forked from DGNum/infrastructure
feat(vault01/gretap): gretap for hackaton
This commit is contained in:
parent
09b5963449
commit
a60b546277
3 changed files with 81 additions and 2 deletions
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
meta,
|
||||
name,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
|
||||
|
@ -169,6 +170,30 @@ in
|
|||
"10-enp67s0f0np0" = {
|
||||
name = "enp67s0f0np0";
|
||||
linkConfig.Promiscuous = true;
|
||||
networkConfig = {
|
||||
Bridge = "br0";
|
||||
|
||||
LinkLocalAddressing = false;
|
||||
LLDP = false;
|
||||
EmitLLDP = false;
|
||||
IPv6AcceptRA = false;
|
||||
IPv6SendRA = false;
|
||||
};
|
||||
};
|
||||
"50-gretap1" = {
|
||||
name = "gretap1";
|
||||
networkConfig = {
|
||||
Bridge = "br0";
|
||||
|
||||
LinkLocalAddressing = false;
|
||||
LLDP = false;
|
||||
EmitLLDP = false;
|
||||
IPv6AcceptRA = false;
|
||||
IPv6SendRA = false;
|
||||
};
|
||||
};
|
||||
"50-br0" = {
|
||||
name = "br0";
|
||||
networkConfig = {
|
||||
VLAN = builtins.attrNames vlans;
|
||||
|
||||
|
@ -179,9 +204,56 @@ in
|
|||
IPv6SendRA = false;
|
||||
};
|
||||
};
|
||||
"50-wg0" = {
|
||||
name = "wg0";
|
||||
address = [ "10.10.17.1/30" ];
|
||||
networkConfig.Tunnel = "gretap1";
|
||||
};
|
||||
} // (mapAttrs' mkNetwork vlans);
|
||||
|
||||
netdevs = mapAttrs' mkNetdev vlans;
|
||||
netdevs = {
|
||||
"50-gretap1" = {
|
||||
netdevConfig = {
|
||||
Name = "gretap1";
|
||||
Kind = "gretap";
|
||||
};
|
||||
tunnelConfig = {
|
||||
Local = "10.10.17.1";
|
||||
Remote = "10.10.17.2";
|
||||
};
|
||||
};
|
||||
"50-br0" = {
|
||||
netdevConfig = {
|
||||
Name = "br0";
|
||||
Kind = "bridge";
|
||||
};
|
||||
bridgeConfig = {
|
||||
VLANFiltering = false;
|
||||
STP = false;
|
||||
};
|
||||
};
|
||||
"50-wg0" = {
|
||||
netdevConfig = {
|
||||
Name = "wg0";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = 1194;
|
||||
PrivateKeyFile = config.age.secrets."wg-key".path;
|
||||
};
|
||||
|
||||
wireguardPeers = [
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
AllowedIPs = [
|
||||
"10.10.17.0/30"
|
||||
];
|
||||
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
} // mapAttrs' mkNetdev vlans;
|
||||
};
|
||||
|
||||
services = {
|
||||
|
@ -248,10 +320,16 @@ in
|
|||
};
|
||||
};
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 67 ];
|
||||
allowedUDPPorts = [
|
||||
67
|
||||
1194
|
||||
];
|
||||
checkReversePath = false;
|
||||
};
|
||||
};
|
||||
|
||||
age.secrets."wg-key".owner = "systemd-network";
|
||||
users.users."systemd-network".extraGroups = [ "keys" ];
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
||||
}
|
||||
|
|
|
@ -8,4 +8,5 @@
|
|||
"radius-private_key_password_file"
|
||||
"eatonmon-password_file"
|
||||
"radius-ap-radius-secret_file"
|
||||
"wg-key"
|
||||
]
|
||||
|
|
BIN
machines/vault01/secrets/wg-key
Normal file
BIN
machines/vault01/secrets/wg-key
Normal file
Binary file not shown.
Loading…
Reference in a new issue