gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/config/profiles/network.nix

133 lines
4.2 KiB
Nix
Raw Blame History

{ config, lib, tf, pkgs, meta, ... }: with lib;
{
options.network = with lib; {
routeDefault = mkOption {
default = true;
type = types.bool;
};
};
config = {
network.yggdrasil.extern = let
in {
pubkeys = {
satorin =
"cbadeaa973b051cf66e23dcb014ab5be59e55a1c98ef541345520868e3bcf9f7";
shanghai =
"5aba9ba2ac7a54ffef19dea9e39881bd977f76032db81a2c82c4674ed475c95b";
grimoire =
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
okami =
"f8fd12c6ed924048e93a7bd7dd63c2464813c9edddfef7415c4574518ecd4757";
amaterasu =
"ab9a4a78df124a8413c3a6576332d7739a44c036e14b7b0b4ea4558373ddda97";
duck-powerduck =
"9475274dcd43f0f3f397d56168efd436b0db58e58f4c068f75ab93ba3f51e405";
duck-nagoya =
"0000001a24b38f4341e356e7efc98dd31e259669242e0a82ba86971317b94954";
};
};
kw.secrets.variables.tailscale-authkey = {
path = "secrets/tailscale";
field = "password";
};
deploy.tf.variables.tailscale-authkey.export = true;
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
# allow the Tailscale UDP port through the firewall
allowedTCPPorts = [ 5200 ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey ${tf.variables.tailscale-authkey.get}
'';
};
};
}
# networking.firewall.extraCommands = ''
# ip6tables -A INPUT -p 89 -i wgmesh-+ -j ACCEPT
# ${if config.networking.hostName != "marisa" then "ip route replace to 10.42.68.0/24 via ${meta.network.nodes.marisa.network.addresses.wireguard.nixos.ipv4.address}" else ""}
# '';
# networking.nftables.extraInput = ''
# meta l4proto 89 iifname wgmesh-* accept
# '';
#
# network.firewall.private.interfaces = singleton "wgmesh-*";
#
# networking.policyrouting = {
# enable = true;
# rules = [
# { rule = "lookup main suppress_prefixlength 0"; prio = 7000; }
# { rule = "lookup 89 suppress_prefixlength 0"; prio = 8000; }
# { rule = "from all fwmark 51820 lookup main"; prio = 9000; }
# ] ++ (lib.optional config.network.routeDefault { rule = "not from all fwmark 51820 lookup 89"; prio = 9000; });
# };
#
# network.wireguard = {
# enable = true;
# tf.enable = true;
# fwmark = 51820;
# };
#
# network.bird =
# let
# mkKernel = version: ''
# ipv${toString version} {
# import all;
# export filter {
# if source = RTS_STATIC then reject;
# accept;
# };
# };
# kernel table 89;
# scan time 15;
# '';
# mkIgp = version: {
# version = 3;
# extra = "ipv${toString version} { import all; export all; };";
# areas."0".interfaces."wgmesh-*".cost = 100;
# };
# in
# {
# routerId = "${config.network.wireguard.prefixV4}.${toString config.network.wireguard.magicNumber}";
# kernel4Config = mkKernel 4;
# kernel6Config = mkKernel 6;
# ospf = {
# enable = true;
# protocols.igp4 = mkIgp 4;
# protocols.igp6 = mkIgp 6;
# };
# };
Reference in a new issue View git blame Copy permalink