From 8167dec3203cc5e9751b799f751fe56ea2d655b7 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Wed, 30 Oct 2024 09:13:11 +0100
Subject: ...

---
 hosts/sif/default.nix         | 20 ++++++++++++++++++++
 hosts/sif/libvirt/default.nix |  5 ++++-
 hosts/sif/ruleset.nft         |  2 ++
 3 files changed, 26 insertions(+), 1 deletion(-)


diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index e71ee4ec..a2eca749 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -182,6 +182,7 @@ in {
           netdevConfig = {
             Name = "wgrz";
             Kind = "wireguard";
+            MTUBytes = "1538";
           };
           wireguardConfig = {
             PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
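Review bot: `MTUBytes = "1538"` on the wgrz netdev is an unexplained magic number and should carry a comment. It looks like 1500 (inner Ethernet payload) + 14 (Ethernet header) + 4 (GRE) + 20 (outer IPv4) for the gretap tunnel bound to wgrz in the later hunks, but that arithmetic is inferred and should be confirmed; if the underlying link is itself 1500 bytes, WireGuard's own encapsulation overhead on top of 1538 would then be fragmented at the outer layer, which may be intentional but is worth stating. Suggested line above it: `# 1500 inner frame + 14 Ethernet + 4 GRE + 20 IPv4: lets gretap gre-0971-1 carry full-size frames unfragmented`. The enclosing attribute set starts and ends outside this hunk.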
@@ -203,6 +204,24 @@ in {
             MACAddress = "52:54:00:18:85:5b";
           };
         };
+        gre-0971 = {
+          netdevConfig = {
+            Name = "gre-0971";
+            Kind = "bridge";
+            MTUBytes = "1500";
+          };
+        };
+        gre-0971-1 = {
+          netdevConfig = {
+            Name = "gre-0971-1";
+            Kind = "gretap";
+            MTUBytes = "1500";
+          };
+          tunnelConfig = {
+            Local = "10.116.200.128";
+            Remote = "10.116.200.1";
+          };
+        };
       };
       networks = {
         wgrz = {
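Review bot: The gretap `Remote = "10.116.200.1"` does not match the source address the new nftables rule in hosts/sif/ruleset.nft accepts GRE from (`ip saddr 10.200.116.1`); the second and third octets are transposed in one of the two, so with the configured values GRE from the real peer would fall through the new accept rule. Whichever is correct, the other should be changed to agree, and a comment on `tunnelConfig` such as `# peer must match the GRE accept rule in ruleset.nft` would keep them from drifting again. Also, nothing in this diff attaches `gre-0971-1` to the `gre-0971` bridge (no `Bridge = "gre-0971"` under `networks`); if that is configured elsewhere it is fine, otherwise the bridge stays empty. GRE itself carries no authentication here (no `Key`), so the tunnel's safety rests on being bound to wgrz via `Tunnel` and on the nftables source filter; that dependency is worth a one-line comment. The enclosing attribute set continues outside this hunk.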
@@ -246,6 +265,7 @@ in {
             LLMNR = false;
             MulticastDNS = false;
             DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+            Tunnel = "gre-0971-1";
           };
         };
         virbr0 = {
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix
index b5d95996..b42fa8fc 100644
--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -4,7 +4,10 @@ with flakeInputs.nixVirt.lib;
 
 {
   config = {
-    virtualisation.libvirtd.qemu.swtpm.enable = true;
+    virtualisation.libvirtd = {
+      qemu.swtpm.enable = true;
+      allowedBridges = ["virbr0" "gre-0971"];
+    };
     virtualisation.libvirt = {
       enable = true;
       swtpm.enable = true;
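Review bot: Adding `"gre-0971"` to `allowedBridges` lets any guest whose domain definition names that bridge attach directly to the Layer-2 segment extended over the gretap tunnel in hosts/sif/default.nix, which is a much broader reach than `virbr0`, and the list gives no hint of that. A comment naming the purpose and the intended guests would help, e.g. `# gre-0971: bridge onto the remote L2 segment carried by gretap gre-0971-1 over wgrz (see ../default.nix); only guests that need that segment should use it`. The `config` attribute set continues past the end of this hunk.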
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 33c17253..2af8b2ee 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -145,6 +145,8 @@ table inet filter {
     iifname virbr0 udp dport 53 counter name libvirt-dns accept
     iifname virbr0 tcp dport 53 counter name libvirt-dns accept
 
+    iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter accept
+
     ct state {established, related} counter name established-rx accept
 
 
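Review bot: The new GRE rule uses a bare `counter` while every neighbouring rule in this chain uses a named counter (`counter name libvirt-dns`, `counter name established-rx`), so its hits will not show up alongside them; if a named counter can be declared the way `libvirt-dns` is, `iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter name gre-rx accept` would be consistent. It would also be tighter to pin the destination to the tunnel's local endpoint from hosts/sif/default.nix (`ip daddr 10.116.200.128`) so GRE to any other address on wgrz is not accepted. The saddr/Remote mismatch is noted on the hosts/sif/default.nix hunk. The enclosing chain starts before this hunk.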
-- 