Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/sif/default.nix | 20 | ||||
| -rw-r--r-- | hosts/sif/libvirt/default.nix | 5 | ||||
| -rw-r--r-- | hosts/sif/ruleset.nft | 2 |
3 files changed, 26 insertions, 1 deletions
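--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -182,6 +182,7 @@ in {
 netdevConfig = {
 Name = "wgrz";
 Kind = "wireguard";
+MTUBytes = "1538";
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
@@ -203,6 +204,24 @@ in {
 MACAddress = "52:54:00:18:85:5b";
 };
 };
+gre-0971 = {
+netdevConfig = {
+Name = "gre-0971";
+Kind = "bridge";
+MTUBytes = "1500";
+};
+};
+gre-0971-1 = {
+netdevConfig = {
+Name = "gre-0971-1";
+Kind = "gretap";
+MTUBytes = "1500";
+};
+tunnelConfig = {
+Local = "10.116.200.128";
+Remote = "10.116.200.1";
+};
+};
 };
 networks = {
 wgrz = {
@@ -246,6 +265,7 @@ in {
 LLMNR = false;
 MulticastDNS = false;
 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+Tunnel = "gre-0971-1";
 };
 };
 virbr0 = {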
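Review bot: The gretap netdev gre-0971-1 (new lines 214–224) is created and attached to wgrz via `Tunnel = "gre-0971-1"`, but nothing visible in these hunks enslaves it to the gre-0971 bridge or gives it a network unit at all; unless a `networks.gre-0971-1 = { matchConfig.Name = "gre-0971-1"; networkConfig.Bridge = "gre-0971"; };` entry exists outside the hunk, guests on gre-0971 have no path into the tunnel. Separately, the new wgrz `MTUBytes = "1538"` is exactly 1500 + 14 (Ethernet) + 4 (GRE) + 20 (IPv4), i.e. sized so full guest frames fit through the gretap, but WireGuard adds its own encapsulation on top of that, so on a 1500-byte underlay the outer UDP packets will be IP-fragmented — worth confirming the underlay path MTU allows this or that the fragmentation is accepted. A comment on that line stating the arithmetic, `# 1500 + 14 eth + 4 GRE + 20 IPv4 so gre-0971-1 carries full frames`, would spare the next reader the derivation. The enclosing `netdevs`/`networks` attribute sets begin and end outside the hunks.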
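--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -4,7 +4,10 @@ with flakeInputs.nixVirt.lib;
 
 {
 config = {
-virtualisation.libvirtd.qemu.swtpm.enable = true;
+virtualisation.libvirtd = {
+qemu.swtpm.enable = true;
+allowedBridges = ["virbr0" "gre-0971"];
+};
 virtualisation.libvirt = {
 enable = true;
 swtpm.enable = true;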
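Review bot: Listing `"gre-0971"` in `allowedBridges` (new line 9) permits qemu-bridge-helper to attach guest TAPs to a bridge that is intended to extend a remote L2 segment onto this host through gre-0971-1 over wgrz, so every guest allowed onto it shares a broadcast domain with the remote end; that is a materially wider grant than virbr0 and should be stated where it is made. I would add `# gre-0971: L2 extension of the remote segment behind gre-0971-1 (over wgrz); guests placed here are on that network` above the line so the scope is explicit to whoever edits guest definitions later. The enclosing `config` attribute set continues outside the hunk.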
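--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -145,6 +145,8 @@ table inet filter {
 iifname virbr0 udp dport 53 counter name libvirt-dns accept
 iifname virbr0 tcp dport 53 counter name libvirt-dns accept
 
+iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter accept
+
 ct state {established, related} counter name established-rx accept
 
 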
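Review bot: The added accept rule (new line 148) matches `ip saddr 10.200.116.1`, but the gretap peer configured in hosts/sif/default.nix is `Remote = "10.116.200.1"` — the second and third octets are transposed — so inbound GRE from the actual peer will not hit this rule and presumably falls through to whatever the chain's policy is (not visible here). One of the two addresses is wrong; assuming the networkd side is authoritative the line should read `iifname wgrz ip saddr 10.116.200.1 meta l4proto gre counter accept`. Since the rule is the only GRE ingress permitted on wgrz, pinning the destination as well, `ip daddr 10.116.200.128`, would keep it from matching GRE aimed at other addresses on this host should any be added later. The enclosing chain begins and ends outside the hunk.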
