bifrost: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 17:19:58 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 17:19:58 +0100
commit: 67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
tree: b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/vidhar/network/bifrost/default.nix
parent: 93f07176317920ee881773519ee342f9c62ab9c9 (diff)
download: nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.gz
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.bz2
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.xz
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.zip
1 files changed, 82 insertions, 0 deletions
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
new file mode 100644
index 00000000..40666f59
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+with lib;
+let
+  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+  config = {
+    systemd.network = {
+      netdevs = {
+        bifrost = {
+          netdevConfig = {
+            Name = "bifrost";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.bifrost.path;
+            ListenPort = 51822;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+                PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+                PersistentKeepalive = 5;
+                Endpoint = "2a03:4000:52:ada:::51822";
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        bifrost = {
+          name = "bifrost";
+          matchConfig = {
+            Name = "bifrost";
+          };
+          address = ["2a03:4000:52:ada:4:1::/96"];
+          routes = [
+            { routeConfig = {
+                Destination = "2a03:4000:52:ada:4::/80";
+              };
+            }
+            { routeConfig ={
+                Gateway = "2a03:4000:52:ada:4::";
+                GatewayOnLink = true;
+                Table = "bifrost";
+              };
+            }
+          ];
+          routingPolicyRules = [
+            { routingPolicyRuleConfig = {
+                Table = "bifrost";
+                From = "2a03:4000:52:ada:4:1::/96";
+                Priority = 200;
+              };
+            }
+          ];
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+          };
+        };
+      };
+    };
+    sops.secrets.bifrost = {
+      format = "binary";
+      sopsFile = ./vidhar.priv;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=bifrost:1026
+      '';
+    };
+  };
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 17:19:58 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 17:19:58 +0100
commit	67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
tree	b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/vidhar/network/bifrost/default.nix
parent	93f07176317920ee881773519ee342f9c62ab9c9 (diff)
download	nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.gz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.bz2 nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.xz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.zip

diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix new file mode 100644 index 00000000..40666f59 --- /dev/null +++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
	1	{ config, lib, ... }:
	2
	3	with lib;
	4
	5	let
	6	trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
	7	in {
	8	config = {
	9	systemd.network = {
	10	netdevs = {
	11	bifrost = {
	12	netdevConfig = {
	13	Name = "bifrost";
	14	Kind = "wireguard";
	15	};
	16	wireguardConfig = {
	17	PrivateKeyFile = config.sops.secrets.bifrost.path;
	18	ListenPort = 51822;
	19	};
	20	wireguardPeers = [
	21	{ wireguardPeerConfig = {
	22	AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
	23	PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
	24	PersistentKeepalive = 5;
	25	Endpoint = "2a03:4000:52:ada:::51822";
	26	};
	27	}
	28	];
	29	};
	30	};
	31	networks = {
	32	bifrost = {
	33	name = "bifrost";
	34	matchConfig = {
	35	Name = "bifrost";
	36	};
	37	address = ["2a03:4000:52:ada:4:1::/96"];
	38	routes = [
	39	{ routeConfig = {
	40	Destination = "2a03:4000:52:ada:4::/80";
	41	};
	42	}
	43	{ routeConfig ={
	44	Gateway = "2a03:4000:52:ada:4::";
	45	GatewayOnLink = true;
	46	Table = "bifrost";
	47	};
	48	}
	49	];
	50	routingPolicyRules = [
	51	{ routingPolicyRuleConfig = {
	52	Table = "bifrost";
	53	From = "2a03:4000:52:ada:4:1::/96";
	54	Priority = 200;
	55	};
	56	}
	57	];
	58	linkConfig = {
	59	RequiredForOnline = false;
	60	};
	61	networkConfig = {
	62	LLMNR = false;
	63	MulticastDNS = false;
	64	};
	65	};
	66	};
	67	};
	68	sops.secrets.bifrost = {
	69	format = "binary";
	70	sopsFile = ./vidhar.priv;
	71	mode = "0640";
	72	owner = "root";
	73	group = "systemd-network";
	74	};
	75	environment.etc."systemd/networkd.conf" = {
	76	text = ''
	77	[Network]
	78	RouteTable=bifrost:1026
	79	'';
	80	};
	81	};
	82	}