hosts: revise networking-related variables set

This commit is contained in:
Gabriel Arazas 2023-01-25 11:38:45 +08:00
parent 00bbbd8135
commit d0720ee7b7
7 changed files with 95 additions and 52 deletions


@ -9,8 +9,8 @@ let
wireguardPeers; wireguardPeers;
wireguardAllowedIPs = [ wireguardAllowedIPs = [
"${interfaces.internal.IPv4}/16" "${interfaces.internal.IPv4.address}/16"
"${interfaces.internal.IPv6}/64" "${interfaces.internal.IPv6.address}/64"
]; ];
wireguardIFName = "wireguard0"; wireguardIFName = "wireguard0";
in in
@ -229,7 +229,7 @@ in
PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover; PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${interfaces.main'.IPv4}:51820"; Endpoint = "${interfaces.main'.IPv4.address}:${toString wireguardPort}";
}; };
} }
]; ];
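Review bot: The rewritten `Endpoint` line now depends on `wireguardPort`, but the `let` this hunk opens only shows `wireguardPeers;` being inherited and the rest of that binding list lies above the hunk, outside this view; if `wireguardPort` is not among the inherited names the file fails to evaluate with an undefined variable. If it is missing, add `wireguardPort` to the existing inherit from networks.nix next to `wireguardPeers`, which also keeps the port defined in one place. A one-line comment on `wireguardAllowedIPs` would help readers, e.g. `# Route plover's whole internal /16 and /64 through the tunnel.`, since the two entries are routing statements rather than host addresses.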


@ -2,6 +2,7 @@
let let
inherit (builtins) toString; inherit (builtins) toString;
inherit (import ./modules/hardware/networks.nix) interfaces;
# The head of the Borgbase hostname. # The head of the Borgbase hostname.
hetzner-boxes-user = "u332477"; hetzner-boxes-user = "u332477";
@ -56,6 +57,10 @@ in
services.fail2ban.ignoreIP = [ services.fail2ban.ignoreIP = [
"172.16.0.0/12" "172.16.0.0/12"
"fc00::/7" "fc00::/7"
# Those from the tunneling services.
"${interfaces.wireguard0.IPv4.address}/16"
"${interfaces.wireguard0.IPv6.address}/64"
]; ];
# TODO: Put the secrets to the respective service module. # TODO: Put the secrets to the respective service module.
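Review bot: The two entries added to `services.fail2ban.ignoreIP` exempt the whole tunnel blocks (`${interfaces.wireguard0.IPv4.address}/16`, i.e. `10.210.0.0/16`, and the IPv6 `/64`) rather than the tunnel peers; networks.nix in this same commit documents `wireguardPeers` as fixed `/32` and `/128` addresses, so the exemption is wider than the hosts that can actually use the tunnel. If the tunnel only carries those peers, inheriting `wireguardPeers` alongside `interfaces` on the new inherit line and listing each peer, e.g. `lib.mapAttrsToList (_: p: "${p.IPv4}/32") wireguardPeers` if `lib` is reachable in this file, keeps the ban exemption tied to known hosts. The entries also carry host bits (`10.210.0.1/16`); writing the network address avoids relying on the parser to mask them.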


@ -4,12 +4,12 @@
# settings of whatever image format configuration this host system will import # settings of whatever image format configuration this host system will import
# from nixos-generators. # from nixos-generators.
let let
network = import ./networks.nix;
inherit (builtins) toString; inherit (builtins) toString;
inherit (network) privateIPv6Prefix interfaces; inherit (import ./networks.nix) interfaces;
# This is just referring to the same interface just with alternative names. # This is just referring to the same interface just with alternative names.
mainEthernetInterfaceNames = [ "ens3" "enp0s3" ]; mainEthernetInterfaceNames = [ "ens10" "enp0s10" ];
internalEthernetInterfaceNames = [ "ens11" "enp0s11" ];
in in
{ {
imports = [ imports = [
@ -58,61 +58,68 @@ in
# For more information, you can look at Hetzner documentation from # For more information, you can look at Hetzner documentation from
# https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/ # https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/
networks = { networks = {
"60-wan" = { "20-wan" = {
matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames; matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames;
# Setting the primary static IPs. # Setting the primary static IPs.
address = with interfaces; [ address = with interfaces; [
# The public IPs. # The public IPs.
"${main'.IPv4}/32" "${main'.IPv4.address}/32"
"${main'.IPv6}/128" "${main'.IPv6.address}/128"
# IPs in the LAN.
"${main.IPv4}/16"
"${main.IPv6}/64"
]; ];
networkConfig = { networkConfig.IPForward = true;
IPForward = true;
IPMasquerade = "both"; gateway = [
}; interfaces.main'.IPv4.gateway
interfaces.main'.IPv6.gateway
];
routes = [ routes = [
{ routeConfig.Gateway = "fe80::1"; } { routeConfig.Gateway = interfaces.main'.IPv6.gateway; }
{ routeConfig.Destination = "${interfaces.main'.IPv4}/32"; } { routeConfig.Destination = interfaces.main'.IPv4.address; }
{ {
routeConfig = { routeConfig = {
Gateway = "${interfaces.main'.IPv4}/32"; Gateway = interfaces.main'.IPv4.gateway;
GatewayOnLink = true; GatewayOnLink = true;
}; };
} }
]; ];
}; };
"60-lan" = { "20-lan" = with interfaces.internal; {
matchConfig.Name = "ens11"; matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames;
address = with interfaces.internal; [ address = [
"${IPv4}/16" "${IPv4.address}/16"
"${IPv6}/64" "${IPv6.address}/64"
];
gateway = [
IPv4.gateway
IPv6.gateway
];
routes = [
{ routeConfig.Gateway = IPv6.gateway; }
{ routeConfig.Destination = IPv4.address; }
{
routeConfig = {
Gateway = IPv4.gateway;
GatewayOnLink = true;
};
}
]; ];
networkConfig.DHCP = "yes";
}; };
# This is to make use of the remaining ethernet interfaces as we can "60-internal" = {
# build a local network. matchConfig.Name = "ens*";
"60-dhcpv6-pd-downstreams" = {
matchConfig.Name = "en*";
networkConfig.DHCP = "yes"; networkConfig.DHCP = "yes";
# Even if there's one, it would have the interface with subnets and a
# guaranteed network interface for the internal services.
dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64";
}; };
}; };
}; };
# This is to look out for any errors that will occur for my networking setup # This is to look out for any errors that will occur for my networking setup
# which is always a possibility. # which is always a possibility.
systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info";
} }
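Review bot: In `20-lan`, the new `gateway = [ IPv4.gateway IPv6.gateway ]` installs a second default route with the same default metric as the one `20-wan` sets on the `ens10` link, so which interface carries egress traffic is left to route ordering; the `routes` list directly below it already adds the same IPv4 and IPv6 defaults (the IPv4 one with `GatewayOnLink`, which a `gateway` entry lacks), so the list is at best a duplicate, and `20-wan` has the same duplication between its `gateway` list and its `routes`. Per networks.nix in this commit the IPv4 gateways (`172.31.1.1`, `172.16.0.1`) are not inside the `/32` and `/16` of the addresses they serve, so the non-on-link `gateway` entries likely fail to install and only produce networkd errors. Dropping both `gateway` lists in favour of the explicit `routes`, or giving the LAN default an explicit `routeConfig.Metric`, would make the intended egress path deterministic; with `IPForward = true` kept and `IPMasquerade` removed, a comment stating which link is meant to be the default route would also help.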


@ -6,30 +6,58 @@ let
in in
rec { rec {
privateIPv6Prefix = "fdee:b0de:5685"; privateIPv6Prefix = "fdee:b0de:5685";
interfaces = { interfaces = let
ploverInternalNetworkGateway = "172.16.0.1";
widdeerLan = "10.0.0.1";
ipv6Gateway = "fe80::1";
in
{
# This is the public-facing interface. Any interface name with a prime # This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface. # symbol means it's a public-facing interface.
main' = { main' = {
IPv4 = "95.217.212.19"; # The gateways for the public addresses are retrieved from the following
IPv6 = "2a01:4f9:c011:a448::1"; # pages:
#
# * https://docs.hetzner.com/cloud/networks/faq/#are-any-ip-addresses-reserved
# * https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#gateway
IPv4 = {
address = "95.217.212.19";
gateway = "172.31.1.1";
};
IPv6 = {
address = "2a01:4f9:c011:a448::1";
gateway = ipv6Gateway;
};
}; };
# /16 block for IPv4, /64 for IPv6. # /16 block for IPv4, /64 for IPv6.
main = { main = {
IPv4 = "172.25.0.1"; IPv4 = {
IPv6 = "${privateIPv6Prefix}:1::"; address = "172.27.0.1";
gateway = ploverInternalNetworkGateway;
};
IPv6 = {
address = "${privateIPv6Prefix}:1::";
gateway = ipv6Gateway;
};
}; };
# /16 block for IPv4, /64 for IPv6. # /16 block for IPv4, /64 for IPv6.
internal = { internal = {
IPv4 = "172.24.0.1"; IPv4 = {
IPv6 = "${privateIPv6Prefix}:2::"; address = "172.27.0.2";
gateway = ploverInternalNetworkGateway;
};
IPv6 = {
address = "${privateIPv6Prefix}:2::";
gateway = ipv6Gateway;
};
}; };
# /16 BLOCK for IPv4, /64 for IPv6. # /16 BLOCK for IPv4, /64 for IPv6.
wireguard0 = { wireguard0 = {
IPv4 = "10.210.0.1"; IPv4.address = "10.210.0.1";
IPv6 = "${privateIPv6Prefix}:12ae::"; IPv6.address = "${privateIPv6Prefix}:12ae::";
}; };
}; };
@ -39,19 +67,22 @@ rec {
# Wireguard-related things. # Wireguard-related things.
wireguardPort = 51820; wireguardPort = 51820;
wireguardIPHostPart = "10.210.0"; wireguardIPHostPart = "10.210.0";
wireguardIPv6Prefix = interfaces.wireguard0.IPv6; wireguardIPv6Prefix = interfaces.wireguard0.IPv6.address;
# These are all fixed IP addresses. They should be /32 IPv4 block and /128 # These are all fixed IP addresses. They should be /32 IPv4 block and /128
# IPv6 block. # IPv6 block.
wireguardPeers = { wireguardPeers = {
server = with interfaces.wireguard0; { inherit IPv4 IPv6; }; server = with interfaces.wireguard0; {
IPv4 = IPv4.address;
IPv6 = IPv6.address;
};
desktop = { desktop = {
IPv4 = "${wireguardIPHostPart}.2"; IPv4 = "${wireguardIPHostPart}.2";
IPv6 = "${wireguardIPv6Prefix}:12ae::2"; IPv6 = "${wireguardIPv6Prefix}2";
}; };
phone = { phone = {
IPv4 = "${wireguardIPHostPart}.3"; IPv4 = "${wireguardIPHostPart}.3";
IPv6 = "${wireguardIPv6Prefix}:12ae::3"; IPv6 = "${wireguardIPv6Prefix}3";
}; };
}; };
} }
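Review bot: `widdeerLan = "10.0.0.1"` is bound in the new `let` inside `interfaces` but never referenced in the attribute set it scopes, so as of this hunk it is dead; either drop it or leave a comment saying what it is reserved for. `ploverInternalNetworkGateway = "172.16.0.1"` serves `main` (`172.27.0.1`) and `internal` (`172.27.0.2`), whose comments say they sit in a `/16` block, so the gateway lies outside that subnet; a comment such as `# Not inside the 172.27.0.0/16 of the addresses below; routes via it need GatewayOnLink.` would stop the next reader from assuming a typo. The `ipv6Gateway = "fe80::1"` binding deserves a similar one-liner noting it is the link-local router address used on every link.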


@ -7,7 +7,7 @@ let
inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces; inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}"; atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
host = interfaces.internal.IPv4; host = interfaces.internal.IPv4.address;
in in
{ {
# Atuin sync server because why not. # Atuin sync server because why not.


@ -11,7 +11,7 @@ let
keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username; keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
certs = config.security.acme.certs; certs = config.security.acme.certs;
host = interfaces.internal.IPv4; host = interfaces.internal.IPv4.address;
in in
{ {
# Hey, the hub for your application sign-in. # Hey, the hub for your application sign-in.


@ -53,8 +53,8 @@ in
networks."99-${wireguardIFName}" = { networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName; matchConfig.Name = wireguardIFName;
address = with interfaces.wireguard0; [ address = with interfaces.wireguard0; [
"${IPv4}/32" "${IPv4.address}/32"
"${IPv6}/128" "${IPv6.address}/128"
]; ];
routes = [ routes = [