etheroute-lon01: GRE->Wireguard
This commit is contained in:
parent
1c4530988d
commit
551c4f27ad
1 changed files with 36 additions and 10 deletions
|
@ -84,14 +84,8 @@
|
||||||
"8.8.8.8"
|
"8.8.8.8"
|
||||||
"8.8.4.4"
|
"8.8.4.4"
|
||||||
];
|
];
|
||||||
defaultGateway = {
|
defaultGateway.address = "103.141.25.49";
|
||||||
address = "103.141.25.49";
|
defaultGateway6.address = "2a07:242:800:64::1";
|
||||||
interface = "eno1";
|
|
||||||
};
|
|
||||||
defaultGateway6 = {
|
|
||||||
address = "2a07:242:800:64::1";
|
|
||||||
interface = "eno1";
|
|
||||||
};
|
|
||||||
interfaces.eno1 = {
|
interfaces.eno1 = {
|
||||||
ipv4.addresses = [{ address = "103.141.25.50"; prefixLength = 30; }];
|
ipv4.addresses = [{ address = "103.141.25.50"; prefixLength = 30; }];
|
||||||
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
|
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
|
||||||
|
@ -101,6 +95,7 @@
|
||||||
# virtual = true;
|
# virtual = true;
|
||||||
#};
|
#};
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
firewall.allowedUDPPorts = [ 51820 ];
|
||||||
firewall.extraCommands = ''
|
firewall.extraCommands = ''
|
||||||
# Flush old rules.
|
# Flush old rules.
|
||||||
ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
|
ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
|
||||||
|
@ -118,8 +113,8 @@
|
||||||
|
|
||||||
ip46tables -N lukegb-forward
|
ip46tables -N lukegb-forward
|
||||||
|
|
||||||
# Accept from "trusted" quadv1-4 interface
|
# Accept from "trusted" quadv1 interface
|
||||||
ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept
|
ip46tables -A lukegb-forward -i quadv1 -j lukegb-fwd-accept
|
||||||
|
|
||||||
# Accept from established/related connections.
|
# Accept from established/related connections.
|
||||||
ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
|
ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
|
||||||
|
@ -132,6 +127,37 @@
|
||||||
my.ip.tailscale = "100.99.227.112";
|
my.ip.tailscale = "100.99.227.112";
|
||||||
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6263:e370";
|
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6263:e370";
|
||||||
|
|
||||||
|
systemd.network.netdevs.quadv1 = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "quadv1";
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardConfig = {
|
||||||
|
PrivateKeyFile = pkgs.writeText "etheroute-lon01-quadv" depot.ops.secrets.wireguard.quadv1.lukegb.privateKey;
|
||||||
|
ListenPort = 51820;
|
||||||
|
RouteTable = "off";
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardPeers = [{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
|
||||||
|
AllowedIPs = "0.0.0.0/0,::/0";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
systemd.network.networks.quadv1 = {
|
||||||
|
matchConfig.Name = "quadv1";
|
||||||
|
networkConfig.Address = "169.254.111.0/31";
|
||||||
|
|
||||||
|
routes = [{
|
||||||
|
routeConfig = {
|
||||||
|
Gateway = "169.254.111.1";
|
||||||
|
Destination = "92.118.31.0/24";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
services.openssh.hostKeys = [
|
services.openssh.hostKeys = [
|
||||||
{
|
{
|
||||||
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||||
|
|
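Review bot: `PrivateKeyFile = pkgs.writeText "etheroute-lon01-quadv" …privateKey` in the new quadv1 netdev writes the WireGuard private key into the Nix store, where the resulting file is world-readable on the host and is carried along by any store copy or binary-cache push, so every local user (and anything with store access) can read the tunnel key. Point `PrivateKeyFile` at a file kept outside the store and deployed out of band, e.g. `PrivateKeyFile = "<path outside /nix/store>";`, owned root:systemd-network with mode 0640 so systemd-networkd can read it; the `/persist/etc/ssh/ssh_host_ed25519_key` line further down shows this host already keeps such material on a persistent volume. Because this commit has already placed the key in the store, it should be treated as exposed and rotated on both ends once the file is moved. The peer is also given `AllowedIPs = "0.0.0.0/0,::/0"` and the forward chain accepts everything via `-i quadv1 -j lukegb-fwd-accept`, so the tunnel is fully trusted; that matches the GRE setup it replaces, but a comment above the netdev such as `# quadv1 is a trusted transit link: all forwarded traffic from it is accepted` would make that assumption explicit for the next reader.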