diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 25e066d950..ed6f322787 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -84,14 +84,8 @@
 "8.8.8.8"
 "8.8.4.4"
 ];
- defaultGateway = {
- address = "103.141.25.49";
- interface = "eno1";
- };
- defaultGateway6 = {
- address = "2a07:242:800:64::1";
- interface = "eno1";
- };
+ defaultGateway.address = "103.141.25.49";
+ defaultGateway6.address = "2a07:242:800:64::1";
 interfaces.eno1 = {
 ipv4.addresses = [{ address = "103.141.25.50"; prefixLength = 30; }];
 ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
@@ -101,6 +95,7 @@
 # virtual = true;
 #};
 firewall.allowedTCPPorts = [ 80 443 ];
+ firewall.allowedUDPPorts = [ 51820 ];
 firewall.extraCommands = ''
 # Flush old rules.
 ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
@@ -118,8 +113,8 @@
 ip46tables -N lukegb-forward
- # Accept from "trusted" quadv1-4 interface ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept
+ # Accept from "trusted" quadv1 interface ip46tables -A lukegb-forward -i quadv1 -j lukegb-fwd-accept
 # Accept from established/related connections.
 ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
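Review bot: The new `firewall.allowedUDPPorts = [ 51820 ];` carries no comment tying it to the quadv1 WireGuard `ListenPort = 51820;` configured later in this file, so the two numbers can drift apart silently on a future edit. Either annotate it as `firewall.allowedUDPPorts = [ 51820 ]; # quadv1 WireGuard ListenPort` or, if this module receives `config`, derive it from the option: `firewall.allowedUDPPorts = [ config.systemd.network.netdevs.quadv1.wireguardConfig.ListenPort ];`. The comment should also say the port is intentionally open on every interface because WireGuard itself drops datagrams that do not authenticate against a configured peer key, which is the property the exposure relies on.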
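Review bot: The rewritten comment `# Accept from "trusted" quadv1 interface` still does not say why quadv1 is trusted, and after this change quadv1 is a WireGuard netdev whose only peer has `AllowedIPs = "0.0.0.0/0,::/0"` (later hunk), so this FORWARD rule accepts every packet the remote peer sends regardless of source address. Replace it with `# Accept from quadv1: WireGuard tunnel to quadv; only traffic authenticated by the peer key arrives on it, so it is forwarded unfiltered` so the trust basis is explicit for the next reader. That basis rests on the private key staying secret, and the later hunk hands it to `pkgs.writeText`, which places the file in the Nix store where it is world-readable; the SSH host keys in the same file are read from under /persist, and a path outside the store would suit the WireGuard key as well. The `firewall.extraCommands` string this hunk edits begins and ends outside the hunk.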
@@ -132,6 +127,37 @@
 my.ip.tailscale = "100.99.227.112";
 my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6263:e370";
+ systemd.network.netdevs.quadv1 = {
+ netdevConfig = {
+ Name = "quadv1";
+ Kind = "wireguard";
+ };
+
+ wireguardConfig = {
+ PrivateKeyFile = pkgs.writeText "etheroute-lon01-quadv" depot.ops.secrets.wireguard.quadv1.lukegb.privateKey;
+ ListenPort = 51820;
+ RouteTable = "off";
+ };
+
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
+ AllowedIPs = "0.0.0.0/0,::/0";
+ };
+ }];
+ };
+ systemd.network.networks.quadv1 = {
+ matchConfig.Name = "quadv1";
+ networkConfig.Address = "169.254.111.0/31";
+
+ routes = [{
+ routeConfig = {
+ Gateway = "169.254.111.1";
+ Destination = "92.118.31.0/24";
+ };
+ }];
+ };
+ services.openssh.hostKeys = [ { path = "/persist/etc/ssh/ssh_host_ed25519_key";