feat(vault01/gretap): gretap for hackaton

catvayor 2024-12-05 14:46:38 +01:00
parent 09b5963449
commit a60b546277
Signed by untrusted user: lbailly
GPG key ID: CE3E645251AC63F3
3 changed files with 81 additions and 2 deletions


@ -3,6 +3,7 @@
lib,
meta,
name,
config,
...
}:
@ -169,6 +170,30 @@ in
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-gretap1" = {
name = "gretap1";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-br0" = {
name = "br0";
networkConfig = {
VLAN = builtins.attrNames vlans;
@ -179,9 +204,56 @@ in
IPv6SendRA = false;
};
};
"50-wg0" = {
name = "wg0";
address = [ "10.10.17.1/30" ];
networkConfig.Tunnel = "gretap1";
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
netdevs = {
"50-gretap1" = {
netdevConfig = {
Name = "gretap1";
Kind = "gretap";
};
tunnelConfig = {
Local = "10.10.17.1";
Remote = "10.10.17.2";
};
};
"50-br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
"10.10.17.0/30"
];
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
};
}
];
};
} // mapAttrs' mkNetdev vlans;
};
services = {
@ -248,10 +320,16 @@ in
};
};
firewall = {
allowedUDPPorts = [ 67 ];
allowedUDPPorts = [
67
1194
];
checkReversePath = false;
};
};
age.secrets."wg-key".owner = "systemd-network";
users.users."systemd-network".extraGroups = [ "keys" ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
}
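Review bot: `checkReversePath = false;` in the firewall hunk switches reverse-path filtering off for the whole host, which is broader than a single tunnel interface needs; if strict rp_filter is what drops the GRE-over-wg0 traffic, the option also accepts `checkReversePath = "loose";`, which keeps rejecting packets whose source has no route back on any interface. Combined with `boot.kernel.sysctl."net.ipv4.ip_forward" = true;`, the host now forwards between interfaces and, as far as these hunks show, nothing filters forwarded traffic, so a comment naming the flows the forwarding is meant to serve would help the next reader. The gretap1 port is attached to br0 with `VLANFiltering = false`, so the remote end of the tunnel appears to share the full L2 domain of br0 including the tagged VLANs it carries; it is worth stating in a comment that this scope is intended for the event rather than left as an unexplained default. The wireguardPeerConfig carries neither Endpoint nor PresharedKey, so the peer is admitted on UDP 1194 by public key alone, which is acceptable for a listener but should be a deliberate choice. The enclosing networking attribute set begins and the `services` block continues outside these hunks.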


@ -8,4 +8,5 @@
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
"wg-key"
]
