diff options
| -rw-r--r-- | hosts/sif/default.nix | 5 | ||||
| -rw-r--r-- | hosts/vidhar/dns/default.nix | 4 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 4 | ||||
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 7 |
4 files changed, 13 insertions, 7 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 647021ca..96bb793a 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
| @@ -110,6 +110,11 @@ in { | |||
| 110 | server=/cipmath.loc/10.153.88.9 | 110 | server=/cipmath.loc/10.153.88.9 |
| 111 | ''; | 111 | ''; |
| 112 | }; | 112 | }; |
| 113 | environment.etc."NetworkManager/dnsmasq.d/yggdrasil.conf" = { | ||
| 114 | text = '' | ||
| 115 | server=/yggdrasil/2a03:4000:52:ada:1:1:: | ||
| 116 | ''; | ||
| 117 | }; | ||
| 113 | 118 | ||
| 114 | environment.etc."systemd/networkd.conf" = { | 119 | environment.etc."systemd/networkd.conf" = { |
| 115 | text = '' | 120 | text = '' |
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index b1457a7a..caaa8e15 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix | |||
| @@ -82,6 +82,10 @@ in { | |||
| 82 | listen: 127.0.0.1@5353 | 82 | listen: 127.0.0.1@5353 |
| 83 | listen: ::1@5353 | 83 | listen: ::1@5353 |
| 84 | 84 | ||
| 85 | listen: 10.141.1.1@53 | ||
| 86 | listen: 10.141.2.1@53 | ||
| 87 | listen: 2a03:4000:52:ada:1:1::@53 | ||
| 88 | |||
| 85 | acl: | 89 | acl: |
| 86 | - id: local_acl | 90 | - id: local_acl |
| 87 | key: local_key | 91 | key: local_key |
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 0f591f24..4e8341e9 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -165,8 +165,8 @@ table inet filter { | |||
| 165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
| 166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept | 166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept |
| 167 | 167 | ||
| 168 | iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept | 168 | iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept |
| 169 | iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept | 169 | iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept |
| 170 | 170 | ||
| 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept |
| 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept |
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 82002a05..66d14c95 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix | |||
| @@ -77,9 +77,6 @@ let | |||
| 77 | sif = ["${batSubnet}:2::/${toString batHostLength}"]; | 77 | sif = ["${batSubnet}:2::/${toString batHostLength}"]; |
| 78 | }; | 78 | }; |
| 79 | routers = [ "surtr" ]; | 79 | routers = [ "surtr" ]; |
| 80 | hostNames = { | ||
| 81 | vidhar = [ "grafana.vidhar.yggdrasil" ]; | ||
| 82 | }; | ||
| 83 | 80 | ||
| 84 | mkPublicKeyPath = family: host: ./hosts + "/${family}" + "/${host}.pub"; | 81 | mkPublicKeyPath = family: host: ./hosts + "/${family}" + "/${host}.pub"; |
| 85 | mkPrivateKeyPath = family: host: ./hosts + "/${family}" + "/${host}.priv"; | 82 | mkPrivateKeyPath = family: host: ./hosts + "/${family}" + "/${host}.priv"; |
| @@ -205,6 +202,8 @@ in { | |||
| 205 | Name = "yggdrasil"; | 202 | Name = "yggdrasil"; |
| 206 | }; | 203 | }; |
| 207 | address = batHostIPs.${hostName}; | 204 | address = batHostIPs.${hostName}; |
| 205 | dns = ["[2a03:4000:52:ada:1:1::]"]; | ||
| 206 | domains = ["yggdrasil"]; | ||
| 208 | routes = [ | 207 | routes = [ |
| 209 | { routeConfig = { | 208 | { routeConfig = { |
| 210 | Destination = "${batSubnet}::/${toString batSubnetLength}"; | 209 | Destination = "${batSubnet}::/${toString batSubnetLength}"; |
| @@ -247,8 +246,6 @@ in { | |||
| 247 | 246 | ||
| 248 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); | 247 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); |
| 249 | 248 | ||
| 250 | networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) (["${name}.yggdrasil"] ++ (hostNames.${name} or []))) value) (mapAttrsToList nameValuePair batHostIPs))); | ||
| 251 | |||
| 252 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; | 249 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; |
| 253 | environment.systemPackages = with pkgs; [ wireguard-tools batctl ]; | 250 | environment.systemPackages = with pkgs; [ wireguard-tools batctl ]; |
| 254 | networking.networkmanager.unmanaged = ["yggdrasil" "ip6gre0" "ip6tnl0"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies; | 251 | networking.networkmanager.unmanaged = ["yggdrasil" "ip6gre0" "ip6tnl0"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies; |