commit 49cd84dec385213f0b6e51898347b2debd8705e4
parent 9ab787d28e39670c30fc63628c5f804897b2818d
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Wed, 15 Oct 2025 11:28:16 +0200
parent 9ab787d28e39670c30fc63628c5f804897b2818d
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Wed, 15 Oct 2025 11:28:16 +0200
hosts/pratorum: fix wg-tunnel to `novus`
3 files changed, 63 insertions(+), 29 deletions(-)
M
|
71
++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------------
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix
@@ -134,9 +134,14 @@
 };
 wireguardPeers = [
+ # {
+ # PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
+ # AllowedIPs = [ "2a03:4000:4d:5e:acab::2/128" ];
+ # PersistentKeepalive = 10;
+ # }
 {
- PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
- AllowedIPs = [ "::/0" ];
+ PublicKey = "CdnaBQL7c7zX0ORKhYyXp3HZ1kjqoEIGW03/mCCwAgI=";
+ AllowedIPs = [ "2a03:4000:4d:5e:acab::3/128" ];
 PersistentKeepalive = 10;
 }
 ];
@@ -144,10 +149,8 @@
 networks."20-wg0" = {
 name = "wg0";
- routes = [
- {
- Destination = "2a03:4000:4d:5e:acab::/112";
- }
+ address = [
+ "2a03:4000:4d:5e:acab::1/112"
 ];
 linkConfig.RequiredForOnline = false;
 };
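Review bot: The old `::2` peer in the first hunk is left as a commented-out block next to the live peer, so the file now carries dead configuration; drop it, or if that host is meant to return, reduce it to a one-line comment such as `# peer ...::2 disabled until <reason>`. In the second hunk the whole `/112` is now assigned directly to `wg0` while only `2a03:4000:4d:5e:acab::3/128` remains in any peer's `AllowedIPs`, so packets to any other address in the `/112` (including `::2`) take the on-link route and are dropped by the cryptokey table with no peer to carry them; if pratorum is currently the only peer that is the intended effect, but a short comment on the `address` entry stating so would save the next reader the check. Both hunks are cut from the surrounding `systemd.network` definition.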
diff --git a/hosts/pratorum/default.nix b/hosts/pratorum/default.nix
@@ -18,7 +18,7 @@
 ip4PrefixLength = 24;
 defaultGateway4 = "192.168.2.1";
- ip6IsPrivate = true;
+ ip6IsPrivate = false;
 ip6Address = "2a03:4000:4d:5e:acab::3";
 ip6PrefixLength = 112;
@@ -68,42 +68,43 @@
 };
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.amd.updateMicrocode = true;
 systemd.network = {
- netdevs."10-wg-novus" = {
+ config.networkConfig = {
+ IPv6Forwarding = true;
+ };
+
+ netdevs."5-netcup" = {
+ netdevConfig = {
+ Kind = "dummy";
+ Name = "netcup";
+ };
+ };
+
+ netdevs."20-wg0" = {
 netdevConfig = {
 Kind = "wireguard";
- Name = "wg-novus";
+ Name = "wg0";
 };
 wireguardConfig = {
 PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
 ListenPort = 51820;
- FirewallMark = 51820;
 };
 wireguardPeers = [
 {
 Endpoint = "novus.infra.zaphyra.eu:51820";
 PublicKey = "J+kRRNU65JGc0yk04v6P3tFwHSQOIfq8EkfD2gFupg4=";
- AllowedIPs = [ "2a03:4000:4d:5e:acab::3/112" ];
+ AllowedIPs = [
+ "::/0"
+ ];
 PersistentKeepalive = 10;
 }
 ];
 };
- networks."10-wg-novus" = {
- matchConfig.Name = "wg-novus";
-
- linkConfig = {
- RequiredForOnline = false;
- };
- address = [
- "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}"
- ];
- };
-
 networks."5-enp3s0f0" = {
 enable = true;
 name = "enp3s0f0";
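Review bot: `ip6IsPrivate = false` changes how the host's `2a03:4000:4d:5e:acab::3` address is treated by whatever reads that flag elsewhere in the configuration, and neither the hunk nor the commit message says why the flip is part of the tunnel fix; the consumers of the flag are outside this diff, so please confirm that nothing starts exposing a service on that address merely because it is now labelled public, and record the intent next to it, e.g. `# public: reachable through novus over wg0, not only on the LAN`. The enclosing attribute set starts and ends outside the hunk.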
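Review bot: `IPv6Forwarding = true` together with `AllowedIPs = [ "::/0" ]` for the novus peer makes every IPv6 packet novus injects into `wg0` eligible for forwarding out `enp3s0f0` into the LAN, and the hunk adds no forward filtering to match; unless the firewall's forward policy already restricts this (not visible here), limit forwarding to `2a03:4000:4d:5e:acab::/112` or state in a comment why novus is trusted to that extent. `hardware.cpu.amd.updateMicrocode = true` drops the `lib.mkDefault` and the `enableRedistributableFirmware` gating and is unrelated to the tunnel fix named in the title, so it would be easier to audit as its own commit. Removing `FirewallMark = 51820` is only safe while the tunnel's own UDP traffic to `novus.infra.zaphyra.eu:51820` is never sourced from the `/112`, since the policy rule this commit adds further down the file would otherwise send the handshake back into `wg0`; a comment on `ListenPort` recording that assumption would help. The `systemd.network` block continues past the hunk.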
@@ -118,8 +119,44 @@
 address = [
 "${hostConfig.networking.ip4Address}/${toString hostConfig.networking.ip4PrefixLength}"
 ];
+ routingPolicyRules = [ ];
 networkConfig.IPv6AcceptRA = true;
 };
+ networks."10-netcup" = {
+ enable = true;
+ name = "netcup";
+ address = [
+ "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}"
+ ];
+ routingPolicyRules = [
+ # {
+ # From = "2a03:4000:4d:5e:acab::/112";
+ # Table = 254;
+ # Priority = 1900;
+ # SuppressPrefixLength = 0;
+ # }
+ {
+ From = "2a03:4000:4d:5e:acab::/112";
+ Table = 1234;
+ Priority = 2000;
+ }
+ ];
+ };
+ networks."20-wg0" = {
+ matchConfig.Name = "wg0";
+ linkConfig.RequiredForOnline = false;
+
+ routes = [
+ {
+ Destination = "::/0";
+ Table = "1234";
+ }
+ ];
+ };
+ };
+
+ networking.firewall = {
+ checkReversePath = "loose";
 };
 modules = {
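Review bot: `checkReversePath = "loose"` relaxes reverse-path validation for every interface, not only `wg0`, and the hunk gives no reason; the asymmetric path this commit creates (traffic from the `/112` leaves via table `1234` over `wg0` while the main default route stays on `enp3s0f0`) is presumably why, so record it: `# loose: /112 sources are policy-routed via wg0 (table 1234), main route is enp3s0f0`. `Table` is written as the integer `1234` in `routingPolicyRules` but as the string `"1234"` in the `wg0` `routes` entry; pick one form for the file. The commented-out `Table = 254` rule block is dead configuration and should be removed or reduced to a one-line comment naming the fallback it was meant to provide, and the empty `routingPolicyRules = [ ];` added to `5-enp3s0f0` sets nothing and looks like a leftover. The `systemd.network` block starts outside the hunk.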
diff --git a/hosts/pratorum/dn42.nix b/hosts/pratorum/dn42.nix
@@ -34,12 +34,6 @@
 networks."20-dn42" = {
 matchConfig.Name = "dn42";
 linkConfig.RequiredForOnline = false;
- routes = [
- {
- Destination = "::/0";
- Table = "1234";
- }
- ];
 address = [
 "fd6b:6174:6a61::10/128"
 ];