author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 16:42:35 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 16:42:35 +0100 |
commit | 93f07176317920ee881773519ee342f9c62ab9c9 (patch) | |
tree | 8876150049c83ac8257ac13e191f46fcef10c242 /hosts/sif/default.nix | |
parent | 5c02818571f5dbc93b0f848514dd4b55530f73c2 (diff) | |
sif: wgrz
Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r-- | hosts/sif/default.nix | 99 |
1 files changed, 98 insertions, 1 deletions
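--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+mwnSubnetsPublic =
+[ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+"192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+"193.174.96.0/22"
+"194.95.59.0/24"
+];
+mwnSubnetsPrivate =
+[ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+];
+in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
 
@@ -104,6 +114,93 @@
 server=/sif.libvirt/192.168.122.1
 '';
 };
+environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+text = ''
+server=/mathinst.loc/10.153.88.9
+server=/cipmath.loc/10.153.88.9
+'';
+};
+
+environment.etc."systemd/networkd.conf" = {
+text = ''
+[Network]
+RouteTable=wgrz:1025
+'';
+};
+systemd.network = {
+netdevs = {
+wgrz = {
+netdevConfig = {
+Name = "wgrz";
+Kind = "wireguard";
+};
+wireguardConfig = {
+PrivateKeyFile = config.sops.secrets.wgrz.path;
+ListenPort = 51822;
+# FirewallMark = 1;
+};
+wireguardPeers = [
+{ wireguardPeerConfig = {
+AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+PersistentKeepalive = 25;
+Endpoint = "wg.math.lmu.de:51820";
+};
+}
+];
+};
+};
+networks = {
+wgrz = {
+name = "wgrz";
+matchConfig = {
+Name = "wgrz";
+};
+address = ["10.200.116.128/24"];
+routes = map (Destination: { routeConfig = {
+inherit Destination;
+Gateway = "10.200.116.1";
+GatewayOnLink = true;
+Table = "wgrz";
+};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+routingPolicyRules = [
+{ routingPolicyRuleConfig = {
+Table = "main";
+# FirewallMark = 1;
+To = "129.187.111.225";
+Priority = 100;
+};
+}
+{ routingPolicyRuleConfig = {
+Table = "wgrz";
+From = "10.200.116.128";
+Priority = 200;
+};
+}
+] ++ map (To: { routingPolicyRuleConfig = {
+Table = "wgrz";
+inherit To;
+Priority = 200;
+};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+linkConfig = {
+RequiredForOnline = false;
+};
+networkConfig = {
+LLMNR = false;
+MulticastDNS = false;
+DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+};
+};
+};
+};
+sops.secrets.wgrz = {
+format = "binary";
+sopsFile = ./wgrz/privkey;
+mode = "0640";
+owner = "root";
+group = "systemd-network";
+};
+networking.networkmanager.unmanaged = ["wgrz"];
 
 services.resolved.enable = false;
 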