lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

blade-tuvok: also NAT things going out onto linx

Browse source
This commit is contained in:
Luke Granger-Brown 2021-08-31 01:37:34 +00:00
parent 9a5b0379cb
commit a0d97e082d
2 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ops/nixos/blade-tuvok/default.nix
View file

@ -38,6 +38,9 @@ in {
ip netns exec wg-endpoint sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1
)
'';
nat.extraCommands = ''
iptables -w -t nat -A nixos-nat-post -m mark --mark 0x1 -o vl-linx -j SNAT --to-source 92.118.28.1
'';
};
my.ip.tailscale = "100.119.123.33";
my.blade.bay = 6;
@ -225,4 +228,5 @@ in {
route 2a09:a443::/32 via 2a09:a441::f00f;
'';
};
}

5
ops/nixos/lib/blade.nix
View file

@ -114,6 +114,11 @@ in {
firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
firewall.extraCommands = ''
iptables -A nixos-fw -i en-storage -s 10.100.2.0/23 -j ACCEPT
iptables -A nixos-fw -i br-mgmt -s 10.100.0.0/23 -j ACCEPT
'';
nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
enable = true;
internalInterfaces = [ "br-mgmt" ];