feat(vault01/gretap): gretap for hackaton
This commit is contained in:
parent
09b5963449
commit
a60b546277
3 changed files with 81 additions and 2 deletions
|
@ -3,6 +3,7 @@
|
||||||
lib,
|
lib,
|
||||||
meta,
|
meta,
|
||||||
name,
|
name,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
|
@ -169,6 +170,30 @@ in
|
||||||
"10-enp67s0f0np0" = {
|
"10-enp67s0f0np0" = {
|
||||||
name = "enp67s0f0np0";
|
name = "enp67s0f0np0";
|
||||||
linkConfig.Promiscuous = true;
|
linkConfig.Promiscuous = true;
|
||||||
|
networkConfig = {
|
||||||
|
Bridge = "br0";
|
||||||
|
|
||||||
|
LinkLocalAddressing = false;
|
||||||
|
LLDP = false;
|
||||||
|
EmitLLDP = false;
|
||||||
|
IPv6AcceptRA = false;
|
||||||
|
IPv6SendRA = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"50-gretap1" = {
|
||||||
|
name = "gretap1";
|
||||||
|
networkConfig = {
|
||||||
|
Bridge = "br0";
|
||||||
|
|
||||||
|
LinkLocalAddressing = false;
|
||||||
|
LLDP = false;
|
||||||
|
EmitLLDP = false;
|
||||||
|
IPv6AcceptRA = false;
|
||||||
|
IPv6SendRA = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"50-br0" = {
|
||||||
|
name = "br0";
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
VLAN = builtins.attrNames vlans;
|
VLAN = builtins.attrNames vlans;
|
||||||
|
|
||||||
|
@ -179,9 +204,56 @@ in
|
||||||
IPv6SendRA = false;
|
IPv6SendRA = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
"50-wg0" = {
|
||||||
|
name = "wg0";
|
||||||
|
address = [ "10.10.17.1/30" ];
|
||||||
|
networkConfig.Tunnel = "gretap1";
|
||||||
|
};
|
||||||
} // (mapAttrs' mkNetwork vlans);
|
} // (mapAttrs' mkNetwork vlans);
|
||||||
|
|
||||||
netdevs = mapAttrs' mkNetdev vlans;
|
netdevs = {
|
||||||
|
"50-gretap1" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "gretap1";
|
||||||
|
Kind = "gretap";
|
||||||
|
};
|
||||||
|
tunnelConfig = {
|
||||||
|
Local = "10.10.17.1";
|
||||||
|
Remote = "10.10.17.2";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"50-br0" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "br0";
|
||||||
|
Kind = "bridge";
|
||||||
|
};
|
||||||
|
bridgeConfig = {
|
||||||
|
VLANFiltering = false;
|
||||||
|
STP = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"50-wg0" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "wg0";
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
ListenPort = 1194;
|
||||||
|
PrivateKeyFile = config.age.secrets."wg-key".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardPeers = [
|
||||||
|
{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
AllowedIPs = [
|
||||||
|
"10.10.17.0/30"
|
||||||
|
];
|
||||||
|
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
} // mapAttrs' mkNetdev vlans;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
@ -248,10 +320,16 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedUDPPorts = [ 67 ];
|
allowedUDPPorts = [
|
||||||
|
67
|
||||||
|
1194
|
||||||
|
];
|
||||||
checkReversePath = false;
|
checkReversePath = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
age.secrets."wg-key".owner = "systemd-network";
|
||||||
|
users.users."systemd-network".extraGroups = [ "keys" ];
|
||||||
|
|
||||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
||||||
}
|
}
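Review bot: The new `"50-gretap1"` network enslaves the tunnel to br0 (`Bridge = "br0"`) while the `"50-br0"` netdev is created with `VLANFiltering = false` and the br0 network now carries every VLAN (`VLAN = builtins.attrNames vlans`) next to the promiscuous trunk port enp67s0f0np0, so the remote end of the GRE tunnel becomes an unrestricted layer-2 member of the core bridge: it receives flooded traffic from all VLANs and can inject 802.1Q-tagged frames into any of them. Unless the hackathon peer is meant to be trusted at that level, set `VLANFiltering = true;` in the `"50-br0"` netdev and give the `"50-gretap1"` network a `bridgeVLANs` entry that admits only the hackathon VLAN as PVID/untagged — the enp67s0f0np0 port and br0's own self-port then need matching `bridgeVLANs` for the VLANs they must keep carrying, which this hunk does not define, so I describe rather than quote it. `STP = false` on a bridge whose second port is a remote tunnel also leaves no loop protection if the peer bridges gretap on its side; if STP must stay off, consider port isolation for gretap1 (`[Bridge] Isolated=` in the port's network, where the networkd version supports it) or document why a loop is impossible. Separately, the gretap device is keyed only on `Local`/`Remote` and `checkReversePath = false` is kept, so an IP-protocol-47 packet with a spoofed 10.10.17.2 source arriving on a LAN VLAN may be decapsulated into br0 as well — a firewall rule dropping protocol 47 that does not arrive on wg0, and scoping 1194/udp to the uplink via the per-interface `networking.firewall.interfaces` form instead of the global `allowedUDPPorts`, would close that, though the exact tunnel-lookup behaviour cannot be confirmed from the hunk. The `networks`/`netdevs` attribute sets these hunks modify begin before the first hunk.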
|
||||||
|
|
|
@ -8,4 +8,5 @@
|
||||||
"radius-private_key_password_file"
|
"radius-private_key_password_file"
|
||||||
"eatonmon-password_file"
|
"eatonmon-password_file"
|
||||||
"radius-ap-radius-secret_file"
|
"radius-ap-radius-secret_file"
|
||||||
|
"wg-key"
|
||||||
]
|
]
|
||||||
|
|
BIN
machines/vault01/secrets/wg-key
Normal file
Binary file not shown.