diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 11a64ce..374bf8f 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -3,6 +3,7 @@
 lib,
 meta,
 name,
+ config,
 ...
 }:
@@ -169,6 +170,30 @@ in
 "10-enp67s0f0np0" = {
 name = "enp67s0f0np0";
 linkConfig.Promiscuous = true;
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-gretap1" = {
+ name = "gretap1";
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-br0" = {
+ name = "br0";
 networkConfig = {
 VLAN = builtins.attrNames vlans;
@@ -179,9 +204,56 @@ in
 IPv6SendRA = false;
 };
 };
+ "50-wg0" = {
+ name = "wg0";
+ address = [ "10.10.17.1/30" ];
+ networkConfig.Tunnel = "gretap1";
+ };
 } // (mapAttrs' mkNetwork vlans);
- netdevs = mapAttrs' mkNetdev vlans;
+ netdevs = {
+ "50-gretap1" = {
+ netdevConfig = {
+ Name = "gretap1";
+ Kind = "gretap";
+ };
+ tunnelConfig = {
+ Local = "10.10.17.1";
+ Remote = "10.10.17.2";
+ };
+ };
+ "50-br0" = {
+ netdevConfig = {
+ Name = "br0";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ VLANFiltering = false;
+ STP = false;
+ };
+ };
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 1194;
+ PrivateKeyFile = config.age.secrets."wg-key".path;
+ };
+
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.10.17.0/30"
+ ];
+ PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
+ };
+ }
+ ];
+ };
+ } // mapAttrs' mkNetdev vlans;
 };
 services = {
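Review bot: The new `"50-gretap1"` network unit sets no `linkConfig.MTUBytes`, so frames bridged from enp67s0f0np0 into the tunnel are sized for the physical uplink but have to fit inside wg0 (1420 bytes by default in systemd-networkd, if this commit does not override it) minus the outer IP, GRE and inner Ethernet headers; anything larger is fragmented at the GRE layer or silently lost where fragmentation is blocked. An explicit MTU on gretap1 avoids that — if wg0 keeps the default, something on the order of `linkConfig.MTUBytes = 1380;` (approximate; confirm against the real overhead) is the usual starting point, and br0 should end up at the same value. A short comment above `"50-br0"` saying that the VLAN sub-interfaces now hang off the bridge rather than the physical uplink would also help the next reader, since the move is only implied by the context lines. The `"50-br0"` attribute continues past the end of this hunk.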
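Review bot: With `VLANFiltering = false` and `STP = false` on the new br0 netdev, every VLAN-tagged frame the promiscuous uplink receives is flooded across gretap1 to the WireGuard peer, and nothing stops a bridge loop if the two ends are ever also joined by another L2 path; if only some VLANs are meant to be extended, `VLANFiltering = true` with an explicit VLAN list on the gretap1 member is the tighter configuration. The wg0 peer entry has no `PresharedKeyFile`; it is optional, but it is the usual defence-in-depth for a long-lived site-to-site link, and the agenix plumbing for key files is already in place in this change. Because the peer has no `Endpoint`, this host can only wait for the remote side to initiate on port 1194, so a comment such as `# passive side: the remote peer initiates and keeps the session alive` above `wireguardPeers` would make that intent explicit. The `netdevs` attribute closes inside this hunk, but the `networks` set it follows starts earlier in the file.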
@@ -248,10 +320,16 @@ in
 };
 };
 firewall = {
- allowedUDPPorts = [ 67 ];
+ allowedUDPPorts = [
+ 67
+ 1194
+ ];
 checkReversePath = false;
 };
 };
+ age.secrets."wg-key".owner = "systemd-network";
+ users.users."systemd-network".extraGroups = [ "keys" ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 }
diff --git a/machines/vault01/secrets/secrets.nix b/machines/vault01/secrets/secrets.nix
index cd300fd..48eb730 100644
--- a/machines/vault01/secrets/secrets.nix
+++ b/machines/vault01/secrets/secrets.nix
@@ -8,4 +8,5 @@
 "radius-private_key_password_file"
 "eatonmon-password_file"
 "radius-ap-radius-secret_file"
+ "wg-key"
 ]
diff --git a/machines/vault01/secrets/wg-key b/machines/vault01/secrets/wg-key
new file mode 100644
index 0000000..6b366f8
Binary files /dev/null and b/machines/vault01/secrets/wg-key differ
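Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = true;` turns on IPv4 forwarding between all of this host's interfaces, yet the gretap-over-WireGuard design in this commit is an L2 bridge and does not need L3 forwarding; combined with the pre-existing `checkReversePath = false`, the host will now route whatever its VLAN interfaces hand it unless the forward chain is restricted elsewhere in the configuration. If forwarding really is required, a one-line comment stating which traffic it is for — and a matching forward rule — would pin the intent; otherwise the line should go. UDP 1194 is also opened on every interface through the global `allowedUDPPorts`; if the peer only ever reaches this host over one uplink, `networking.firewall.interfaces.<iface>.allowedUDPPorts` narrows that exposure. The attribute set enclosing `firewall` begins before this hunk.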