harry
/
it-infra
forked from M-Labs/it-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

nixbld: altnet setup

This commit is contained in:
Sebastien Bourdeauducq 2023-07-13 13:56:10 +08:00
parent c2c7e67549
commit 39a6ea69f6
3 changed files with 116 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
nixbld-etc-nixos/configuration.nix
View File

@ -104,6 +104,15 @@ in
address = "2001:470:f891:1::";
prefixLength = 64;
}];
# https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
# we just copy what matters here. Ugly but easier.
ipv4.routes = [
{
address = "192.168.1.0";
prefixLength = 24;
options.table = "1";
}
];
};
interfaces."${netifWifi}" = {
ipv4.addresses = [{
@ -161,12 +170,80 @@ in
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }];
};
greTunnels.alt0 = {
dev = netifWan;
remote = "103.206.98.1";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
interfaces.alt0 = {
ipv4.addresses = [
{
address = "103.206.98.227";
prefixLength = 31;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "103.206.98.226";
options.table = "1";
}
];
};
vlans = {
vlan0 = {
id = 2;
interface = netifLan;
};
};
interfaces.vlan0 = {
ipv4.addresses = [{
address = "103.206.98.200";
prefixLength = 29;
}];
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.strongswan-swanctl.enable = true;
services.strongswan-swanctl.swanctl.connections.altnet = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "103.206.98.1" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
};
children.alt0 = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
systemd.services.custom-network-setup = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
};
};
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
# chown named.named /etc/nixos/named
services.bind = {
@ -212,6 +289,23 @@ in
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"200-29.98.206.103.in-addr.arpa" = {
name = "200-29.98.206.103.in-addr.arpa";
master = true;
file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
};
extraConfig = ''
zone "mil." IN {

17
nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa Normal file
View File

@ -0,0 +1,17 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2023071303
7200
3600
86400
600)
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.he.net.
200 PTR router.alt.m-labs.hk.
201 PTR stewardship1.alt.m-labs.hk.
202 PTR stewardship2.alt.m-labs.hk.

6
nixbld-etc-nixos/named/m-labs.hk
View File

@ -1,7 +1,7 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2023040501
2023071301
7200
3600
86400
@ -51,3 +51,7 @@ hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201
stewardship2.alt A 103.206.98.202