yggdrasil: implement ospf, nat, name interfaces
This commit is contained in:
parent
6c28006440
commit
379b1851bb
|
@ -39,11 +39,11 @@
|
|||
},
|
||||
"secrets": {
|
||||
"locked": {
|
||||
"lastModified": 1614162961,
|
||||
"narHash": "sha256-mWZ8TPGmjIh4GYMvUPbMCa7F7UPWzsD0R3B7YOrgvlI=",
|
||||
"lastModified": 1614812093,
|
||||
"narHash": "sha256-ca+4c4t4ALcXhlmrBGLZ+odG8QWGcJTMiyLZUe8gSkY=",
|
||||
"ref": "master",
|
||||
"rev": "326cb89e8d82ab9cb5180eb2cedc6ba72ca8a7b8",
|
||||
"revCount": 77,
|
||||
"rev": "169bddfd0cfea16ad74dc95187ca7c3ac40b6a11",
|
||||
"revCount": 78,
|
||||
"type": "git",
|
||||
"url": "ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git"
|
||||
},
|
||||
|
|
|
@ -111,6 +111,9 @@
|
|||
./hosts/containers/yggdrasil
|
||||
./lib/lxc-container.nix
|
||||
./lib/users/emery.nix
|
||||
({ ... }: {
|
||||
nixpkgs.overlays = [ secrets.overlays.ospf ];
|
||||
})
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
{ hostRegistry, ... }:
|
||||
{ pkgs, lib, config, hostRegistry, ... }:
|
||||
|
||||
let
|
||||
yggAddress = "201:4561:bb58:4dac:5f6a:7b23:44f:a5ef";
|
||||
host = hostRegistry.hosts.yggdrasil;
|
||||
yggAddress = host.ygg;
|
||||
yggPrefix = "301:4561:bb58:4dac"; # 301:4561:bb58:4dac::/64
|
||||
# taken from the output of "yggdrasilctl getself".
|
||||
port = 46823;
|
||||
|
@ -19,16 +20,23 @@ in {
|
|||
|
||||
c3d2 = { isInHq = true; };
|
||||
|
||||
networking = let host = hostRegistry.hosts.yggdrasil;
|
||||
in {
|
||||
networking = {
|
||||
hostName = "yggdrasil";
|
||||
firewall.enable = false;
|
||||
nat = {
|
||||
enable = true;
|
||||
# Provide routing for the house
|
||||
extraCommands = ''
|
||||
ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
|
||||
'';
|
||||
};
|
||||
defaultGateway = "172.20.72.6";
|
||||
defaultGateway6 = "2a02:8106:208:5281::b:0";
|
||||
# systemd-networkd breaks setting default routes. so sad.
|
||||
useNetworkd = pkgs.lib.mkForce false;
|
||||
nameservers = [ "172.20.73.8" ];
|
||||
interfaces.eth0 = {
|
||||
interfaces.core = {
|
||||
mtu = 1500;
|
||||
ipv4 = {
|
||||
addresses = [{
|
||||
address = host.ip4;
|
||||
|
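Review bot: The rule added in `extraCommands` is appended straight to `POSTROUTING` and nothing ever deletes it, so each restart of the nat service leaves one more identical MASQUERADE entry; the NixOS nat module only flushes the chains it owns. Either target the module-managed chain, `ip6tables -t nat -A nixos-nat-post ! --src 200::/7 -o ygg -j MASQUERADE`, or pair the rule with `extraStopCommands = "ip6tables -t nat -D POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE || true";`. The `firewall.enable = false` visible just above `nat` means forwarding between `core`, `c3d2` and `ygg` is unfiltered once routing is on; presumably intended for a house router, but a one-line comment saying so next to it would save the next reader a question. The `networking` attribute set continues past the end of the hunk.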
@ -41,6 +49,12 @@ in {
|
|||
address = host.ip6;
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
interfaces.c3d2 = lib.mkForce {
|
||||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
address = yggPrefix + "::1";
|
||||
prefixLength = 64;
|
||||
|
@ -54,6 +68,7 @@ in {
|
|||
enable = true;
|
||||
persistentKeys = true;
|
||||
config = {
|
||||
IfName = "ygg";
|
||||
Listen = [
|
||||
"tcp://[::]:${toString port}"
|
||||
];
|
||||
|
@ -77,6 +92,63 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
# Get routes on the core network, advertise Yggdrasil routes to ZW core
|
||||
services.bird2 = {
|
||||
enable = true;
|
||||
config = ''
|
||||
protocol kernel K4 {
|
||||
ipv4 {
|
||||
export all;
|
||||
};
|
||||
}
|
||||
protocol kernel K6 {
|
||||
ipv6 {
|
||||
export all;
|
||||
};
|
||||
}
|
||||
protocol device {
|
||||
scan time 10;
|
||||
}
|
||||
|
||||
protocol radv {
|
||||
interface "c3d2" {
|
||||
min ra interval 10;
|
||||
max ra interval 60;
|
||||
prefix ${yggPrefix}/64 {
|
||||
preferred lifetime 20;
|
||||
valid lifetime 60;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
protocol ospf v2 ZW4 {
|
||||
area 0 {
|
||||
networks {
|
||||
172.20.72.0/21;
|
||||
};
|
||||
interface "core" {
|
||||
authentication cryptographic;
|
||||
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
protocol ospf v3 ZW6 {
|
||||
area 0 {
|
||||
networks {
|
||||
fd23:42:c3d2:500::/56;
|
||||
2a02:8106:208:5200::/56;
|
||||
2a02:8106:211:e900::/56;
|
||||
};
|
||||
stubnet 200::/7 {};
|
||||
interface "core" {};
|
||||
};
|
||||
}
|
||||
|
||||
router id ${host.ip4};
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."y.c3d2.de" = {
|
||||
|
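Review bot: The OSPFv2 message-digest key is interpolated into `services.bird2.config` through `pkgs.zentralwerk-ospf-message-digest-key`, so it lands in the generated bird.conf in the world-readable Nix store (the overlay added in the flake.nix hunk is what exposes it as a pkgs attribute). Loading it at runtime would avoid that, e.g. keep the `password` stanza in a root-only file and reference it with bird's `include "<SECRETS_FILE placeholder>";`, leaving a comment `# OSPF key is included from outside the store` in the config. Separately, `protocol ospf v3 ZW6` attaches to `interface "core" {}` with no authentication while ZW4 on the same link uses `authentication cryptographic`; if the deployed BIRD version supports OSPFv3 authentication the two should match, otherwise a comment should record the gap. `authentication cryptographic` with no explicit `algorithm` falls back, I believe, to keyed MD5, which is a peer-side choice and only worth noting in a comment. The module's attribute set continues beyond the hunk.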
|