nixbld: altnet setup
parent
c2c7e67549
commit
39a6ea69f6
@ -104,6 +104,15 @@ in
|
||||
address = "2001:470:f891:1::";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
# https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
|
||||
# we just copy what matters here. Ugly but easier.
|
||||
ipv4.routes = [
|
||||
{
|
||||
address = "192.168.1.0";
|
||||
prefixLength = 24;
|
||||
options.table = "1";
|
||||
}
|
||||
];
|
||||
};
|
||||
interfaces."${netifWifi}" = {
|
||||
ipv4.addresses = [{
|
||||
@ -161,12 +170,80 @@ in
|
||||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||
routes = [{ address = "::"; prefixLength = 0; }];
|
||||
};
|
||||
greTunnels.alt0 = {
|
||||
dev = netifWan;
|
||||
remote = "103.206.98.1";
|
||||
local = "94.190.212.123";
|
||||
ttl = 255;
|
||||
type = "tun";
|
||||
};
|
||||
interfaces.alt0 = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "103.206.98.227";
|
||||
prefixLength = 31;
|
||||
}
|
||||
];
|
||||
ipv4.routes = [
|
||||
{
|
||||
address = "0.0.0.0";
|
||||
prefixLength = 0;
|
||||
via = "103.206.98.226";
|
||||
options.table = "1";
|
||||
}
|
||||
];
|
||||
};
|
||||
vlans = {
|
||||
vlan0 = {
|
||||
id = 2;
|
||||
interface = netifLan;
|
||||
};
|
||||
};
|
||||
interfaces.vlan0 = {
|
||||
ipv4.addresses = [{
|
||||
address = "103.206.98.200";
|
||||
prefixLength = 29;
|
||||
}];
|
||||
};
|
||||
};
|
||||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
|
||||
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
|
||||
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
|
||||
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
|
||||
|
||||
services.strongswan-swanctl.enable = true;
|
||||
services.strongswan-swanctl.swanctl.connections.altnet = {
|
||||
local_addrs = [ "94.190.212.123" ];
|
||||
remote_addrs = [ "103.206.98.1" ];
|
||||
local.main = {
|
||||
auth = "pubkey";
|
||||
id = "fqdn:m-labs.hk";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
|
||||
};
|
||||
remote.main = {
|
||||
auth = "pubkey";
|
||||
id = "fqdn:igw0.hkg.as150788.net";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||
};
|
||||
children.alt0 = {
|
||||
mode = "transport";
|
||||
ah_proposals = [ "sha256-curve25519" ];
|
||||
remote_ts = [ "103.206.98.1[gre]" ];
|
||||
local_ts = [ "94.190.212.123[gre]" ];
|
||||
start_action = "start";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.custom-network-setup = {
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
|
||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
|
||||
};
|
||||
};
|
||||
|
||||
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
|
||||
# chown named.named /etc/nixos/named
|
||||
services.bind = {
|
||||
@ -212,6 +289,23 @@ in
|
||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||
];
|
||||
};
|
||||
"200-29.98.206.103.in-addr.arpa" = {
|
||||
name = "200-29.98.206.103.in-addr.arpa";
|
||||
master = true;
|
||||
file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
|
||||
extraConfig =
|
||||
''
|
||||
dnssec-policy "default";
|
||||
inline-signing yes;
|
||||
notify explicit;
|
||||
also-notify {
|
||||
216.218.130.2; # ns1.he.net
|
||||
};
|
||||
'';
|
||||
slaves = [
|
||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||
];
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
zone "mil." IN {
|
||||
|
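Review bot: The altnet child SA (`children.alt0` with `ah_proposals = [ "sha256-curve25519" ]` and no `esp_proposals`) negotiates AH only, so the GRE tunnel to 103.206.98.1 is authenticated but carried in cleartext; if that is the intent, a comment above `children.alt0` such as `# AH only: authenticates the GRE packets, does not encrypt them` keeps the next reader from assuming the alt0 link is confidential, and if it is not, an ESP proposal belongs here instead. Separately, the rule `from 103.206.98.200/29 table 1` also matches packets the router itself sources from 103.206.98.200, and within this hunk table 1 holds only the 192.168.1.0/24 route and the default via alt0, so those packets appear to leave through the tunnel rather than vlan0 unless a connected route for the /29 is also placed in table 1 — worth confirming. `ip rule add` in `custom-network-setup` is not idempotent, so a start without the matching `ExecStop` leaves a duplicate rule. The `networking` attrset these hunks extend is opened before the first hunk.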
17
nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
Normal file
17
nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
Normal file
@ -0,0 +1,17 @@
|
||||
$TTL 7200
|
||||
|
||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||
2023071303
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
600)
|
||||
|
||||
|
||||
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
|
||||
NS ns1.he.net.
|
||||
|
||||
200 PTR router.alt.m-labs.hk.
|
||||
201 PTR stewardship1.alt.m-labs.hk.
|
||||
202 PTR stewardship2.alt.m-labs.hk.
|
||||
|
@ -1,7 +1,7 @@
|
||||
$TTL 7200
|
||||
|
||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||
2023040501
|
||||
2023071301
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
@ -51,3 +51,7 @@ hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
|
||||
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
|
||||
|
||||
aux A 42.200.147.171
|
||||
|
||||
router.alt A 103.206.98.200
|
||||
stewardship1.alt A 103.206.98.201
|
||||
stewardship2.alt A 103.206.98.202
|
||||
|