From 209c0ea97e791bab1f708edcd9f800117c8fba66 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Tue, 26 Mar 2024 16:06:08 +0100
Subject: [PATCH] config routing

---
 hive.nix | 1 +
 machines/kat-r86s/configuration.nix | 22 ++++++++--
 machines/kat-r86s/router.nix | 67 ++++++-----------------------
 modules/ssh.nix | 7 ++-
 4 files changed, 35 insertions(+), 62 deletions(-)

diff --git a/hive.nix b/hive.nix
index 6a03f46..59e8140 100644
--- a/hive.nix
+++ b/hive.nix
@@ -23,6 +23,7 @@ in {
 };
 kat-r86s = { name, nodes, ... }: {
+ deployment.targetHost = "r86s.kat";
 imports = [
 ./machines/kat-r86s/configuration.nix
 users.root
diff --git a/machines/kat-r86s/configuration.nix b/machines/kat-r86s/configuration.nix
index 77e1530..0f26da6 100644
--- a/machines/kat-r86s/configuration.nix
+++ b/machines/kat-r86s/configuration.nix
@@ -6,7 +6,7 @@
 imports = [
 ./hardware-configuration.nix
-# ./router.nix
+ ./router.nix
 ];
 boot.loader.systemd-boot.enable = true;
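Review bot: `deployment.targetHost = "r86s.kat"` names an ssh_config alias rather than an address, so the deploy path is whatever modules/ssh.nix resolves it to — in this same commit that becomes a direct root login to 100.102.49.84 with the `sas.ens` jump host removed — and nothing on this line records that dependency. A short comment above it, `# ssh alias defined in modules/ssh.nix; deploys go straight to the 100.64.0.0/10 address, no jump host`, would make the trust path visible to anyone deploying from a machine that lacks that ssh config. The `kat-r86s` attribute set continues past the hunk.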
@@ -54,6 +54,22 @@
 # extraGroups = [ "wheel" ];
 packages = with pkgs; [ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+
+ # maurice
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+
+ #raito
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+
+ # tomate
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+ ];
 };
 environment.systemPackages = with pkgs; [
@@ -86,8 +102,8 @@
 virtualisation.libvirtd.enable = true;
 # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 22 53 80 443 22000 ];
+ networking.firewall.allowedUDPPorts = [ 67 ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/machines/kat-r86s/router.nix b/machines/kat-r86s/router.nix
index 09aedbe..9cd5752 100644
--- a/machines/kat-r86s/router.nix
+++ b/machines/kat-r86s/router.nix
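Review bot: The three keys under `#raito` and the three under `# tomate` carry no per-key comment, and two of raito's ed25519 entries have no trailing identifier either, so whoever later needs to revoke one cannot tell which device it belongs to; the `users.users.<name>` block these keys attach to also opens before the hunk, so the receiving account is not visible here. Label each entry with its owner and device, e.g. a `# raito — <device>` line above each key, and align the comment style (`# maurice` vs `#raito`). The `ssh-rsa` entry is a 2048-bit key (its blob carries the `AAAABAQ` modulus-length prefix), which is still acceptable but is the one to retire in favour of ed25519 the next time raito's keys are touched.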
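Review bot: `allowedTCPPorts = [ 22 53 80 443 22000 ]` and `allowedUDPPorts = [ 67 ]` open these ports on every interface, including the `enp1s0` uplink that router.nix in this commit makes the NAT external interface, so dnsmasq's DNS/DHCP and port 22000 become reachable from the outside; UDP 53 is also absent, so unless it is opened elsewhere ordinary DNS queries from LAN clients to dnsmasq are dropped. Keep only what must be public in the global list and scope the LAN services to the internal interface: `networking.firewall.allowedTCPPorts = [ 22 80 443 ];`, `networking.firewall.interfaces.enp2s0.allowedTCPPorts = [ 53 22000 ];`, `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 67 ];`. Whether 80/443 and 22000 are meant to be exposed on the uplink is not stated anywhere in the hunk; a comment naming the service behind each port would settle that for the next reader.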
@@ -1,66 +1,23 @@
 {config, lib, pkgs, ...}: {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "enp2s0" ];
+ externalInterface = "enp1s0";
 };
- networking = {
- interfaces = {
- # wan wifi
- wlo1.useDHCP = true;
-
- # cri
- enp1s0.useDHCP = true;
-
- # HPE
- enp2s0 = {
- useDHCP = false;
- ipv4.addresses = [{
- address = "129.199.156.112";
- prefixLength = 32;
- }];
- mtu = 9000;
- };
-
- # thurne
- enp3s0 = {
- useDHCP = false;
- ipv4.addresses = [{
- address = "192.168.42.1";
- prefixLength = 24;
- }];
- mtu = 9000;
- };
- };
-
- nat = {
- enable = true;
- extraCommands = ''
- iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
- iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
- '';
- };
- firewall = {
- enable = true;
- extraCommands = ''
- iptables -A FORWARD -i enp3s0 -o wlo1 -j ACCEPT
- iptables -A FORWARD -i wlo1 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- iptables -A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
- iptables -A FORWARD -i enp1s0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- iptables -A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
- iptables -A FORWARD -i enp1s0 -o enp2s0 -j ACCEPT
- '';
- };
+ networking.interfaces.enp2s0 = {
+ useDHCP = false;
+ ipv4.addresses = [{ address = "192.168.42.1"; prefixLength = 24; }];
 };
+
 services.dnsmasq = {
 enable = true;
 settings = {
- interface = [ "enp2s0" "enp3s0" ];
+ interface = [ "enp2s0" ];
 bind-dynamic = true;
 dhcp-option = "3,0.0.0.0";
- dhcp-range = "192.168.42.2,192.168.42.254,255.255.255.0,12h";
- # dhcp-host = "a8:b1:3b:75:6f:92,129.199.224.96";
+ dhcp-range = "192.168.42.100,192.168.42.254,255.255.255.0,12h";
 };
 };
 }
diff --git a/modules/ssh.nix b/modules/ssh.nix
index 3adc925..971c225 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
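Review bot: The interface roles change without a comment saying so — in the removed block enp2s0 carried the public 129.199.156.112/32 and the 192.168.42.0/24 LAN sat on enp3s0, whereas the new `networking.interfaces.enp2s0` and `internalInterfaces = [ "enp2s0" ]` put the LAN on enp2s0 with enp1s0 as the uplink. A one-line comment on each, `# enp1s0: uplink (NAT external interface)` and `# enp2s0: LAN 192.168.42.0/24, DHCP/DNS served by dnsmasq below`, would stop a reader from trusting the old cabling notes. The removed `# dhcp-host` line was the only address reservation in the file; with the pool now starting at .100, the 192.168.42.6 that modules/ssh.nix assigns to jourdan01 in this commit sits outside the pool but is not pinned to a MAC, so if jourdan01 obtains its address by DHCP it needs a `dhcp-host` entry here. The explicit `net.ipv4.ip_forward` sysctl is likely redundant, since NixOS's `networking.nat` enables IPv4 forwarding itself, though it is harmless.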
@@ -15,8 +15,7 @@
 };
 "r86s.kat" = {
 user = "root";
- hostname = "129.199.156.112";
- proxyJump = "sas.ens";
+ hostname = "100.102.49.84";
 };
 "test.kat" = {
 user = "root";
@@ -45,12 +44,12 @@
 "jourdan01.dgn" = {
 user = "root";
- hostname = "192.168.42.17";
+ hostname = "192.168.42.6";
 proxyJump = "r86s.kat";
 };
 "jourdan01.netconf.dgn" = {
 user = "dgnum";
- hostname = "192.168.42.17";
+ hostname = "192.168.42.6";
 proxyJump = "r86s.kat";
 port = 830;
 extraOptions.sessionType = "subsystem";
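Review bot: `hostname = "100.102.49.84"` lies in the 100.64.0.0/10 shared-address range, which together with dropping `proxyJump = "sas.ens"` suggests r86s is now reached over an overlay network rather than the public address, but nothing in the entry records that, so a reader cannot tell whether direct root SSH to this host is expected to work only inside the overlay or from anywhere. Add a comment above the line such as `# overlay-network address; replaces the public 129.199.156.112 reached via sas.ens — confirm the overlay is the only path`. Note that hive.nix in this commit sets `deployment.targetHost = "r86s.kat"`, so deploys follow exactly this entry and lose the jump host as well.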