
];
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
"20-br-internal" = {
|
"20-br-internal" = {
|
||||||
|
|
Loading…
Reference in a new issue