IPv6 Hosting

asonix 2024-07-04 19:28:45 -05:00
parent 7d01f776e4
commit be9309abcd
5 changed files with 25 additions and 12 deletions


@ -789,7 +789,7 @@
selfIp6 = "2001:db8:20::27";
macAddress = "02:ff:ce:a9:d3:74";
keyFile = "whitestormKeyFile";
primaryIp = "192.168.20.26";
# primaryIp = "192.168.20.26";
};
build2 = makeBuildConfig system {
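Review bot: `primaryIp` is commented out rather than removed, and nothing on the new line says why or what this host is addressed by afterwards. If the intent is that the host is now reached through `selfIp6` only (an inference, since the consumers of `primaryIp` are not in this hunk), either delete the line or replace it with a comment that records the decision, for example `# primaryIp intentionally unset: host is reached via selfIp6`. The attribute set this line belongs to starts above the hunk.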


@ -16,7 +16,7 @@
services.k3s = {
inherit enable;
environmentFile = config.sops.secrets.k3s_env.path;
extraFlags = "--disable traefik --disable servicelb";
extraFlags = "--disable traefik --disable servicelb --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112";
role = "server";
};
};
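Review bot: The IPv6 ranges on the new `extraFlags` line, `2001:cafe:42::/56` and `2001:cafe:43::/112`, are neither unique-local (`fd00::/8`) nor the documentation prefix, so they sit in global unicast space that this cluster presumably does not hold. Pods would treat any real destination in those ranges as cluster-internal, and pod or service addresses could leave the node unmasqueraded if a route or NAT rule is missing. A ULA prefix avoids both, e.g. `--cluster-cidr=10.42.0.0/16,<ULA-prefix>:42::/56 --service-cidr=10.43.0.0/16,<ULA-prefix>:43::/112`. As far as I know k3s only accepts dual-stack CIDRs at cluster creation, so a comment above `extraFlags` saying that changing these values means rebuilding the cluster would help the next reader.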


@ -164,9 +164,14 @@ in
define WIFI=${wifi}
define HTTP_HOST=192.168.20.200
define HTTP_HOST_V6=2001:db8:20::200
define FORGEJO_HOST=192.168.20.201
define FORGEJO_HOST_V6=2001:db8:20::201
define FORGEJO_SSH_PORT=2222
define DRAWPILE_HOST=192.168.20.202
define DRAWPILE_HOST_V6=2001:db8:20::202
define DRAWPILE_TCP_PORT=27750
table inet filter {
@ -207,9 +212,14 @@ in
}
chain bridge_in {
ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
tcp dport { 80, 443 } ip daddr $HTTP_HOST ct state new accept comment "Allow HTTP/S to http host"
tcp dport { 80, 443 } ip6 daddr $HTTP_HOST_V6 ct state new accept comment "Allow HTTP/S to http host"
tcp dport $FORGEJO_SSH_PORT ip daddr $FORGEJO_HOST ct state new accept comment "Allow ssh to forgejo"
tcp dport $FORGEJO_SSH_PORT ip6 daddr $FORGEJO_HOST_V6 ct state new accept comment "Allow ssh to forgejo"
tcp dport $DRAWPILE_TCP_PORT ip daddr $DRAWPILE_HOST ct state new accept comment "Allow drawpile traffic to drawpile"
tcp dport $DRAWPILE_TCP_PORT ip6 daddr $DRAWPILE_HOST_V6 ct state new accept comment "Allow drawpile traffic to drawpile"
}
chain bridge_out {
accept
@ -306,6 +316,9 @@ in
table ip6 nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
fib daddr type local tcp dport { 80, 443 } dnat to $HTTP_HOST_V6
fib daddr type local tcp dport 22 dnat to $FORGEJO_HOST_V6:$FORGEJO_SSH_PORT
fib daddr type local tcp dport $DRAWPILE_TCP_PORT dnat to $DRAWPILE_HOST_V6
}
chain postrouting {
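Review bot: The three rules added to `table ip6 nat` / `chain prerouting` match on `fib daddr type local` alone, so they apply to every IPv6 address the router owns, on every interface, link-local and LAN-facing addresses included. One consequence is that a connection to port 22 on any of the router's own IPv6 addresses is redirected to `$FORGEJO_HOST_V6:$FORGEJO_SSH_PORT`. If that deliberately mirrors the IPv4 NAT table (not visible in this hunk), say so in a comment such as `# v6 mirror of the ip nat rules: port 22 on the router goes to forgejo`. Otherwise, narrow the rules with an input-interface match so only traffic arriving on the uplink is translated. Separately, the paired v4/v6 rules in `bridge_in` carry identical `comment` strings, so a ruleset listing cannot tell them apart; a suffix like `comment "Allow ssh to forgejo (v6)"` would fix that. The `postrouting` chain continues past the end of the hunk.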


@ -1,4 +1,4 @@
k3s_token: ENC[AES256_GCM,data:zbRNNqY95zovQ9IMlpUHPYRoyKL56WsmJQf9mmAqegsT+j3OJhRf0IMAv3k2xZsnvkKKcNaiJomLb/filK1Lg4GMrXoA5eQ83K3B0kP9v3zw1Nvs4ySWHmP/vfENeU0v/FuyHWNCtEeBEm8E,iv:6y2hfaxL3VV/HTlOxNc29RTHHfErXD5PMzfuRc/EtQk=,tag:+Pi1u5sKZSYsAOBUUcOlpg==,type:str]
k3s_token: ENC[AES256_GCM,data:tQuF03fY+qw62/09w63qMDQ5OfRvmh/j5pQMsfahDEHOxaFHIULo74LTHlVMeDkxTJ9IclnCXHLCa8i/TcvHlKARG1NC4BdxZSJ5oEukefN8HNXwnIc93ZyUm0JJvtSqp7PdFAWWNDQj4tDl,iv:G2OqDwYYxrbtFsOfsUB9I9GKw0qMzbFR3+7eYlN+wNI=,tag:2qQnqM6gRBa09b5FzZ9xtw==,type:str]
sops:
kms: []
gcp_kms: []
@ -23,8 +23,8 @@ sops:
NHVtWEdPZjVFdFF0UG4xNEtoU1lBckkKj6Fx2o17lrER5SAIJcqLSlcOmz/qufyE
P3l8RCxKtzsGoihsGME1jROMiq2hsWe5uFA7vUiOggqzWV9M9mywBQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-27T22:50:42Z"
mac: ENC[AES256_GCM,data:NdTWBlMadq2Znz09J5nbELWKWkDW7wRGE3nZiJmIiWQsTWS000mqSJSg7QdZ75bOWx+jJrLEKHUg7DNrvRzrocUYCcuq6Gc4poGw5wD+CRFo7B3KEVg1q+LP5NnYLWaqOg0NrcXm68hAY4/kbhrtzAdKDSfZaewooLI4hzqjlqE=,iv:3cXHe6An9LTKGznxYru6v3mhR4XvmhKsLOVF278FVgc=,tag:67BDFWppZ/7GizWNU2/Reg==,type:str]
lastmodified: "2024-07-04T22:54:44Z"
mac: ENC[AES256_GCM,data:mvoYlmiuq4m03m5shdFvM6k36uASZeEXxDXaOLlksBfDAktXGwaFm1sZS2zSbJXIodd2Ln1wfFlKNNLQQu+VKmAQPtUTXoCAzjJu1e0ds3XpdXD7J+dWdEkkgU9MN0f783wBixB2Qm/wJcLwZu+nNbRg9OaFXR7KyS5Qgdtz9Qg=,iv:f3b6vTqddwYJXDKaNZP9e35571u+rU78JtcCXlEITO8=,tag:fsNASW6tiJWhlCln3C5Sdw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1


@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:rxMCpdVseLWrSaSu11GlQ7enf2MYOmcmvXgrLqmeYtmgkf2C36fHxpycErh03alnbVH2GHMZGAtGKewbQ5bsljULbB0ASHQgMu2EaaSY5JK6wxu+HSv/+o3522kzChRpl197ohZRZmiF99O2ze6WAECnpG76D3+0BrvVZ1p0ZWIwG4QSLmfAOErcm+qeyQ==,iv:5Otnin3EnkLBDDJ+NnUTYcudJvoC7XHIs5HUybs0m0A=,tag:aaZ+x6v1Oi2L0oOxda4EUQ==,type:str]",
"data": "ENC[AES256_GCM,data:B2ggkSHOdi9nKbfkMlBYEMG+sQTnM+Z82Ibb83gXMyMAf7QZq57QLvWf4xKS0R+KA9Mq1CUOzkgpWqopxM8XzkmIbA7tOMfD+2BwQ9HcGc1HeI+nAE23a7IN9AqZ0UJ5hJp/Pu+oTAa2Qm+Ol+CgwTfCdmHKb46fs3CRaWvGZYM8G9OaEnIaioGLXG6OsA==,iv:r17jcY1J0can8ctGOkJI0vL7hfuwrlDmVVcgfMpDZAU=,tag:quj7yYTri2x0Pi/Vun2unA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
@ -15,8 +15,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN2RlVXh0cHN0RjVtcHds\nTWxleGZpZHk0Sjl3L3NLSHA0NW1za3dLQlRVCjRCdXJiTjBJb1RoRlZqbUsrUWZE\neXgwRzg4clAyRUxWK1pPU3Z3Znpkb0UKLS0tIHd1Zy9yLysyWnJpNXg3a1FQYURN\nT1FnWXF0QmdGN0NvVm0yM2gzNHRCdm8K993lhwndBDaFKlpCOi5WSdIsTMvhoi83\n5eyiQYjhfILeJWIIzDHOMHcNqE6plei+bhFRY23dZft8IxQWcAQfOg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-01-31T04:13:39Z",
"mac": "ENC[AES256_GCM,data:7LZcJloXoV+2xHrZVvHJzMHbiHQbo1ughT2TquvhbHMkP8XMSy97pig4soU+noR7cz6MkV+bOlvieGdgkjCEjkF/PZrZHIleKKJYKou6GzRyWddSts+xTVYvWSryrppKgB/pLZi/Ob8XwoWpyrMu3SltcEA8WRNjRCG7DkkshC0=,iv:+IucoD5OyEFq+NG5bAEOTQyfiL+ndiX2Y/tVurlRHJA=,tag:CbwOv47neJTgQ04HUCN/DQ==,type:str]",
"lastmodified": "2024-07-04T22:41:50Z",
"mac": "ENC[AES256_GCM,data:QRJ30qsa8oyNYoQJxOdZPpkU/4ULFD2du8sYDKEBdLWssbSuG49h73qSGWGiFCaBNDQiLlR0ZCTZ9de0iogcAf2DGqTLJGDEqZCRVHKc+i07glDCgzNoqz8W0ktSUYA5qgq6wnsrcSMSuSkLGYn+V55BsNxQ0fUY/DSrYSho7IA=,iv:Fuid015VEe3phejWsoKEayQSbxjRQGfD5eKoFNRjXQY=,tag:cN9x9a/HS9sn2/O/nFxxQA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"