nixbld: connect to USA VPN

2024-10-08 16:09:56 +08:00 · 2024-10-08 16:09:56 +08:00 · 2bf7bb0638
parent 3419fe6013
commit 2bf7bb0638
1 changed files with 54 additions and 0 deletions
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@ -6,6 +6,7 @@ let
  netifLan = "enp5s0f1";
  netifWifi = "wlp6s0";
  netifSit = "henet0";
+  netifUSA = "trump0";
  netifAlt = "alt0";
  netifAltVlan = "vlan0";
  hydraWwwOutputs = "/var/www/hydra-outputs";
@ -205,6 +206,13 @@ in
      addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
      routes = [{ address = "::"; prefixLength = 0; }];
    };
+    greTunnels."${netifUSA}" = {
+      dev = netifWan;
+      remote = "5.78.86.156";
+      local = "94.190.212.123";
+      ttl = 255;
+      type = "tun";
+    };
    greTunnels."${netifAlt}" = {
      dev = netifWan;
      remote = "103.206.98.1";
@ -212,6 +220,22 @@ in
      ttl = 255;
      type = "tun";
    };
+    interfaces."${netifUSA}" = {
+      ipv4.addresses = [
+        {
+          address = "10.47.3.1";
+          prefixLength = 31;
+        }
+      ];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "10.47.3.0";
+          options.table = "3";
+        }
+      ];
+    };
    interfaces."${netifAlt}" = {
      ipv4.addresses = [
        {
@ -275,6 +299,27 @@ in
      start_action = "start";
    };
  };
+  services.strongswan-swanctl.swanctl.connections.usa = {
+    local_addrs = [ "94.190.212.123" ];
+    remote_addrs = [ "5.78.86.156" ];
+    local.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs.hk";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+    };
+    remote.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs-intl.com";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+    };
+    children."${netifUSA}" = {
+      mode = "transport";
+      ah_proposals = [ "sha256-curve25519" ];
+      remote_ts = [ "5.78.86.156[gre]" ];
+      local_ts = [ "94.190.212.123[gre]" ];
+      start_action = "start";
+    };
+  };
  # prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
  systemd.services.strongswan-swanctl = {
    after = [ "network-addresses-${netifAlt}.service" ];
@ -290,6 +335,15 @@ in
      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
    };
  };
+  systemd.services.network-custom-route-usa = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+    };
+  };
  systemd.services.network-custom-route-alt = {
    wantedBy = [ "network.target" ];
    serviceConfig = {