config routing

catvayor 2024-03-26 16:06:08 +01:00
parent 936ea1c3db
commit 209c0ea97e
4 changed files with 35 additions and 62 deletions


@ -23,6 +23,7 @@ in {
};
kat-r86s = { name, nodes, ... }: {
deployment.targetHost = "r86s.kat";
imports = [
./machines/kat-r86s/configuration.nix
users.root


@ -6,7 +6,7 @@
imports =
[
./hardware-configuration.nix
# ./router.nix
./router.nix
];
boot.loader.systemd-boot.enable = true;
@ -54,6 +54,22 @@
# extraGroups = [ "wheel" ];
packages = with pkgs; [
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
# maurice
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
#raito
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
# tomate
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
environment.systemPackages = with pkgs; [
@ -86,8 +102,8 @@
virtualisation.libvirtd.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
networking.firewall.allowedTCPPorts = [ 22 53 80 443 22000 ];
networking.firewall.allowedUDPPorts = [ 67 ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
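Review bot: The firewall hunk opens TCP 53 but not UDP 53, yet the dnsmasq settings in the router module imported by the first hunk (apparently the third file of this commit) answer DNS mainly over UDP, so LAN clients' lookups would be dropped by the INPUT chain; and `allowedTCPPorts`/`allowedUDPPorts` apply to every interface, including the NAT external interface enp1s0, so 53/67 (and 22000, if it is LAN-only) are reachable from upstream as well. Scoping the LAN services to the internal interface keeps them off the upstream link: `networking.firewall.interfaces.enp2s0.allowedTCPPorts = [ 53 ];` and `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 67 ];`, with the global lists reduced to what must be reachable from outside (22 80 443). In the root `openssh.authorizedKeys.keys` hunk it is unclear whether `#raito` and `# tomate` label one key or the group that follows, since the two keys after each carry no owner; labelling every key, as the first two are, makes a later revocation tractable. The enclosing configuration attrset starts and ends outside these hunks.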


@ -1,66 +1,23 @@
{config, lib, pkgs, ...}: {
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking = {
interfaces = {
# wan wifi
wlo1.useDHCP = true;
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
# cri
enp1s0.useDHCP = true;
# HPE
enp2s0 = {
useDHCP = false;
ipv4.addresses = [{
address = "129.199.156.112";
prefixLength = 32;
}];
mtu = 9000;
};
# thurne
enp3s0 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.42.1";
prefixLength = 24;
}];
mtu = 9000;
};
};
nat = {
networking.nat = {
enable = true;
extraCommands = ''
iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
'';
internalInterfaces = [ "enp2s0" ];
externalInterface = "enp1s0";
};
networking.interfaces.enp2s0 = {
useDHCP = false;
ipv4.addresses = [{ address = "192.168.42.1"; prefixLength = 24; }];
};
firewall = {
enable = true;
extraCommands = ''
iptables -A FORWARD -i enp3s0 -o wlo1 -j ACCEPT
iptables -A FORWARD -i wlo1 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp2s0 -j ACCEPT
'';
};
};
services.dnsmasq = {
enable = true;
settings = {
interface = [ "enp2s0" "enp3s0" ];
interface = [ "enp2s0" ];
bind-dynamic = true;
dhcp-option = "3,0.0.0.0";
dhcp-range = "192.168.42.2,192.168.42.254,255.255.255.0,12h";
# dhcp-host = "a8:b1:3b:75:6f:92,129.199.224.96";
dhcp-range = "192.168.42.100,192.168.42.254,255.255.255.0,12h";
};
};
}
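Review bot: On the new side forwarding is turned on (`boot.kernel.sysctl."net.ipv4.ip_forward" = true;` plus `networking.nat`) while every FORWARD rule from the old `firewall.extraCommands` is gone, so as far as this file shows nothing states which directions between enp1s0 and 192.168.42.0/24 are expected; if the intent is LAN-initiated traffic plus replies only, re-adding the accept rules in `networking.firewall.extraCommands` with a reject for new enp1s0→enp2s0 flows, or enabling `networking.firewall.filterForward` (nftables backend), would encode that, and if the upstream side is considered trusted a comment saying so would be enough. The sysctl line is probably redundant — to my recollection the NAT module already sets `net.ipv4.conf.all.forwarding` when `networking.nat.enable` is true — and the old file's IPv6 forwarding is dropped, so a one-line comment saying whether IPv6 routing is intentionally off would help. The interface labels from the old side (`# cri`, `# HPE`, `# thurne`) did not survive; a comment such as `# enp1s0: upstream (cri), enp2s0: LAN 192.168.42.0/24` next to `networking.nat` would keep that knowledge with the config. The dhcp-range now starting at .100 leaves .2–.99 for static hosts, which matches the 192.168.42.6 address used in the ssh config hunk; worth noting that convention in a comment as well.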


@ -15,8 +15,7 @@
};
"r86s.kat" = {
user = "root";
hostname = "129.199.156.112";
proxyJump = "sas.ens";
hostname = "100.102.49.84";
};
"test.kat" = {
user = "root";
@ -45,12 +44,12 @@
"jourdan01.dgn" = {
user = "root";
hostname = "192.168.42.17";
hostname = "192.168.42.6";
proxyJump = "r86s.kat";
};
"jourdan01.netconf.dgn" = {
user = "dgnum";
hostname = "192.168.42.17";
hostname = "192.168.42.6";
proxyJump = "r86s.kat";
port = 830;
extraOptions.sessionType = "subsystem";