VEGAS: add backbone routing, portforward and peers
This commit is contained in:
parent
1aa75fc451
commit
1384345400
6 changed files with 87 additions and 0 deletions
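--- a/hosts/VEGAS/services/backbone-routing/default.nix
+++ b/hosts/VEGAS/services/backbone-routing/default.nix
@@ -0,0 +1,28 @@
+{ config, hosts, ... }:
+let
+inherit (hosts.${config.networking.hostName}) interfaces;
+in
+{
+imports = [
+./port-forward.nix
+./peering.nix
+];
+
+networking.nat = {
+enable = true;
+externalInterface = interfaces.primary.link;
+internalIPs = [
+"10.10.0.0/16"
+];
+};
+
+networking.interfaces.${interfaces.vstub.link} = {
+virtual = true;
+ipv4.addresses = [
+{
+address = interfaces.vstub.addr;
+prefixLength = 32;
+}
+];
+};
+}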
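Review bot: With `networking.nat.enable = true` here and `./peering.nix` installing routes for the peer's prefixes, this host forwards packets between the tunnel and `10.10.0.0/16`, and nothing in this file constrains that forwarding; unless a forward policy is set elsewhere (not visible in this commit), I would expect either an explicit allow-list of the flows meant to cross between the two networks or a comment stating that unrestricted routing between them is intended. As far as I recall the NixOS firewall filters only inbound traffic by default, so the `allowedUDPPorts` entry in the peering module does not cover forwarded traffic — worth confirming for the NixOS release in use. The `vstub` block also carries no comment on what the /32 address is for; something like `# <purpose of vstub> — stable /32 on a virtual interface, see hosts.<name>.interfaces.vstub` would save the next reader a lookup.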
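--- a/hosts/VEGAS/services/backbone-routing/peering.nix
+++ b/hosts/VEGAS/services/backbone-routing/peering.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+
+{
+networking.firewall.allowedUDPPorts = [
+config.networking.wireguard.interfaces.wgautobahn.listenPort
+];
+
+age.secrets.wireguard-key-wgautobahn = {
+file = ../../../../secrets/wireguard-key-wgautobahn.age;
+owner = "root";
+group = "root";
+mode = "0400";
+};
+
+networking.wireguard = {
+enable = true;
+interfaces.wgautobahn = {
+ips = [ "10.15.0.1/30" ];
+listenPort = 51820;
+privateKeyFile = config.age.secrets.wireguard-key-wgautobahn.path;
+
+allowedIPsAsRoutes = true;
+peers = [
+# animus
+{
+publicKey = "CIJ8W5SDMyPnSZLN2CNplwhGaNPUGoLV0mdzoDHhxUo=";
+allowedIPs = [ "10.15.0.0/30" "10.150.0.0/16" ];
+endpoint = "116.202.226.86:53042";
+}
+];
+};
+};
+}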
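Review bot: The `# animus` comment on the peer entry names the host but says nothing about what `10.150.0.0/16` is, nor that with `allowedIPsAsRoutes = true` every prefix in `allowedIPs` is also installed as a kernel route via wgautobahn, so extending that list changes the host's routing and not only WireGuard's cryptokey table; I would expand it to `# animus — transit /30 plus its LAN (10.150.0.0/16); both become routes via wgautobahn (allowedIPsAsRoutes)`. The secret wiring (root-owned, mode 0400, path taken from `config.age.secrets.wireguard-key-wgautobahn.path`) and deriving the firewall port from `listenPort` rather than repeating 51820 are good. `networking.firewall.allowedUDPPorts` opens the port on every interface, including the tunnel itself; if peers only ever reach this host over the primary link, `networking.firewall.interfaces.<link>.allowedUDPPorts` would narrow that to the interface that needs it.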
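--- a/hosts/VEGAS/services/backbone-routing/port-forward.nix
+++ b/hosts/VEGAS/services/backbone-routing/port-forward.nix
@@ -0,0 +1,9 @@
+{
+networking.nat.forwardPorts = [
+{
+sourcePort = 52222;
+destination = "10.10.2.205:22";
+proto = "tcp";
+}
+];
+}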
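Review bot: The forward entry publishes SSH of `10.10.2.205` to whatever reaches the external interface on TCP 52222, but carries no comment saying which machine that is or why the forward exists, so a later reader cannot tell whether it is still needed or safe to drop; I would add `# SSH to <host name> on the 10.10.0.0/16 LAN, published on the primary link as 52222 — remove when no longer required` with the host filled in. Because the address is a literal, it should at least be cross-checked against the host definitions the repo already has (`hosts.<name>`), or taken from there the way `default.nix` reads `interfaces`, so the rule follows the host if it is renumbered.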
|
@ -12,6 +12,9 @@
|
|||
./modules/oauth2-proxy
|
||||
./modules/virtualisation
|
||||
inputs.agenix.nixosModules.age
|
||||
|
||||
# Services
|
||||
./services/backbone-routing
|
||||
]
|
||||
# TODO: fix users
|
||||
# ++ (import ../../users "server").groups.admin
|
||||
|
|
|
@ -8,4 +8,5 @@ in with hosts;
|
|||
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
|
||||
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
|
||||
"oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
}
|
||||
|
|
13
secrets/wireguard-key-wgautobahn.age
Normal file
13
secrets/wireguard-key-wgautobahn.age
Normal file
|
@ -0,0 +1,13 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A 2h+cvDs0ZF/4KjtEdZVAt82fol+7LpAZPDDn6AvUOTg
|
||||
NhTqPo8kezw8958g6XStj+zwfgLtsAVUFZ6Utj5SgUM
|
||||
-> ssh-ed25519 5/zT0w CxBTfWH4/UfDAdo3G30bHleMU9FdRdTA4RapQN25ISU
|
||||
F+fvzsSuMv3kINJmEodraZcC16WbslE0w4oDo6sSjqA
|
||||
-> ssh-ed25519 d3WGuA IdssM5x5IKzLJeQNyGS6CFDcre0w6yG+X8WToFU66R8
|
||||
95lNHp1fepWe6CqecaGNZhg7Oh7lBw86UeSRGY7w1wE
|
||||
-> y>hqw-grease m, z7 ;#ddi
|
||||
/DsgoGG5+p/B7Dri153Ta5PxZT5IsMF9e8ispSE0E8sA2QkPxT2GGNRRlvYkzXSF
|
||||
6b9vv3P9IvPA4m2VQRJ6IlUPAmx00n0G9U5BqxrCknSZ242+QG3zFA
|
||||
--- eJGQ5eUCAuhrs7ozhissFClHKDQVgBbkU7ZXbAA4xNg
|
||||
Bñt<C3B1>7ç²û„ÊT]P®°÷7<C3B7>þe†J$_´
|
||||
j*ôH%"žX•â 0Æê‡ë¼$¯Ä/vòÐa¾‰¡>L<>Q*Ç>}ð±/kËÁgç
|