authorGregor Kleen <gkleen@yggdrasil.li>2022-02-06 17:19:58 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-06 17:19:58 +0100
commit67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
treeb94f3378117ca2b6bd2d43c8ef106855e52e6462
parent93f07176317920ee881773519ee342f9c62ab9c9 (diff)
bifrost: ...
-rw-r--r--hosts/surtr/bifrost/default.nix66
-rw-r--r--hosts/surtr/bifrost/surtr.priv26
-rw-r--r--hosts/surtr/bifrost/surtr.pub1
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/dns/zones/li.141.soa4
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa8
-rw-r--r--hosts/surtr/dns/zones/org.praseodym.soa4
-rw-r--r--hosts/surtr/ruleset.nft14
-rw-r--r--hosts/vidhar/borg.nix12
-rw-r--r--hosts/vidhar/default.nix2
-rw-r--r--hosts/vidhar/network/bifrost/default.nix82
-rw-r--r--hosts/vidhar/network/bifrost/vidhar.priv26
-rw-r--r--hosts/vidhar/network/bifrost/vidhar.pub1
-rw-r--r--hosts/vidhar/network/default.nix2
-rw-r--r--hosts/vidhar/network/ruleset.nft4
-rw-r--r--modules/yggdrasil-wg/default.nix2
16 files changed, 239 insertions, 17 deletions
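diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
new file mode 100644
index 00000000..8f1e602d
--- /dev/null
+++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+ PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./surtr.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}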
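Review bot: `environment.etc."systemd/networkd.conf"` replaces the whole networkd.conf with a single RouteTable= mapping, so any other [Network] setting the NixOS module or another module would render there is lost, and if the nixpkgs in use already renders that file from `systemd.network.config` this definition conflicts with it; `systemd.network.config.networkConfig` is the module-level spelling, where available. Nothing on the surtr side references table `bifrost` (no `Table =` in `routes` and no `routingPolicyRules`), so the mapping appears to be a copy of the vidhar file rather than something this host uses. The `routes` entry sends the whole `2a03:4000:52:ada:4::/80` into the netdev while the only peer's `AllowedIPs` is `2a03:4000:52:ada:4:1::/96`, so destinations elsewhere in the /80 are dropped by WireGuard's cryptokey routing; if further /96s are planned, a comment such as `# whole /80 routed into bifrost; only configured peers' /96s are reachable` would record that. The recursive `trim` is duplicated verbatim in hosts/vidhar/network/bifrost/default.nix and used by modules/yggdrasil-wg/default.nix as well; a shared helper would remove the copies.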
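diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv
new file mode 100644
index 00000000..e7f2aeb4
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.priv
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T16:09:36Z",
+ "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file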
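diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub
new file mode 100644
index 00000000..2f6ec1b6
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
+/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=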
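diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index be148b05..cfb218da 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
  imports = with flake.nixosModules.systemProfiles; [
  qemu-guest openssh rebuild-machines zfs
- ./zfs.nix ./dns ./tls.nix ./http.nix
+ ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost
  ];
 
  config = {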
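diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 260a09b5..6620a0a3 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020102 ; serial
+ 2022020600 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 
 webdav IN CNAME surtr.yggdrasil.li.
 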
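diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ab89351f..a4fad7a7 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020101 ; serial
+ 2022020600 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -35,7 +35,11 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li"
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
+
+vidhar IN AAAA 2a03:4000:52:ada:4:1::
+vidhar IN MX 0 ymir.yggdrasil.li
+vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
 
 mailout IN A 188.68.51.254
 mailout IN AAAA 2a03:4000:6:d004::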
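diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
index 4bd6263f..f4fd0d8e 100644
--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020102 ; serial
+ 2022020600 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 
 ymir._domainkey IN TXT (
  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"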
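diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 132360b9..9d6fd373 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -1,4 +1,4 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
+define icmp_protos = {ipv6-icmp, icmp, igmp}
 
 table arp filter {
  limit lim_arp {
@@ -44,12 +44,16 @@ table inet filter {
 
  iifname lo counter accept
 
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept
  meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
  meta l4proto $icmp_protos ct state {established, related} counter accept
 
 
+ oifname bifrost counter accept
+ iifname bifrost oifname ens3 counter accept
+
+
  limit name lim_reject log prefix "drop forward: " counter drop
  log prefix "reject forward: " counter
  meta l4proto tcp ct state new counter reject with tcp reset
@@ -78,13 +82,13 @@ table inet filter {
  udp dport 60001-61000 counter accept
 
  meta protocol ip udp dport 51820 counter accept
- meta protocol ip6 udp dport 51821 counter accept
+ meta protocol ip6 udp dport {51821, 51822} counter accept
  iifname "yggdrasil-wg-*" meta l4proto gre counter accept
 
  tcp dport 53 counter accept
  udp dport 53 counter accept
 
- tcp dport { 80, 443 } counter accept
+ tcp dport {80, 443} counter accept
 
  ct state {established, related} counter accept
 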
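Review bot: In the forward hunk, `oifname bifrost counter accept` has no `iifname` or `ct state` condition, so every packet from any interface (ens3 and yggdrasil alike) toward the tunnel is forwarded unfiltered and vidhar's own input chain becomes the sole policy point for its public address; if that is the intent, a comment on the rule such as `# vidhar's public /96 is filtered on vidhar, not here` would record it, otherwise `iifname ens3 oifname bifrost ct state {established, related, new} counter accept` is the narrower form. The ICMP rate limit just above only covers `iifname {yggdrasil, bifrost} oifname ens3` and established/related traffic, so new ICMP arriving on ens3 for bifrost reaches the unconditional accept without passing `lim_icmp`; a mirrored `meta l4proto $icmp_protos iifname ens3 oifname bifrost limit name lim_icmp counter drop` ahead of it would close that gap. The forward chain starts outside the hunk.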
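diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix
new file mode 100644
index 00000000..0a0b37a5
--- /dev/null
+++ b/hosts/vidhar/borg.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ config = {
+ users.users.borg = {
+ isSystemUser = true;
+ createHome = false;
+ group = "borg";
+ extraGroups = [ "ssh" ];
+ };
+ users.groups."borg" = {};
+ };
+}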
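Review bot: The `borg` user is added to the `ssh` group, which suggests it is meant to receive `borg serve` connections, but this file sets no `shell`, `home` or `openssh.authorizedKeys`; with the NixOS default shell for system users (nologin) sshd cannot execute a forced command for it, so unless those settings live in another module the user cannot serve backups yet. If the file is intentionally a stub, a header comment like `# borg backup target; authorized keys and shell are configured elsewhere` would make that explicit and tell a reader where to look.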
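diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index b647e472..09ae1e1e 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
  imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus
+ ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix
  initrd-all-crypto-modules default-locale openssh rebuild-machines
  build-server
  initrd-ssh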
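diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
new file mode 100644
index 00000000..40666f59
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+ PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+ PersistentKeepalive = 5;
+ Endpoint = "2a03:4000:52:ada:::51822";
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4:1::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ { routeConfig ={
+ Gateway = "2a03:4000:52:ada:4::";
+ GatewayOnLink = true;
+ Table = "bifrost";
+ };
+ }
+ ];
+ routingPolicyRules = [
+ { routingPolicyRuleConfig = {
+ Table = "bifrost";
+ From = "2a03:4000:52:ada:4:1::/96";
+ Priority = 200;
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./vidhar.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}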
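Review bot: The second `routes` entry is a gateway route with no `Destination` (so, as far as I can tell, a default route) in table `bifrost`, and the policy rule steers everything sourced from `2a03:4000:52:ada:4:1::/96` through that table, i.e. to arbitrary destinations over the tunnel; but the surtr peer's `AllowedIPs` is only `2a03:4000:52:ada:4::/96`, and WireGuard's cryptokey routing drops outgoing packets whose destination, and incoming packets whose source, lie outside a peer's AllowedIPs. If the public address is meant to be reachable from the internet (this commit also publishes `vidhar IN AAAA 2a03:4000:52:ada:4:1::`), the peer here needs `AllowedIPs = [ "::/0" ];`, the same shape modules/yggdrasil-wg/default.nix uses for routers. `Endpoint = "2a03:4000:52:ada:::51822"` only works because networkd splits at the last colon; the bracketed `"[2a03:4000:52:ada::]:51822"` is the unambiguous spelling for an IPv6 endpoint. `PersistentKeepalive = 5` is far more frequent than the customary 25 seconds, so a short comment on why it is needed would help the next reader.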
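diff --git a/hosts/vidhar/network/bifrost/vidhar.priv b/hosts/vidhar/network/bifrost/vidhar.priv
new file mode 100644
index 00000000..273e9ba7
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.priv
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T16:09:08Z",
+ "mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T16:09:08Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2022-02-06T16:09:08Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file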
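diff --git a/hosts/vidhar/network/bifrost/vidhar.pub b/hosts/vidhar/network/bifrost/vidhar.pub
new file mode 100644
index 00000000..ef05f832
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.pub
@@ -0,0 +1 @@
+moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA=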
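diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index a1d1b172..e8c5ba9c 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
- imports = [ ./dsl.nix ];
+ imports = [ ./dsl.nix ./bifrost ];
 
  config = {
  networking = {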
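diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4914777d..caa4863b 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -162,8 +162,8 @@ table inet filter {
  iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
  meta l4proto $icmp_protos counter name icmp-rx accept
 
- iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
- iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
 
  iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
  iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept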
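Review bot: Adding `bifrost` to the ssh/mosh accept sets makes both services reachable on the public `2a03:4000:52:ada:4:1::` address, because hosts/surtr/ruleset.nft in this commit forwards everything destined for the tunnel unconditionally; the set otherwise mixes internal interfaces with `dsl`, so if `dsl` receives extra handling elsewhere in this chain (rate limiting, logging) bifrost should be grouped with it rather than with `lan`. A comment on the line, e.g. `# bifrost carries the public IPv6 /96 via surtr and is internet-facing`, would keep that distinction visible to whoever edits the set next. The input chain begins outside the hunk.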
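diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 2180711d..82002a05 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -95,7 +95,7 @@ let
  let
  other = if thisHost from then to else from;
  in {
- AllowedIPs = if elem other routers then ["0.0.0.0/0" "::/0"] else wgHostIPs.${family}.${other};
+ AllowedIPs = if elem other routers then ["::/0"] else wgHostIPs.${family}.${other};
  PublicKey = trim (readFile (mkPublicKeyPath family other));
  } // (optionalAttrs (thisHost from) (linkCfgFilterCustom opts // linkMkEndpointCfg family opts));
  linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"]));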
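Review bot: Dropping `"0.0.0.0/0"` from the router AllowedIPs means any IPv4 packet routed over a yggdrasil-wg link toward a router is now refused by WireGuard's cryptokey routing instead of being carried; this affects every host using the module and is unrelated to the bifrost topic of the commit message, so it deserves a sentence there or a comment on the line such as `# routers are reached over IPv6 only; IPv4 is not tunnelled`. The enclosing let-binding starts and ends outside the hunk.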