swann: add wg-eta
This commit is contained in:
parent
0471d22092
commit
6f11983d75
1 changed files with 115 additions and 2 deletions
|
@ -140,7 +140,7 @@ in {
|
|||
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "${replaceV6Octet v6Linknet (n: n - 1)}/112";
|
||||
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
|
||||
Table = rtID;
|
||||
};
|
||||
}
|
||||
|
@ -195,6 +195,7 @@ in {
|
|||
bgp = 150;
|
||||
wg-ee = 152;
|
||||
wg-gnet = 153;
|
||||
wg-eta = 160;
|
||||
ee = 201;
|
||||
gnet = 203;
|
||||
};
|
||||
|
@ -215,6 +216,13 @@ in {
|
|||
v4Linknet = "92.118.30.4";
|
||||
v6Linknet = "2a09:a442::3:1";
|
||||
};
|
||||
networks."50-wg-eta" = wireguardNetwork {
|
||||
linkName = "wg-eta";
|
||||
relativePriority = 10;
|
||||
rtID = routeTables.wg-eta;
|
||||
v4Linknet = "169.254.2.1";
|
||||
v6Linknet = "fe80:1234::b";
|
||||
};
|
||||
networks."40-lo" = {
|
||||
routingPolicyRules = let
|
||||
viaMain = priority: to: {
|
||||
|
@ -352,6 +360,30 @@ in {
|
|||
endpoint = "92.118.28.252:51822";
|
||||
fwmark = "0xcafe";
|
||||
};
|
||||
"50-wg-eta" = {
|
||||
netdevConfig = {
|
||||
Name = "wg-eta";
|
||||
Kind = "wireguard";
|
||||
Description = "WireGuard tunnel wg-eta";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = 51830;
|
||||
PrivateKeyFile = config.my.vault.secrets.wg-eta-private.path;
|
||||
RouteTable = "off";
|
||||
FirewallMark = hexToInt "0xcafe"; # over gnet
|
||||
};
|
||||
wireguardPeers = [{
|
||||
wireguardPeerConfig = {
|
||||
Endpoint = "shenfield-mythic.i.eta.st:51825";
|
||||
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
|
||||
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
|
||||
AllowedIPs = [
|
||||
"0.0.0.0/0"
|
||||
"::/0"
|
||||
];
|
||||
};
|
||||
}];
|
||||
};
|
||||
"20-br-internal" = {
|
||||
netdevConfig = {
|
||||
Name = "br-internal";
|
||||
|
@ -380,6 +412,24 @@ in {
|
|||
};
|
||||
};
|
||||
};
|
||||
my.vault.secrets = {
|
||||
wg-eta-public = {
|
||||
group = "systemd-network";
|
||||
template = ''
|
||||
{{- with secret "kv/apps/wireguard/swann" -}}
|
||||
{{- .Data.data.publicKeyFromEta -}}
|
||||
{{- end -}}
|
||||
'';
|
||||
};
|
||||
wg-eta-private = {
|
||||
group = "systemd-network";
|
||||
template = ''
|
||||
{{- with secret "kv/apps/wireguard/swann" -}}
|
||||
{{- .Data.data.privateKeyToEta -}}
|
||||
{{- end -}}
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.mstpd.enable = true;
|
||||
my.ip.tailscale = "100.102.224.95";
|
||||
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6266:e05f";
|
||||
|
@ -583,6 +633,11 @@ in {
|
|||
3784 # BFD
|
||||
];
|
||||
};
|
||||
interfaces.wg-eta = {
|
||||
allowedTCPPorts = [
|
||||
179 # BGP
|
||||
];
|
||||
};
|
||||
extraCommands = ''
|
||||
ip46tables -F FORWARD
|
||||
|
||||
|
@ -594,6 +649,7 @@ in {
|
|||
|
||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
|
||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT
|
||||
ip46tables -A FORWARD -i vl-eduroam -o wg-eta -j ACCEPT
|
||||
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
|
||||
'';
|
||||
};
|
||||
|
@ -730,6 +786,16 @@ in {
|
|||
# GNetwork
|
||||
preference = 200;
|
||||
};
|
||||
|
||||
route 92.118.30.0/24 unreachable {
|
||||
bgp_ext_community.add((ro, 205479, 1000)); # export this
|
||||
};
|
||||
route 92.118.30.16/28 via "br-internal";
|
||||
route 92.118.30.254/32 via "lo";
|
||||
route 92.118.30.253/32 via "lo";
|
||||
# route 92.118.30.0/31 via "wg-tuvok-vm";
|
||||
route 92.118.30.2/31 via "wg-tuvok-ee";
|
||||
route 92.118.30.4/31 via "wg-tuvok-gnet";
|
||||
};
|
||||
protocol static export6 {
|
||||
ipv6 {};
|
||||
|
@ -754,7 +820,9 @@ in {
|
|||
route 2a09:a443:1::/48 via "br-internal";
|
||||
route 2a09:a443:2::/64 via "vl-eduroam";
|
||||
route 2a09:a443:3::/48 via "vl-eduroam";
|
||||
route 2a09:a443::/32 unreachable;
|
||||
route 2a09:a443::/32 unreachable {
|
||||
bgp_ext_community.add((ro, 205479, 1000)); # export this
|
||||
};
|
||||
};
|
||||
|
||||
protocol bfd {
|
||||
|
@ -771,6 +839,51 @@ in {
|
|||
neighbor 92.118.30.5;
|
||||
neighbor 2a09:a442::3:2;
|
||||
};
|
||||
|
||||
protocol bgp eta4 {
|
||||
local 169.254.2.1 as 205479;
|
||||
neighbor 169.254.2.0 as 213185;
|
||||
interface "wg-eta";
|
||||
|
||||
ipv4 {
|
||||
export filter {
|
||||
if source != RTS_STATIC then reject;
|
||||
if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject;
|
||||
|
||||
bgp_ext_community.delete([(ro, 205479, *)]);
|
||||
accept;
|
||||
};
|
||||
import filter {
|
||||
if ! (net ~ [
|
||||
44.31.189.0/24
|
||||
]) then reject;
|
||||
accept;
|
||||
};
|
||||
next hop self;
|
||||
};
|
||||
};
|
||||
protocol bgp eta6 {
|
||||
local fe80:1234::b as 205479;
|
||||
neighbor fe80:1234::a as 213185;
|
||||
interface "wg-eta";
|
||||
|
||||
ipv6 {
|
||||
export filter {
|
||||
if source != RTS_STATIC then reject;
|
||||
if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject;
|
||||
|
||||
bgp_ext_community.delete([(ro, 205479, *)]);
|
||||
accept;
|
||||
};
|
||||
import filter {
|
||||
if ! (net ~ [
|
||||
2a0d:1a40:7553::/48{48,64}
|
||||
]) then reject;
|
||||
accept;
|
||||
};
|
||||
next hop self;
|
||||
};
|
||||
};
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
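Review bot: The new `my.vault.secrets.wg-eta-public` entry is dead configuration — its only consumer, `#PublicKey = config.my.vault.secrets.wg-eta-public.path;`, is commented out and the peer key is given inline as a literal, so Vault will render a file owned by group `systemd-network` that nothing reads. As far as I can tell systemd-networkd's `[WireGuardPeer]` `PublicKey=` takes the base64 key itself rather than a file path, which is presumably why the literal was used; since a peer public key is not secret, drop the `wg-eta-public` block and the commented line, and record the reason inline: `PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; # networkd has no PublicKeyFile=; the peer key is public anyway`. Separately, the firewall hunk only opens TCP 179 on `wg-eta`; nothing in this diff allows UDP 51830 on the transport interface, which matters only if the remote side is expected to initiate the handshake rather than this host via the configured `Endpoint`.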