diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index df78d1e6..7116c02d 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -6,6 +6,7 @@ let
 netifLan = "enp5s0f1";
 netifWifi = "wlp6s0";
 netifSit = "henet0";
+ netifUSA = "trump0";
 netifAlt = "alt0";
 netifAltVlan = "vlan0";
 hydraWwwOutputs = "/var/www/hydra-outputs";
@@ -205,6 +206,13 @@ in
 addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
 routes = [{ address = "::"; prefixLength = 0; }];
 };
+ greTunnels."${netifUSA}" = {
+ dev = netifWan;
+ remote = "5.78.86.156";
+ local = "94.190.212.123";
+ ttl = 255;
+ type = "tun";
+ };
 greTunnels."${netifAlt}" = {
 dev = netifWan;
 remote = "103.206.98.1";
@@ -212,6 +220,22 @@ in
 ttl = 255;
 type = "tun";
 };
+ interfaces."${netifUSA}" = {
+ ipv4.addresses = [
+ {
+ address = "10.47.3.1";
+ prefixLength = 31;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "0.0.0.0";
+ prefixLength = 0;
+ via = "10.47.3.0";
+ options.table = "3";
+ }
+ ];
+ };
 interfaces."${netifAlt}" = {
 ipv4.addresses = [
 {
@@ -275,6 +299,27 @@ in
 start_action = "start";
 };
 };
+ services.strongswan-swanctl.swanctl.connections.usa = {
+ local_addrs = [ "94.190.212.123" ];
+ remote_addrs = [ "5.78.86.156" ];
+ local.main = {
+ auth = "pubkey";
+ id = "fqdn:m-labs.hk";
+ pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+ };
+ remote.main = {
+ auth = "pubkey";
+ id = "fqdn:m-labs-intl.com";
+ pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+ };
+ children."${netifUSA}" = {
+ mode = "transport";
+ ah_proposals = [ "sha256-curve25519" ];
+ remote_ts = [ "5.78.86.156[gre]" ];
+ local_ts = [ "94.190.212.123[gre]" ];
+ start_action = "start";
+ };
+ };
 # prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
 systemd.services.strongswan-swanctl = {
 after = [ "network-addresses-${netifAlt}.service" ];
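Review bot: The endpoints `remote = "5.78.86.156"` and `local = "94.190.212.123"` in the new greTunnels."${netifUSA}" entry are repeated verbatim in the swanctl connection added later in this commit (`remote_addrs`, `local_addrs`, `remote_ts`, `local_ts`), so editing one side can silently leave the AH traffic selectors pointing at a different peer than the GRE tunnel, with the GRE packets then falling outside the IPsec policy. Binding them once next to the `netif*` names, e.g. `usaRemote = "5.78.86.156"; usaLocal = "94.190.212.123";`, and writing `remote = usaRemote; local = usaLocal;` here keeps the tunnel endpoint and the IPsec selectors in lock-step. The greTunnels attribute set this hunk sits in starts before the hunk.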
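Review bot: `options.table = "3"` in the new interfaces."${netifUSA}" route is a bare table number that has to agree with the `ip rule add ... table 3` in the network-custom-route-usa unit added later in this commit, and nothing in the file ties the two together. A single `usaRouteTable = "3";` in the let block, used as `options.table = usaRouteTable;` here and `table ${usaRouteTable}` in the unit, makes the policy-routing pair one thing. A comment above the route, such as `# default route for traffic sourced from the tunnel /31; selected by the 'from 10.47.3.0/31' ip rule in network-custom-route-usa`, would also explain why a 0.0.0.0/0 route lives in a non-main table.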
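Review bot: The `after` list of systemd.services.strongswan-swanctl, visible as the unchanged last line of this hunk, still names only `network-addresses-${netifAlt}.service`; if the ordering workaround described by the comment above it is needed for the alt tunnel, the new `${netifUSA}` interface presumably needs the same entry, e.g. `after = [ "network-addresses-${netifAlt}.service" "network-addresses-${netifUSA}.service" ];`. Separately, `ah_proposals` selects AH, which authenticates the GRE packets but does not encrypt them, so whatever rides inside the tunnel crosses the path readable; if that is intentional, a comment on the child such as `# AH only: peer authentication and integrity, no confidentiality` would save the next reader a surprise. With `start_action = "start"` and no `close_action` or `dpd_action` in this hunk, a torn-down CHILD_SA leaves the GRE route in place and, as far as this hunk shows, nothing blocks unauthenticated GRE in that state — worth confirming whether a firewall rule elsewhere covers it.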
@@ -290,6 +335,15 @@ in
 ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
 };
 };
+ systemd.services.network-custom-route-usa = {
+ wantedBy = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+ ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+ };
+ };
 systemd.services.network-custom-route-alt = {
 wantedBy = [ "network.target" ];
 serviceConfig = {
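Review bot: `ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3"` carries no selector, so it deletes the first rule that refers to table 3 whatever its `from` is; `ip rule del from 10.47.3.0/31 table 3` removes exactly the rule ExecStart added. The same shape is visible in the existing network-custom-route-alt unit (`ip rule del table 2` in the context lines), so tightening both at once keeps them consistent. ExecStart is also not idempotent — if the unit is ever started again without a stop, `ip rule add` stacks a duplicate rule — which a short comment on the unit (`# one policy rule per start; ExecStop must remove exactly that rule`) would make explicit.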