oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: make rossby-manage a subnet router and dns server

Browse Source
This commit is contained in:
Jonas Juselius
2025-10-10 18:23:13 +02:00
parent 86f1e0d974
commit c314409d3b
1 changed files with 7 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
rossby/manage/default.nix
View File

@@ -147,7 +147,8 @@ in {
useNetworkd = true; useNetworkd = true;
hostName = name; hostName = name;
firewall = { firewall = {
allowedTCPPorts = [ 6443 4725 ]; allowedTCPPorts = [ 53 6443 4725 ];
allowedUDPPorts = [ 53 ];
extraCommands = '' extraCommands = ''
# needed for nodeport access on k1 and k2 # needed for nodeport access on k1 and k2
# iptables -t nat -A POSTROUTING -s 172.16.239.0/24 ! -d 10.255.0.0/16 -j SNAT --to-source 10.255.242.3 # iptables -t nat -A POSTROUTING -s 172.16.239.0/24 ! -d 10.255.0.0/16 -j SNAT --to-source 10.255.242.3
@@ -235,19 +236,6 @@ in {
''; '';
}; };
services.coredns.enable = false;
services.coredns.config = {
};
services.dnsmasq.enable = false;
services.dnsmasq.settings = {
address = [
"/rossby-manage.cluster.local/172.16.239.221"
"/slurmctld.cluster.local/127.0.0.1"
];
srv-host = "_slurmctld._tcp.cluster.local,slurmctld.cluster.local,6817,0,5";
};
# ssh-rsa is deprecated, but putty/winscp users use it # ssh-rsa is deprecated, but putty/winscp users use it
services.openssh.extraConfig = '' services.openssh.extraConfig = ''
# pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 # pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
@@ -258,29 +246,6 @@ in {
virtualisation.docker.enable = pkgs.lib.mkForce true; virtualisation.docker.enable = pkgs.lib.mkForce true;
# Configuration for the coordination server for a tailscale network run using headscale.
#
# We can set it up to provide several exit nodes through which traffic can be routed.
#
# Servers can join using this command:
# `tailscale up --login-server net.b0.itpartner.no --accept-dns=false --advertise-exit-node`
#
# with the following config:
#
# service.tailscale = {
# enable = true;
# useRoutingFeatures = "server"; # for exit-node usage
# };
#
# Clients can join using this command:
# `tailscale up --login-server net.b0.itpartner.no --accept-dns=false`
#
# services.headscale = {
# enable = true;
# address = "0.0.0.0";
# port = 4725; # hscl
# settings = import ./headscale/settings.nix;
# };
services.tailscale = { services.tailscale = {
enable = true; enable = true;
@@ -288,8 +253,10 @@ in {
useRoutingFeatures = "both"; # for exit-node usage useRoutingFeatures = "both"; # for exit-node usage
extraUpFlags = [ extraUpFlags = [
"--login-server=https://headscale.svc.oceanbox.io" "--login-server=https://headscale.svc.oceanbox.io"
"--accept-dns=false" # see dnsmasq "--accept-dns=true"
"--accept-routes=false" "--accept-routes=true"
"--advertise-routes=172.16.238.0/24,172.16.239.0/24"
"--snat-subnet-routes=false"
]; ];
}; };
services.networkd-dispatcher = { services.networkd-dispatcher = {
@@ -311,6 +278,7 @@ in {
../default.nix ../default.nix
../mounts.nix ../mounts.nix
../myvnc.nix ../myvnc.nix
../../dns.nix
]; ];
} }