IPv6 Hosting
parent
7d01f776e4
commit
be9309abcd
5 changed files with 25 additions and 12 deletions
|
@ -789,7 +789,7 @@
|
||||||
selfIp6 = "2001:db8:20::27";
|
selfIp6 = "2001:db8:20::27";
|
||||||
macAddress = "02:ff:ce:a9:d3:74";
|
macAddress = "02:ff:ce:a9:d3:74";
|
||||||
keyFile = "whitestormKeyFile";
|
keyFile = "whitestormKeyFile";
|
||||||
primaryIp = "192.168.20.26";
|
# primaryIp = "192.168.20.26";
|
||||||
};
|
};
|
||||||
|
|
||||||
build2 = makeBuildConfig system {
|
build2 = makeBuildConfig system {
|
||||||
|
|
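Review bot: The `primaryIp` attribute of this host entry is left in the file as a commented-out line, `# primaryIp = "192.168.20.26";`, with nothing saying why. If the host should now be reached over `selfIp6`, delete the line. If the IPv4 address is only parked temporarily, say so in a comment such as `# primaryIp disabled: host is addressed via selfIp6`. Whatever consumes `primaryIp` is outside this hunk, so check that no firewall or DNS entry derived from it disappears unnoticed.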
|
@ -16,7 +16,7 @@
|
||||||
services.k3s = {
|
services.k3s = {
|
||||||
inherit enable;
|
inherit enable;
|
||||||
environmentFile = config.sops.secrets.k3s_env.path;
|
environmentFile = config.sops.secrets.k3s_env.path;
|
||||||
extraFlags = "--disable traefik --disable servicelb";
|
extraFlags = "--disable traefik --disable servicelb --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112";
|
||||||
role = "server";
|
role = "server";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
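Review bot: The IPv6 ranges added to `extraFlags`, `2001:cafe:42::/56` and `2001:cafe:43::/112`, sit inside global unicast space rather than a prefix this site owns. They look like they were copied from the k3s dual-stack example. Pods would then hold addresses that are not routable back to the cluster, and traffic to whoever legitimately holds that range would be captured locally. Using a locally generated ULA prefix from `fd00::/8`, or a delegated sub-prefix, for both values avoids this. As far as I know, k3s also expects dual-stack CIDRs to be set when the cluster is created, so confirm the cluster is being re-initialised rather than restarted with new flags.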
|
@ -164,9 +164,14 @@ in
|
||||||
define WIFI=${wifi}
|
define WIFI=${wifi}
|
||||||
|
|
||||||
define HTTP_HOST=192.168.20.200
|
define HTTP_HOST=192.168.20.200
|
||||||
|
define HTTP_HOST_V6=2001:db8:20::200
|
||||||
|
|
||||||
define FORGEJO_HOST=192.168.20.201
|
define FORGEJO_HOST=192.168.20.201
|
||||||
|
define FORGEJO_HOST_V6=2001:db8:20::201
|
||||||
define FORGEJO_SSH_PORT=2222
|
define FORGEJO_SSH_PORT=2222
|
||||||
|
|
||||||
define DRAWPILE_HOST=192.168.20.202
|
define DRAWPILE_HOST=192.168.20.202
|
||||||
|
define DRAWPILE_HOST_V6=2001:db8:20::202
|
||||||
define DRAWPILE_TCP_PORT=27750
|
define DRAWPILE_TCP_PORT=27750
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
|
@ -207,9 +212,14 @@ in
|
||||||
}
|
}
|
||||||
|
|
||||||
chain bridge_in {
|
chain bridge_in {
|
||||||
ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
|
tcp dport { 80, 443 } ip daddr $HTTP_HOST ct state new accept comment "Allow HTTP/S to http host"
|
||||||
ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
|
tcp dport { 80, 443 } ip6 daddr $HTTP_HOST_V6 ct state new accept comment "Allow HTTP/S to http host"
|
||||||
ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
|
|
||||||
|
tcp dport $FORGEJO_SSH_PORT ip daddr $FORGEJO_HOST ct state new accept comment "Allow ssh to forgejo"
|
||||||
|
tcp dport $FORGEJO_SSH_PORT ip6 daddr $FORGEJO_HOST_V6 ct state new accept comment "Allow ssh to forgejo"
|
||||||
|
|
||||||
|
tcp dport $DRAWPILE_TCP_PORT ip daddr $DRAWPILE_HOST ct state new accept comment "Allow drawpile traffic to drawpile"
|
||||||
|
tcp dport $DRAWPILE_TCP_PORT ip6 daddr $DRAWPILE_HOST_V6 ct state new accept comment "Allow drawpile traffic to drawpile"
|
||||||
}
|
}
|
||||||
chain bridge_out {
|
chain bridge_out {
|
||||||
accept
|
accept
|
||||||
|
@ -306,6 +316,9 @@ in
|
||||||
table ip6 nat {
|
table ip6 nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority -100; policy accept;
|
type nat hook prerouting priority -100; policy accept;
|
||||||
|
fib daddr type local tcp dport { 80, 443 } dnat to $HTTP_HOST_V6
|
||||||
|
fib daddr type local tcp dport 22 dnat to $FORGEJO_HOST_V6:$FORGEJO_SSH_PORT
|
||||||
|
fib daddr type local tcp dport $DRAWPILE_TCP_PORT dnat to $DRAWPILE_HOST_V6
|
||||||
}
|
}
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
|
|
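Review bot: The three `dnat` rules added to `chain prerouting` in `table ip6 nat` match only on `fib daddr type local`, with no ingress-interface match, so they apply to traffic arriving on every interface and addressed to any local IPv6 address of the router. In particular, tcp/22 to the router's own addresses is now redirected to `$FORGEJO_HOST_V6`, which would make an sshd on the router itself unreachable over IPv6 on that port, if one listens there. Consider scoping the rules to the upstream side, e.g. `iifname "<WAN_IF>" fib daddr type local tcp dport 22 dnat to ...`, where `<WAN_IF>` is a placeholder because the interface name is not visible in this hunk. nft normally writes an IPv6 address with a port in bracketed form, so run `nft -c -f` on the generated ruleset to confirm that `$FORGEJO_HOST_V6:$FORGEJO_SSH_PORT` parses as address plus port. The rest of the table lies outside the visible hunks.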
|
@ -1,4 +1,4 @@
|
||||||
k3s_token: ENC[AES256_GCM,data:zbRNNqY95zovQ9IMlpUHPYRoyKL56WsmJQf9mmAqegsT+j3OJhRf0IMAv3k2xZsnvkKKcNaiJomLb/filK1Lg4GMrXoA5eQ83K3B0kP9v3zw1Nvs4ySWHmP/vfENeU0v/FuyHWNCtEeBEm8E,iv:6y2hfaxL3VV/HTlOxNc29RTHHfErXD5PMzfuRc/EtQk=,tag:+Pi1u5sKZSYsAOBUUcOlpg==,type:str]
|
k3s_token: ENC[AES256_GCM,data:tQuF03fY+qw62/09w63qMDQ5OfRvmh/j5pQMsfahDEHOxaFHIULo74LTHlVMeDkxTJ9IclnCXHLCa8i/TcvHlKARG1NC4BdxZSJ5oEukefN8HNXwnIc93ZyUm0JJvtSqp7PdFAWWNDQj4tDl,iv:G2OqDwYYxrbtFsOfsUB9I9GKw0qMzbFR3+7eYlN+wNI=,tag:2qQnqM6gRBa09b5FzZ9xtw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -23,8 +23,8 @@ sops:
|
||||||
NHVtWEdPZjVFdFF0UG4xNEtoU1lBckkKj6Fx2o17lrER5SAIJcqLSlcOmz/qufyE
|
NHVtWEdPZjVFdFF0UG4xNEtoU1lBckkKj6Fx2o17lrER5SAIJcqLSlcOmz/qufyE
|
||||||
P3l8RCxKtzsGoihsGME1jROMiq2hsWe5uFA7vUiOggqzWV9M9mywBQ==
|
P3l8RCxKtzsGoihsGME1jROMiq2hsWe5uFA7vUiOggqzWV9M9mywBQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-01-27T22:50:42Z"
|
lastmodified: "2024-07-04T22:54:44Z"
|
||||||
mac: ENC[AES256_GCM,data:NdTWBlMadq2Znz09J5nbELWKWkDW7wRGE3nZiJmIiWQsTWS000mqSJSg7QdZ75bOWx+jJrLEKHUg7DNrvRzrocUYCcuq6Gc4poGw5wD+CRFo7B3KEVg1q+LP5NnYLWaqOg0NrcXm68hAY4/kbhrtzAdKDSfZaewooLI4hzqjlqE=,iv:3cXHe6An9LTKGznxYru6v3mhR4XvmhKsLOVF278FVgc=,tag:67BDFWppZ/7GizWNU2/Reg==,type:str]
|
mac: ENC[AES256_GCM,data:mvoYlmiuq4m03m5shdFvM6k36uASZeEXxDXaOLlksBfDAktXGwaFm1sZS2zSbJXIodd2Ln1wfFlKNNLQQu+VKmAQPtUTXoCAzjJu1e0ds3XpdXD7J+dWdEkkgU9MN0f783wBixB2Qm/wJcLwZu+nNbRg9OaFXR7KyS5Qgdtz9Qg=,iv:f3b6vTqddwYJXDKaNZP9e35571u+rU78JtcCXlEITO8=,tag:fsNASW6tiJWhlCln3C5Sdw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.8.1
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
"data": "ENC[AES256_GCM,data:rxMCpdVseLWrSaSu11GlQ7enf2MYOmcmvXgrLqmeYtmgkf2C36fHxpycErh03alnbVH2GHMZGAtGKewbQ5bsljULbB0ASHQgMu2EaaSY5JK6wxu+HSv/+o3522kzChRpl197ohZRZmiF99O2ze6WAECnpG76D3+0BrvVZ1p0ZWIwG4QSLmfAOErcm+qeyQ==,iv:5Otnin3EnkLBDDJ+NnUTYcudJvoC7XHIs5HUybs0m0A=,tag:aaZ+x6v1Oi2L0oOxda4EUQ==,type:str]",
|
"data": "ENC[AES256_GCM,data:B2ggkSHOdi9nKbfkMlBYEMG+sQTnM+Z82Ibb83gXMyMAf7QZq57QLvWf4xKS0R+KA9Mq1CUOzkgpWqopxM8XzkmIbA7tOMfD+2BwQ9HcGc1HeI+nAE23a7IN9AqZ0UJ5hJp/Pu+oTAa2Qm+Ol+CgwTfCdmHKb46fs3CRaWvGZYM8G9OaEnIaioGLXG6OsA==,iv:r17jcY1J0can8ctGOkJI0vL7hfuwrlDmVVcgfMpDZAU=,tag:quj7yYTri2x0Pi/Vun2unA==,type:str]",
|
||||||
"sops": {
|
"sops": {
|
||||||
"kms": null,
|
"kms": null,
|
||||||
"gcp_kms": null,
|
"gcp_kms": null,
|
||||||
|
@ -15,8 +15,8 @@
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN2RlVXh0cHN0RjVtcHds\nTWxleGZpZHk0Sjl3L3NLSHA0NW1za3dLQlRVCjRCdXJiTjBJb1RoRlZqbUsrUWZE\neXgwRzg4clAyRUxWK1pPU3Z3Znpkb0UKLS0tIHd1Zy9yLysyWnJpNXg3a1FQYURN\nT1FnWXF0QmdGN0NvVm0yM2gzNHRCdm8K993lhwndBDaFKlpCOi5WSdIsTMvhoi83\n5eyiQYjhfILeJWIIzDHOMHcNqE6plei+bhFRY23dZft8IxQWcAQfOg==\n-----END AGE ENCRYPTED FILE-----\n"
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN2RlVXh0cHN0RjVtcHds\nTWxleGZpZHk0Sjl3L3NLSHA0NW1za3dLQlRVCjRCdXJiTjBJb1RoRlZqbUsrUWZE\neXgwRzg4clAyRUxWK1pPU3Z3Znpkb0UKLS0tIHd1Zy9yLysyWnJpNXg3a1FQYURN\nT1FnWXF0QmdGN0NvVm0yM2gzNHRCdm8K993lhwndBDaFKlpCOi5WSdIsTMvhoi83\n5eyiQYjhfILeJWIIzDHOMHcNqE6plei+bhFRY23dZft8IxQWcAQfOg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"lastmodified": "2024-01-31T04:13:39Z",
|
"lastmodified": "2024-07-04T22:41:50Z",
|
||||||
"mac": "ENC[AES256_GCM,data:7LZcJloXoV+2xHrZVvHJzMHbiHQbo1ughT2TquvhbHMkP8XMSy97pig4soU+noR7cz6MkV+bOlvieGdgkjCEjkF/PZrZHIleKKJYKou6GzRyWddSts+xTVYvWSryrppKgB/pLZi/Ob8XwoWpyrMu3SltcEA8WRNjRCG7DkkshC0=,iv:+IucoD5OyEFq+NG5bAEOTQyfiL+ndiX2Y/tVurlRHJA=,tag:CbwOv47neJTgQ04HUCN/DQ==,type:str]",
|
"mac": "ENC[AES256_GCM,data:QRJ30qsa8oyNYoQJxOdZPpkU/4ULFD2du8sYDKEBdLWssbSuG49h73qSGWGiFCaBNDQiLlR0ZCTZ9de0iogcAf2DGqTLJGDEqZCRVHKc+i07glDCgzNoqz8W0ktSUYA5qgq6wnsrcSMSuSkLGYn+V55BsNxQ0fUY/DSrYSho7IA=,iv:Fuid015VEe3phejWsoKEayQSbxjRQGfD5eKoFNRjXQY=,tag:cN9x9a/HS9sn2/O/nFxxQA==,type:str]",
|
||||||
"pgp": null,
|
"pgp": null,
|
||||||
"unencrypted_suffix": "_unencrypted",
|
"unencrypted_suffix": "_unencrypted",
|
||||||
"version": "3.8.1"
|
"version": "3.8.1"
|
||||||
|
|