nixbld: connect to USA VPN

Sébastien Bourdeauducq 2024-10-08 16:09:56 +08:00
parent 3419fe6013
commit 2bf7bb0638


@ -6,6 +6,7 @@ let
netifLan = "enp5s0f1"; netifLan = "enp5s0f1";
netifWifi = "wlp6s0"; netifWifi = "wlp6s0";
netifSit = "henet0"; netifSit = "henet0";
netifUSA = "trump0";
netifAlt = "alt0"; netifAlt = "alt0";
netifAltVlan = "vlan0"; netifAltVlan = "vlan0";
hydraWwwOutputs = "/var/www/hydra-outputs"; hydraWwwOutputs = "/var/www/hydra-outputs";
@ -205,6 +206,13 @@ in
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }]; routes = [{ address = "::"; prefixLength = 0; }];
}; };
greTunnels."${netifUSA}" = {
dev = netifWan;
remote = "5.78.86.156";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
greTunnels."${netifAlt}" = { greTunnels."${netifAlt}" = {
dev = netifWan; dev = netifWan;
remote = "103.206.98.1"; remote = "103.206.98.1";
@ -212,6 +220,22 @@ in
ttl = 255; ttl = 255;
type = "tun"; type = "tun";
}; };
interfaces."${netifUSA}" = {
ipv4.addresses = [
{
address = "10.47.3.1";
prefixLength = 31;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.47.3.0";
options.table = "3";
}
];
};
interfaces."${netifAlt}" = { interfaces."${netifAlt}" = {
ipv4.addresses = [ ipv4.addresses = [
{ {
@ -275,6 +299,27 @@ in
start_action = "start"; start_action = "start";
}; };
}; };
services.strongswan-swanctl.swanctl.connections.usa = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "5.78.86.156" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:m-labs-intl.com";
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
};
children."${netifUSA}" = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "5.78.86.156[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070 # prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
systemd.services.strongswan-swanctl = { systemd.services.strongswan-swanctl = {
after = [ "network-addresses-${netifAlt}.service" ]; after = [ "network-addresses-${netifAlt}.service" ];
@ -290,6 +335,15 @@ in
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2"; ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
}; };
}; };
systemd.services.network-custom-route-usa = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
};
};
systemd.services.network-custom-route-alt = { systemd.services.network-custom-route-alt = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
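Review bot: The new `usa` connection in the `services.strongswan-swanctl` hunk authenticates the GRE traffic but does not encrypt it: `children."${netifUSA}"` sets only `ah_proposals = [ "sha256-curve25519" ]` in transport mode, so the tunnelled packets between 94.190.212.123 and 5.78.86.156 cross the public internet integrity-protected but in cleartext. The existing `alt` connection (its children are outside this page) may use the same setup, so this could be deliberate, but the commit title calls it a VPN; if confidentiality is expected, the child should carry `esp_proposals = [ "aes256gcm16-curve25519" ];` in place of `ah_proposals`, and if AH-only is intended, a comment such as `# AH only: GRE payload is authenticated, not encrypted` above the child would record that choice for the next reader. A smaller point: the strongswan-swanctl unit's `after` ordering in the following hunk still lists only `network-addresses-${netifAlt}.service`; whether the new connection needs the same guard depends on which address the referenced race involves, which this page does not show.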