From c314409d3b346486355379b598d508f73fc48d21 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Fri, 10 Oct 2025 18:23:13 +0200 Subject: [PATCH] feat: make rossby-manage a subnet router and dns server --- rossby/manage/default.nix | 46 ++++++--------------------------------- 1 file changed, 7 insertions(+), 39 deletions(-) diff --git a/rossby/manage/default.nix b/rossby/manage/default.nix index 5906b13..157e710 100644 --- a/rossby/manage/default.nix +++ b/rossby/manage/default.nix @@ -147,7 +147,8 @@ in { useNetworkd = true; hostName = name; firewall = { - allowedTCPPorts = [ 6443 4725 ]; + allowedTCPPorts = [ 53 6443 4725 ]; + allowedUDPPorts = [ 53 ]; extraCommands = '' # needed for nodeport access on k1 and k2 # iptables -t nat -A POSTROUTING -s 172.16.239.0/24 ! -d 10.255.0.0/16 -j SNAT --to-source 10.255.242.3 @@ -235,19 +236,6 @@ in { ''; }; - services.coredns.enable = false; - services.coredns.config = { - - }; - services.dnsmasq.enable = false; - services.dnsmasq.settings = { - address = [ - "/rossby-manage.cluster.local/172.16.239.221" - "/slurmctld.cluster.local/127.0.0.1" - ]; - srv-host = "_slurmctld._tcp.cluster.local,slurmctld.cluster.local,6817,0,5"; - }; - # ssh-rsa is deprecated, but putty/winscp users use it services.openssh.extraConfig = '' # pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 
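Review bot: Port 53 is added to the global `allowedTCPPorts`/`allowedUDPPorts` lists, which apply to every interface, so the new resolver (pulled in via `../../dns.nix`, not visible here) is reachable from the host's non-tailnet interfaces as well as from tailnet peers — an open resolver is a DNS amplification vector if it recurses. Unless dns.nix binds only the tailnet and internal 172.16.238/239 addresses, scope the rule to the interfaces that need it, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 53 ];` and the same for `allowedUDPPorts` (tailscale0 being the default `interfaceName`; add the LAN interface if 172.16.x hosts should query it too). The SNAT rule in `extraCommands` remains commented out; that string and the enclosing `firewall` set continue past the end of the hunk.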
@@ -258,29 +246,6 @@ in { virtualisation.docker.enable = pkgs.lib.mkForce true; -# Configuration for the coordination server for a tailscale network run using headscale. -# -# We can set it up to provide several exit nodes through which traffic can be routed. -# -# Servers can join using this command: -# `tailscale up --login-server net.b0.itpartner.no --accept-dns=false --advertise-exit-node` -# -# with the following config: -# -# service.tailscale = { -# enable = true; -# useRoutingFeatures = "server"; # for exit-node usage -# }; -# -# Clients can join using this command: -# `tailscale up --login-server net.b0.itpartner.no --accept-dns=false` -# - # services.headscale = { - # enable = true; - # address = "0.0.0.0"; - # port = 4725; # hscl - # settings = import ./headscale/settings.nix; - # }; services.tailscale = { enable = true; @@ -288,8 +253,10 @@ in { useRoutingFeatures = "both"; # for exit-node usage extraUpFlags = [ "--login-server=https://headscale.svc.oceanbox.io" - "--accept-dns=false" # see dnsmasq - "--accept-routes=false" + "--accept-dns=true" + "--accept-routes=true" + "--advertise-routes=172.16.238.0/24,172.16.239.0/24" + "--snat-subnet-routes=false" ]; }; services.networkd-dispatcher = { @@ -311,6 +278,7 @@ in { ../default.nix ../mounts.nix ../myvnc.nix + ../../dns.nix ]; }
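Review bot: With `--snat-subnet-routes=false`, hosts in 172.16.238.0/24 and 172.16.239.0/24 will see tailnet source addresses (the 100.64.0.0/10 range) rather than this router's address, so they need a return route for that range via rossby-manage and host firewalls that admit it; nothing in the patch adds either and the SNAT rule in hunk 1's `extraCommands` stays commented out, so subnet traffic is one-way until that exists (or drop the flag and let tailscale SNAT). `--accept-dns=true` on the node that is itself becoming the tailnet DNS server risks a resolver loop if headscale pushes this node as the tailnet nameserver and dns.nix forwards to the system resolver; consider keeping `--accept-dns=false` on this host or pinning the upstream in dns.nix — confirm against the headscale DNS settings, which are not visible here. The advertised routes are inert until approved on the headscale side, and a comment such as `# routes must be approved in headscale (headscale routes enable) before peers can use them` next to `--advertise-routes` would spare the next maintainer a debugging round. `services.tailscale` closes within this hunk; `services.networkd-dispatcher` opens at the hunk's last line and continues outside it.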