author | tv <tv@krebsco.de> | 2022-11-29 19:54:28 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2022-11-29 19:54:28 +0100 |
commit | 43428ccca56bdf10572f1c93ebafa82cfdf7dbf5 (patch) | |
tree | b6c79e4f047ccb8842c9e5f7b73688ccbc5ff053 /lass/1systems | |
parent | 5c05e2a9b68b01e1f0f69a1e4414bce21a801f1f (diff) | |
parent | 32b23666d15861f6f4d8b1f522ee53d4f21fabb6 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass/1systems')
-rw-r--r-- | lass/1systems/prism/config.nix | 18 | ||||
-rw-r--r-- | lass/1systems/prism/physical.nix | 18 |
2 files changed, 12 insertions, 24 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 62c6f0b71..7bffc39aa 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -25,7 +25,6 @@ with import <stockholm/lib>; ]; } { # TODO make new hfos.nix out of this vv - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { uid = genid_uint31 "riot"; isNormalUser = true; @@ -33,23 +32,10 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" ]; - packages = [ - (pkgs.writeDashBin "kick-routing" '' - /run/wrappers/bin/sudo ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service - '') - ]; }; - security.sudo.extraConfig = '' - riot ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service - ''; - - # TODO write function for proxy_pass (ssl/nonssl) - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.141"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 95.216.1.130"; target = "DNAT --to-destination 192.168.122.141"; } + { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } ]; } { diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 151cfbf41..027a27b2b 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix 
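Review bot: The two rules added at the end of the second hunk accept forwarded traffic on address alone (`predicate = "--destination 95.216.1.130"` and `predicate = "--source 95.216.1.130"`) with no interface qualifier, so a forwarded packet is accepted on the strength of its claimed source address whichever interface it arrived on; tying each predicate to the bridge the address now lives on, e.g. `predicate = "-i ext-br --source 95.216.1.130"` and `predicate = "-o ext-br --destination 95.216.1.130"`, keeps the rule from matching spoofed traffic from other interfaces (ext-br is introduced in physical.nix in this same commit). The collapsed rendering does not make fully clear which list these entries land in, but since the nat PREROUTING block is removed they appear to belong to `krebs.iptables.tables.filter.FORWARD.rules`. The first hunk also drops `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;`; if the address is now reached over the bridge rather than routed, filter FORWARD rules only see that traffic when bridge netfilter is active, so it is worth confirming which path is intended so these rules are not silently inert. A short comment above the list naming the guest that owns 95.216.1.130 would help the next reader.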
@@ -78,29 +78,31 @@ boot.loader.grub.version = 2; boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; - boot.kernelParams = [ "net.ifnames=0" ]; + # we don't pay for power there and this might solve a problem we observed at least once + # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben + boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; networking.dhcpcd.enable = false; + + # bridge config + networking.bridges."ext-br".interfaces = [ "eth0" ]; networking = { hostId = "2283aaae"; defaultGateway = "95.216.1.129"; - defaultGateway6 = { address = "fe80::1"; interface = "eth0"; }; + defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; }; # Use google's public DNS server nameservers = [ "8.8.8.8" ]; - interfaces.eth0.ipv4.addresses = [ + interfaces.ext-br.ipv4.addresses = [ { address = "95.216.1.150"; prefixLength = 26; } - { - address = "95.216.1.130"; - prefixLength = 26; - } ]; - interfaces.eth0.ipv6.addresses = [ + interfaces.ext-br.ipv6.addresses = [ { address = "2a01:4f9:2a:1e9::1"; prefixLength = 64; } ]; }; + } |
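Review bot: `networking.bridges."ext-br".interfaces = [ "eth0" ];` is added as a standalone top-level assignment a few lines above the `networking = { … }` attrset that holds every other address and gateway for the same interface; Nix merges both, but it reads more consistently as `bridges."ext-br".interfaces = [ "eth0" ];` inside that set, next to `interfaces.ext-br.ipv4.addresses`. The `# bridge config` comment says nothing about why the bridge exists; this hunk removes 95.216.1.130 from the host, so a comment along the lines of `# ext-br enslaves eth0 so a guest can own 95.216.1.130 directly; the host keeps only .150` (adjusted to whatever actually holds that address) would record the intent. With eth0 a member of ext-br, anything attached to the bridge shares the uplink segment with the host and is not covered by the host's own input filtering, which is presumably intended here but worth stating in the same comment. The enclosing module body starts before the hunk.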