commit 430c89f728e24d46ca015fdf09e9498594a36499
parent 9ab787d28e39670c30fc63628c5f804897b2818d
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Wed, 15 Oct 2025 11:28:16 +0200
parent 9ab787d28e39670c30fc63628c5f804897b2818d
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Wed, 15 Oct 2025 11:28:16 +0200
hosts/pratorum:fix wg-tunnel to `novus`
5 files changed, 133 insertions(+), 35 deletions(-)
M
|
70
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
M
|
71
++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------------
diff --git a/config/nixos/modules/presets/zaphyra/router/systemd-networkd.nix b/config/nixos/modules/presets/zaphyra/router/systemd-networkd.nix
@@ -65,7 +65,7 @@ in wireguardPeers = [ { - Endpoint = "novus.infra.zaphyra.eu:51820"; + Endpoint = "[2a03:4000:4d:5e::1]:51820"; PublicKey = "J+kRRNU65JGc0yk04v6P3tFwHSQOIfq8EkfD2gFupg4="; AllowedIPs = [ "::/0" ]; PersistentKeepalive = 10;
@@ -73,6 +73,28 @@ in ]; }; + netdevs."10-wg-dn42" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-dn42"; + }; + + wireguardConfig = { + PrivateKeyFile = config.sops.secrets.wireguardPrivKey.path; + ListenPort = 1718; + FirewallMark = 1718; + }; + + wireguardPeers = [ + { + Endpoint = "[2a03:4000:4d:5e::1]:1718"; + PublicKey = "MRXPP//j+BDCiUyrYHdXtdULAsCZyfgumas8pxp6oiE="; + AllowedIPs = [ "::/0" ]; + PersistentKeepalive = 10; + } + ]; + }; + networks = { "5-dtagdsl" = { matchConfig.Name = "dtagdsl";
@@ -137,6 +159,30 @@ in ]; }; + "10-wg-dn42" = { + matchConfig.Name = "wg-dn42"; + linkConfig.RequiredForOnline = false; + + address = [ "fd6b:6174:6a61::5/128" ]; + routes = [ + { + Destination = "fd00::/8"; + } + ]; + + networkConfig = { + DNSDefaultRoute = false; + DNS = [ + "fd6b:6174:6a61::1" + ]; + Domains = [ + "~dn42" + "d.f.ip6.arpa" + ]; + }; + + }; + "20-brlan" = { matchConfig = { Name = "brlan";
@@ -150,6 +196,7 @@ in address = [ "${hostConfig.networking.ip4Address}/${toString hostConfig.networking.ip4PrefixLength}" "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}" + # "fd6b:6174:6a61:100::1/56" ]; routingPolicyRules = [
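Review bot: The novus peer in the first hunk now carries the bare literal `Endpoint = "[2a03:4000:4d:5e::1]:51820";` with no comment, while the same peer in hosts/pratorum/default.nix still uses `novus.infra.zaphyra.eu:51820`, so the two files will drift. Presumably the literal is there because, with `AllowedIPs = [ "::/0" ]`, resolving the hostname would itself depend on the tunnel it is supposed to bring up; if so, record that next to it, e.g. `# literal address on purpose: name resolution must not depend on this tunnel`. The same literal is repeated for the `wg-dn42` peer in the next hunk, which argues for a single shared definition rather than three copies.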
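Review bot: In the new `"10-wg-dn42"` network block, `Domains = [ "~dn42" "d.f.ip6.arpa" ];` mixes a routing-only domain with a plain one: without the `~` prefix, `d.f.ip6.arpa` is also installed as a search domain, so single-label lookups get `.d.f.ip6.arpa` appended before the fd6b:6174:6a61::1 resolver is asked. For reverse lookups of the fd00::/8 space a routing domain is all that is wanted; `"~d.f.ip6.arpa"` keeps that without the search-list side effect. `DNSDefaultRoute = false` together with the two `~` entries means only those suffixes are sent to the dn42 resolver, which looks intended but deserves a one-line comment above `networkConfig`.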
@@ -186,16 +233,25 @@ in }; ipv6SendRAConfig = { + OtherInformation = true; + Managed = true; RouterLifetimeSec = 1800; EmitDNS = true; - DNS = "_link_local"; + DNS = "${hostConfig.networking.ip6Address}"; }; - ipv6PREF64Prefixes = [ - { - Prefix = "64:ff9b::/96"; - } - ]; + # ipv6PREF64Prefixes = [ + # { + # Prefix = "64:ff9b::/96"; + # } + # ]; + + # ipv6Prefixes = [ + # { + # Prefix = "fd6b:6174:6a61:100::/56"; + # PreferredLifetimeSec = 1800; + # } + # ]; dhcpServerConfig = { PersistLeases = true;
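Review bot: `Managed = true;` and `OtherInformation = true;` in ipv6SendRAConfig tell clients that addresses and other configuration are available via DHCPv6, yet the only server block visible in this hunk is the DHCPv4 `dhcpServerConfig`; the enclosing `"20-brlan"` block continues outside the hunk, so if no DHCPv6 server is configured there, clients will keep soliciting one that never answers. At the same time the RDNSS entry moves from `_link_local` to the host's global `${hostConfig.networking.ip6Address}`, which clients can only use once they have a route to it, whereas a link-local resolver works without any prefix, and `ipv6Prefixes` is left commented out so no on-link prefix is advertised here. Two commented-out option blocks (`ipv6PREF64Prefixes`, `ipv6Prefixes`) are added with nothing saying why they are disabled; a one-line reason above each, or removing them, keeps the module readable. Minor: `DNS = "${hostConfig.networking.ip6Address}";` can simply be `DNS = hostConfig.networking.ip6Address;`.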
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix
@@ -136,7 +136,12 @@ wireguardPeers = [ { PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; - AllowedIPs = [ "::/0" ]; + AllowedIPs = [ "2a03:4000:4d:5e:acab::2/128" ]; + PersistentKeepalive = 10; + } + { + PublicKey = "CdnaBQL7c7zX0ORKhYyXp3HZ1kjqoEIGW03/mCCwAgI="; + AllowedIPs = [ "2a03:4000:4d:5e:acab::3/128" ]; PersistentKeepalive = 10; } ];
@@ -144,10 +149,8 @@ networks."20-wg0" = { name = "wg0"; - routes = [ - { - Destination = "2a03:4000:4d:5e:acab::/112"; - } + address = [ + "2a03:4000:4d:5e:acab::1/112" ]; linkConfig.RequiredForOnline = false; };
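Review bot: The new peer `PublicKey = "CdnaBQL7c7zX0ORKhYyXp3HZ1kjqoEIGW03/mCCwAgI=";` has no comment saying which host it belongs to, unlike the `#zaphyraHomeServerGrog` label on the same key in hosts/novus/dn42.nix; from `ip6Address = "2a03:4000:4d:5e:acab::3"` in hosts/pratorum/default.nix it is presumably pratorum, so a `# pratorum` line above the key saves the next reader the cross-reference, and the two labels should agree if they name the same machine. That same public key is added to both the wg0 transit tunnel here and the dn42 peering in hosts/novus/dn42.nix, and pratorum's wg0 reads `config.sops.secrets."dn42/wgPrivateKey".path` (hosts/pratorum/default.nix), so one key pair serves two tunnels with different trust roles; exposure of the key in either context affects the other, and a dedicated wg0 secret would keep them separable. Narrowing the first peer from `::/0` to `acab::2/128` is what makes a second peer possible at all, which is worth stating in the commit message or a comment on `wireguardPeers`.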
diff --git a/hosts/novus/dn42.nix b/hosts/novus/dn42.nix
@@ -209,6 +209,14 @@ ]; PersistentKeepalive = 10; } + { + #zaphyraHomeServerGrog + PublicKey = "CdnaBQL7c7zX0ORKhYyXp3HZ1kjqoEIGW03/mCCwAgI="; + AllowedIPs = [ + "fd6b:6174:6a61::10/128" + ]; + PersistentKeepalive = 10; + } ]; };
diff --git a/hosts/pratorum/default.nix b/hosts/pratorum/default.nix
@@ -18,7 +18,7 @@ ip4PrefixLength = 24; defaultGateway4 = "192.168.2.1"; - ip6IsPrivate = true; + ip6IsPrivate = false; ip6Address = "2a03:4000:4d:5e:acab::3"; ip6PrefixLength = 112;
@@ -68,42 +68,43 @@ }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = true; systemd.network = { - netdevs."10-wg-novus" = { + config.networkConfig = { + IPv6Forwarding = true; + }; + + netdevs."5-netcup" = { + netdevConfig = { + Kind = "dummy"; + Name = "netcup"; + }; + }; + + netdevs."20-wg0" = { netdevConfig = { Kind = "wireguard"; - Name = "wg-novus"; + Name = "wg0"; }; wireguardConfig = { PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path; ListenPort = 51820; - FirewallMark = 51820; }; wireguardPeers = [ { Endpoint = "novus.infra.zaphyra.eu:51820"; PublicKey = "J+kRRNU65JGc0yk04v6P3tFwHSQOIfq8EkfD2gFupg4="; - AllowedIPs = [ "2a03:4000:4d:5e:acab::3/112" ]; + AllowedIPs = [ + "::/0" + ]; PersistentKeepalive = 10; } ]; }; - networks."10-wg-novus" = { - matchConfig.Name = "wg-novus"; - - linkConfig = { - RequiredForOnline = false; - }; - address = [ - "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}" - ]; - }; - networks."5-enp3s0f0" = { enable = true; name = "enp3s0f0";
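Review bot: In the second hunk the `"20-wg0"` peer is widened to `AllowedIPs = [ "::/0" ]` while `FirewallMark = 51820;` is dropped, so nothing in the netdev itself keeps the encapsulated UDP towards `novus.infra.zaphyra.eu:51820` out of the tunnel; that apparently relies on the `::/0` route living only in table 1234 and being selected by the `From = "2a03:4000:4d:5e:acab::/112"` rule in the following hunk. That interplay spans two blocks and should be written down on the peer, e.g. `# ::/0 is cryptokey routing only; the real default route via wg0 sits in table 1234 (see networks."10-netcup")`. Together with the new `config.networkConfig.IPv6Forwarding = true;` and `ip6IsPrivate = false;` in the first hunk, this host now forwards IPv6 for everything it accepts on wg0, which is fine if intended but deserves a line in the commit message. `hardware.cpu.amd.updateMicrocode = true;` is unrelated to the tunnel fix and also drops the `lib.mkDefault`, so another module can no longer override it without `mkForce`; a separate commit would keep it reviewable.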
@@ -118,8 +119,44 @@ address = [ "${hostConfig.networking.ip4Address}/${toString hostConfig.networking.ip4PrefixLength}" ]; + routingPolicyRules = [ ]; networkConfig.IPv6AcceptRA = true; }; + networks."10-netcup" = { + enable = true; + name = "netcup"; + address = [ + "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}" + ]; + routingPolicyRules = [ + # { + # From = "2a03:4000:4d:5e:acab::/112"; + # Table = 254; + # Priority = 1900; + # SuppressPrefixLength = 0; + # } + { + From = "2a03:4000:4d:5e:acab::/112"; + Table = 1234; + Priority = 2000; + } + ]; + }; + networks."20-wg0" = { + matchConfig.Name = "wg0"; + linkConfig.RequiredForOnline = false; + + routes = [ + { + Destination = "::/0"; + Table = "1234"; + } + ]; + }; + }; + + networking.firewall = { + checkReversePath = "loose"; }; modules = {
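Review bot: The two table references in this hunk disagree in type: the policy rule in `"10-netcup"` uses `Table = 1234;` while the route in `"20-wg0"` uses `Table = "1234";` (hosts/pratorum/dn42.nix removes the same quoted form); both evaluate to the same table, but one spelling, `Table = 1234;`, makes the pairing obvious. `routingPolicyRules = [ ];` on `"5-enp3s0f0"` is a no-op and, with the commented-out `SuppressPrefixLength` rule kept above the live one, reads as leftover experimentation; either drop them or say in a comment why they are retained. `networking.firewall.checkReversePath = "loose";` relaxes reverse-path filtering for every interface, not just wg0; if the reason is that replies for the `acab::/112` source are policy-routed via table 1234 while the main table points elsewhere, record that next to the option, e.g. `# loose: acab::/112 traffic is policy-routed via wg0 (table 1234)`, and otherwise note what strict mode actually broke.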
diff --git a/hosts/pratorum/dn42.nix b/hosts/pratorum/dn42.nix
@@ -34,12 +34,6 @@ networks."20-dn42" = { matchConfig.Name = "dn42"; linkConfig.RequiredForOnline = false; - routes = [ - { - Destination = "::/0"; - Table = "1234"; - } - ]; address = [ "fd6b:6174:6a61::10/128" ];