swann: add wg-eta
This commit is contained in:
parent
0471d22092
commit
6f11983d75
1 changed files with 115 additions and 2 deletions
|
@ -140,7 +140,7 @@ in {
|
||||||
|
|
||||||
{
|
{
|
||||||
routeConfig = {
|
routeConfig = {
|
||||||
Destination = "${replaceV6Octet v6Linknet (n: n - 1)}/112";
|
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
|
||||||
Table = rtID;
|
Table = rtID;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -195,6 +195,7 @@ in {
|
||||||
bgp = 150;
|
bgp = 150;
|
||||||
wg-ee = 152;
|
wg-ee = 152;
|
||||||
wg-gnet = 153;
|
wg-gnet = 153;
|
||||||
|
wg-eta = 160;
|
||||||
ee = 201;
|
ee = 201;
|
||||||
gnet = 203;
|
gnet = 203;
|
||||||
};
|
};
|
||||||
|
@ -215,6 +216,13 @@ in {
|
||||||
v4Linknet = "92.118.30.4";
|
v4Linknet = "92.118.30.4";
|
||||||
v6Linknet = "2a09:a442::3:1";
|
v6Linknet = "2a09:a442::3:1";
|
||||||
};
|
};
|
||||||
|
networks."50-wg-eta" = wireguardNetwork {
|
||||||
|
linkName = "wg-eta";
|
||||||
|
relativePriority = 10;
|
||||||
|
rtID = routeTables.wg-eta;
|
||||||
|
v4Linknet = "169.254.2.1";
|
||||||
|
v6Linknet = "fe80:1234::b";
|
||||||
|
};
|
||||||
networks."40-lo" = {
|
networks."40-lo" = {
|
||||||
routingPolicyRules = let
|
routingPolicyRules = let
|
||||||
viaMain = priority: to: {
|
viaMain = priority: to: {
|
||||||
|
@ -352,6 +360,30 @@ in {
|
||||||
endpoint = "92.118.28.252:51822";
|
endpoint = "92.118.28.252:51822";
|
||||||
fwmark = "0xcafe";
|
fwmark = "0xcafe";
|
||||||
};
|
};
|
||||||
|
"50-wg-eta" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "wg-eta";
|
||||||
|
Kind = "wireguard";
|
||||||
|
Description = "WireGuard tunnel wg-eta";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
ListenPort = 51830;
|
||||||
|
PrivateKeyFile = config.my.vault.secrets.wg-eta-private.path;
|
||||||
|
RouteTable = "off";
|
||||||
|
FirewallMark = hexToInt "0xcafe"; # over gnet
|
||||||
|
};
|
||||||
|
wireguardPeers = [{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
Endpoint = "shenfield-mythic.i.eta.st:51825";
|
||||||
|
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
|
||||||
|
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
|
||||||
|
AllowedIPs = [
|
||||||
|
"0.0.0.0/0"
|
||||||
|
"::/0"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
"20-br-internal" = {
|
"20-br-internal" = {
|
||||||
netdevConfig = {
|
netdevConfig = {
|
||||||
Name = "br-internal";
|
Name = "br-internal";
|
||||||
|
@ -380,6 +412,24 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
my.vault.secrets = {
|
||||||
|
wg-eta-public = {
|
||||||
|
group = "systemd-network";
|
||||||
|
template = ''
|
||||||
|
{{- with secret "kv/apps/wireguard/swann" -}}
|
||||||
|
{{- .Data.data.publicKeyFromEta -}}
|
||||||
|
{{- end -}}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
wg-eta-private = {
|
||||||
|
group = "systemd-network";
|
||||||
|
template = ''
|
||||||
|
{{- with secret "kv/apps/wireguard/swann" -}}
|
||||||
|
{{- .Data.data.privateKeyToEta -}}
|
||||||
|
{{- end -}}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
services.mstpd.enable = true;
|
services.mstpd.enable = true;
|
||||||
my.ip.tailscale = "100.102.224.95";
|
my.ip.tailscale = "100.102.224.95";
|
||||||
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6266:e05f";
|
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6266:e05f";
|
||||||
|
@ -583,6 +633,11 @@ in {
|
||||||
3784 # BFD
|
3784 # BFD
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
interfaces.wg-eta = {
|
||||||
|
allowedTCPPorts = [
|
||||||
|
179 # BGP
|
||||||
|
];
|
||||||
|
};
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
ip46tables -F FORWARD
|
ip46tables -F FORWARD
|
||||||
|
|
||||||
|
@ -594,6 +649,7 @@ in {
|
||||||
|
|
||||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
|
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
|
||||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT
|
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT
|
||||||
|
ip46tables -A FORWARD -i vl-eduroam -o wg-eta -j ACCEPT
|
||||||
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
|
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -730,6 +786,16 @@ in {
|
||||||
# GNetwork
|
# GNetwork
|
||||||
preference = 200;
|
preference = 200;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
route 92.118.30.0/24 unreachable {
|
||||||
|
bgp_ext_community.add((ro, 205479, 1000)); # export this
|
||||||
|
};
|
||||||
|
route 92.118.30.16/28 via "br-internal";
|
||||||
|
route 92.118.30.254/32 via "lo";
|
||||||
|
route 92.118.30.253/32 via "lo";
|
||||||
|
# route 92.118.30.0/31 via "wg-tuvok-vm";
|
||||||
|
route 92.118.30.2/31 via "wg-tuvok-ee";
|
||||||
|
route 92.118.30.4/31 via "wg-tuvok-gnet";
|
||||||
};
|
};
|
||||||
protocol static export6 {
|
protocol static export6 {
|
||||||
ipv6 {};
|
ipv6 {};
|
||||||
|
@ -754,7 +820,9 @@ in {
|
||||||
route 2a09:a443:1::/48 via "br-internal";
|
route 2a09:a443:1::/48 via "br-internal";
|
||||||
route 2a09:a443:2::/64 via "vl-eduroam";
|
route 2a09:a443:2::/64 via "vl-eduroam";
|
||||||
route 2a09:a443:3::/48 via "vl-eduroam";
|
route 2a09:a443:3::/48 via "vl-eduroam";
|
||||||
route 2a09:a443::/32 unreachable;
|
route 2a09:a443::/32 unreachable {
|
||||||
|
bgp_ext_community.add((ro, 205479, 1000)); # export this
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
protocol bfd {
|
protocol bfd {
|
||||||
|
@ -771,6 +839,51 @@ in {
|
||||||
neighbor 92.118.30.5;
|
neighbor 92.118.30.5;
|
||||||
neighbor 2a09:a442::3:2;
|
neighbor 2a09:a442::3:2;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
protocol bgp eta4 {
|
||||||
|
local 169.254.2.1 as 205479;
|
||||||
|
neighbor 169.254.2.0 as 213185;
|
||||||
|
interface "wg-eta";
|
||||||
|
|
||||||
|
ipv4 {
|
||||||
|
export filter {
|
||||||
|
if source != RTS_STATIC then reject;
|
||||||
|
if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject;
|
||||||
|
|
||||||
|
bgp_ext_community.delete([(ro, 205479, *)]);
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
import filter {
|
||||||
|
if ! (net ~ [
|
||||||
|
44.31.189.0/24
|
||||||
|
]) then reject;
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
next hop self;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
protocol bgp eta6 {
|
||||||
|
local fe80:1234::b as 205479;
|
||||||
|
neighbor fe80:1234::a as 213185;
|
||||||
|
interface "wg-eta";
|
||||||
|
|
||||||
|
ipv6 {
|
||||||
|
export filter {
|
||||||
|
if source != RTS_STATIC then reject;
|
||||||
|
if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject;
|
||||||
|
|
||||||
|
bgp_ext_community.delete([(ro, 205479, *)]);
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
import filter {
|
||||||
|
if ! (net ~ [
|
||||||
|
2a0d:1a40:7553::/48{48,64}
|
||||||
|
]) then reject;
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
next hop self;
|
||||||
|
};
|
||||||
|
};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue