From 8167dec3203cc5e9751b799f751fe56ea2d655b7 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 30 Oct 2024 09:13:11 +0100
Subject: ...
---
 hosts/sif/default.nix | 20 ++++++++++++++++++++
 hosts/sif/libvirt/default.nix | 5 ++++-
 hosts/sif/ruleset.nft | 2 ++
 3 files changed, 26 insertions(+), 1 deletion(-)
(limited to 'hosts/sif')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index e71ee4ec..a2eca749 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -182,6 +182,7 @@ in {
 netdevConfig = {
 Name = "wgrz";
 Kind = "wireguard";
+ MTUBytes = "1538";
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
@@ -203,6 +204,24 @@ in {
 MACAddress = "52:54:00:18:85:5b";
 };
 };
+ gre-0971 = {
+ netdevConfig = {
+ Name = "gre-0971";
+ Kind = "bridge";
+ MTUBytes = "1500";
+ };
+ };
+ gre-0971-1 = {
+ netdevConfig = {
+ Name = "gre-0971-1";
+ Kind = "gretap";
+ MTUBytes = "1500";
+ };
+ tunnelConfig = {
+ Local = "10.116.200.128";
+ Remote = "10.116.200.1";
+ };
+ };
 };
 networks = {
 wgrz = {
@@ -246,6 +265,7 @@ in {
 LLMNR = false;
 MulticastDNS = false;
 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+ Tunnel = "gre-0971-1";
 };
 };
 virbr0 = {
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix
index b5d95996..b42fa8fc 100644
--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -4,7 +4,10 @@ with flakeInputs.nixVirt.lib;
 {
 config = {
- virtualisation.libvirtd.qemu.swtpm.enable = true;
+ virtualisation.libvirtd = {
+ qemu.swtpm.enable = true;
+ allowedBridges = ["virbr0" "gre-0971"];
+ };
 virtualisation.libvirt = {
 enable = true;
 swtpm.enable = true;
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 33c17253..2af8b2ee 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
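Review bot: `MTUBytes = "1538"` on the wgrz netdev is a bare magic number; it equals 1500 (the gretap MTU set later in this commit) + 14 inner Ethernet + 4 GRE + 20 outer IPv4, and that derivation belongs beside it, e.g. `# 1500 gretap + 14 ethernet + 4 GRE + 20 IPv4: bridged frames must not fragment inside the tunnel`. A 1538-byte inner MTU also means every full-size WireGuard datagram (1538 + 32 WireGuard + 8 UDP + 20 IP) exceeds a 1500-byte underlay and will be IP-fragmented on the physical link; the underlay is not visible here, so this may be intended, but fragmented UDP is commonly dropped by middleboxes and is worth a sentence in the same comment. The enclosing netdevs set starts before this hunk.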
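Review bot: `Remote = "10.116.200.1"` on gre-0971-1 does not agree with the nftables rule this same commit adds, which accepts GRE on wgrz only from `ip saddr 10.200.116.1` — the second and third octets are transposed between the two. Unless both hosts really exist, GRE from the actual peer never hits that accept rule and the tunnel is at best one-way; whichever address is right, the other file should be changed to match, and a comment on `Remote` naming the ruleset rule (`# must match the GRE accept rule for wgrz in ruleset.nft`) would keep them from drifting again. Separately, nothing visible in this commit attaches gre-0971-1 to the gre-0971 bridge — no `networks.gre-0971-1 = { matchConfig.Name = "gre-0971-1"; networkConfig.Bridge = "gre-0971"; };` — so unless that exists outside these hunks, the bridge libvirt is allowed to use carries no traffic. The enclosing netdevs set starts before this hunk.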
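Review bot: Adding `"gre-0971"` to `allowedBridges` lets any guest whose NIC is attached through the (setuid) qemu-bridge-helper sit directly on a bridge that this commit extends at layer 2 to the remote GRE peer, and no filtering for that bridge is visible here — no forward-chain rules for it in the ruleset hunk and no nwfilter on the guest side — so such a guest can spoof MAC, ARP or DHCP toward the remote segment. If that trust model is intended, state it next to the list, e.g. `# gre-0971: unfiltered L2 extension to the remote site; guests placed on it are trusted as if on that segment`; otherwise apply libvirt's `clean-traffic` nwfilter to interfaces on that bridge or add bridge-level rules in the nft ruleset. The `config` attribute set continues outside this hunk.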
@@ -145,6 +145,8 @@ table inet filter { iifname virbr0 udp dport 53 counter name libvirt-dns accept iifname virbr0 tcp dport 53 counter name libvirt-dns accept + iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter accept + ct state {established, related} counter name established-rx accept -- cgit v1.2.3