From a60b546277a3a80c65db6a9fc932efe6fccb20d2 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Thu, 5 Dec 2024 14:46:38 +0100
Subject: [PATCH] feat(vault01/gretap): gretap for hackaton
---
 machines/vault01/networking.nix | 82 ++++++++++++++++++++++++++-
 machines/vault01/secrets/secrets.nix | 1 +
 machines/vault01/secrets/wg-key | Bin 0 -> 1754 bytes
 3 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100644 machines/vault01/secrets/wg-key
diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 11a64ce..374bf8f 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -3,6 +3,7 @@
 lib,
 meta,
 name,
+ config,
 ...
 }:
@@ -169,6 +170,30 @@ in
 "10-enp67s0f0np0" = {
 name = "enp67s0f0np0";
 linkConfig.Promiscuous = true;
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-gretap1" = {
+ name = "gretap1";
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-br0" = {
+ name = "br0";
 networkConfig = {
 VLAN = builtins.attrNames vlans;
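Review bot: Enslaving both `gretap1` and the promiscuous uplink `enp67s0f0np0` into `br0` (the `"50-gretap1"` and `"10-enp67s0f0np0"` networks in this hunk) extends the entire VLAN trunk at layer 2 to whatever sits behind the tunnel, and the `"50-br0"` netdev in the next hunk sets `VLANFiltering = false`, so nothing limits which VLANs cross `gretap1`. The WireGuard peer key authenticates the remote endpoint, not the machines bridged behind it. If only some VLANs are meant for the remote site, set `VLANFiltering = true` on the bridge and add a `bridgeVLANs` entry on the `"50-gretap1"` network listing them; if the full trunk is intentional, a comment on `"50-gretap1"` saying so, e.g. `# intentionally bridges every VLAN of the trunk to the hackathon site`, would spare the next reader the question. The `networks` attribute set this hunk edits starts outside the hunk.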
@@ -179,9 +204,56 @@ in
 IPv6SendRA = false;
 };
 };
+ "50-wg0" = {
+ name = "wg0";
+ address = [ "10.10.17.1/30" ];
+ networkConfig.Tunnel = "gretap1";
+ };
 } // (mapAttrs' mkNetwork vlans);
- netdevs = mapAttrs' mkNetdev vlans;
+ netdevs = {
+ "50-gretap1" = {
+ netdevConfig = {
+ Name = "gretap1";
+ Kind = "gretap";
+ };
+ tunnelConfig = {
+ Local = "10.10.17.1";
+ Remote = "10.10.17.2";
+ };
+ };
+ "50-br0" = {
+ netdevConfig = {
+ Name = "br0";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ VLANFiltering = false;
+ STP = false;
+ };
+ };
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 1194;
+ PrivateKeyFile = config.age.secrets."wg-key".path;
+ };
+
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.10.17.0/30"
+ ];
+ PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
+ };
+ }
+ ];
+ };
+ } // mapAttrs' mkNetdev vlans;
 };
 services = {
@@ -248,10 +320,16 @@ in
 };
 };
 firewall = {
- allowedUDPPorts = [ 67 ];
+ allowedUDPPorts = [
+ 67
+ 1194
+ ];
 checkReversePath = false;
 };
 };
+ age.secrets."wg-key".owner = "systemd-network";
+ users.users."systemd-network".extraGroups = [ "keys" ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 }
diff --git a/machines/vault01/secrets/secrets.nix b/machines/vault01/secrets/secrets.nix
index cd300fd..48eb730 100644
--- a/machines/vault01/secrets/secrets.nix
+++ b/machines/vault01/secrets/secrets.nix
@@ -8,4 +8,5 @@
 "radius-private_key_password_file"
 "eatonmon-password_file"
 "radius-ap-radius-secret_file"
+ "wg-key"
 ]
diff --git a/machines/vault01/secrets/wg-key b/machines/vault01/secrets/wg-key
new file mode 100644
index 0000000000000000000000000000000000000000..6b366f8c285e08577357137e59342e3f7aef7ca5
GIT binary patch
literal 1754
zcmZXUIm^U&9mf^dCRQtpoiL5fhR0-b&L9YxNis9J|G6d^StQrwzVComil8it{esvF
zHd+e4gvCOzu(c2reFYAJTRgsk&+mKvyf}J`s-Rn&A+4)#*IkTEd+6=EyS`7}q7Wm=
z{c)GwoTtX@xLO
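Review bot: The layering of the new `netdevs` block is undocumented: the `"50-wg0"` peer has no `Endpoint`, so this host can only answer a peer that dials in on UDP 1194, and the `Local`/`Remote` addresses in `"50-gretap1"` are the tunnel's inner `10.10.17.0/30` addresses (the `"50-wg0"` network above binds `Tunnel = "gretap1"` to them), not anything on the physical network. A comment above `+ netdevs = {` along the lines of `# gretap1 is carried inside wg0: Local/Remote are the WireGuard inner addresses; the remote side initiates, so no Endpoint is set here` would capture both facts. The hard-coded `PublicKey` would also benefit from a comment naming which remote machine it belongs to, so it can be identified and removed once the event is over. The enclosing `systemd.network` attribute set starts outside the hunk.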
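Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = true;` enables IPv4 forwarding host-wide, yet nothing in this patch appears to need the kernel to route between interfaces: the GRE tap is a layer-2 device and the WireGuard `AllowedIPs` `/30` terminates on `wg0` itself, so GRE packets are locally originated and locally delivered. Together with the pre-existing `checkReversePath = false;`, the host will presumably now forward any IPv4 packet it receives on any interface, including the per-VLAN interfaces derived from `vlans`, and the `allowedUDPPorts` change only covers traffic addressed to the host. If forwarding is needed for another part of this machine's role, a one-line comment on that line, e.g. `# IPv4 forwarding needed for <reason>`, should say so; otherwise the line should be dropped. The enclosing module attribute set closes at the `}` that ends this hunk but starts outside it.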

lRLa(6zU5rI(nr+dijmml~M0T}D$r(HnXIGvw%t6JY25i8)5C zfv%Xfxjj;=R}(Zz(}kV*p8w<+9(UiC%*UJr&P&jio*M5K3~N86$&%ecA~v=z4jU5mK(-(>k~k5wI&0 zggmW)e#qSEj<4O|R4v2WuIKU=Y(1|U?b=I1`WGyQ3_0>_zT%U*TyOXsw7Prpx4XO5 zW>r5%Yb|t9iNHylzMyrzx68ZxSptxI3m#i?zt0a*dsYV7C@c$5o^KKTR>rKl9`}<3 zPuTM$3Qda)g((QVqW~&F(u4&bBwhWIrue6Vdmfix?kO&v{Kt4^g(kfKmJT$>2#TxC zYUzpQi$%XlU34s}vNs%TbT1I^PiL$ilFaZkR6io76Qooxa+!oG5<$8=5)}Uaq~M!P z&v;o8jb-&g(Q>9Gtut^Rw^>T#6F_{_j)W0+`&43NNP|-dknW=#Tvz- zw|!$E_%ZMGIGoUxgJQ2&^Ue)7!|@jrQ)`jtFf7gP`}(pHw?`?r;#Fv{r0p%l=fZ*O zr0R+7g;hAJGlD@~of6s+D@`df`J~ixNx0pa_t_%T3<9tto6g1w*(<%r2y){f=J-){ zSxj+#Jwl&Op~bvUsMmcOK!S)6Wue;~nE-%9t=_UXhZdf&Znz4kW>_~^+flA=^%vRx zZzV4)>DNkdNgGD#5Yu|CB30k6mOa=CB8RkdMD5Wl*6IR4`J;{AP4cTlyRun3H3W&fTAmwY&Y-Dweet;73pP7k#TEQH6OUz2c!$I7+Tf+Pu=K0Y9@&@wmmAr2F%j>2I&rc{jW_2a zD*+Ewl{@D%3}cTb-cMPcKj(EzSl%rND6E}uNl7B$&*8W*xb4RhCLkphjIqb{xG0Tq z`^-h#M&E0z^}%dk+U#IkqDwHSufuuS6;D=B;KJwyEk$|^op*d@4+Ttt9HN~eg6W8m zCA?Ynfl?=R5~7ya@J1yk7;v@NQJVtmm;Y+ZTKNZWpS;CgbhyhRQ8+e33nR_2<(`c#V>p^@!<-C?f({X3%GBydr05EP+q>w4 ztJCtKN-)}Ggxr>q(mxrw)TygZo%xf8)ts%-D}dhK-gamW5Ghlbuwg8ba{^Tn!Uw2G zMXU58-Ey5fAw^2J>l{P)6aCTGeEpkA_!atJKU_Zg^{+0Ue)55v ze~OzQ|MH{X*FV1bpa1>KfBo9_=imPGPu9x0k!z5U~NKNszvezyOH^S!@) F^*^@wKkNVi literal 0 HcmV?d00001