feat: make rossby-manage a subnet router and dns server

2025-10-10 18:23:13 +02:00
parent 86f1e0d974
commit c314409d3b
1 changed files with 7 additions and 39 deletions
--- a/rossby/manage/default.nix
+++ b/rossby/manage/default.nix
@@ -147,7 +147,8 @@ in {
      useNetworkd = true;
      hostName = name;
      firewall = {
-        allowedTCPPorts = [ 6443 4725 ];
+        allowedTCPPorts = [ 53 6443 4725 ];
+        allowedUDPPorts = [ 53 ];
        extraCommands = ''
          # needed for nodeport access on k1 and k2
          # iptables -t nat -A POSTROUTING -s 172.16.239.0/24 ! -d 10.255.0.0/16 -j SNAT --to-source 10.255.242.3
@@ -235,19 +236,6 @@ in {
        '';
    };

-    services.coredns.enable = false;
-    services.coredns.config = {
-
-    };
-    services.dnsmasq.enable = false;
-    services.dnsmasq.settings = {
-      address = [
-        "/rossby-manage.cluster.local/172.16.239.221"
-        "/slurmctld.cluster.local/127.0.0.1"
-      ];
-      srv-host = "_slurmctld._tcp.cluster.local,slurmctld.cluster.local,6817,0,5";
-    };
-
    # ssh-rsa is deprecated, but putty/winscp users use it
    services.openssh.extraConfig = ''
      # pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
@@ -258,29 +246,6 @@ in {

    virtualisation.docker.enable = pkgs.lib.mkForce true;

-# Configuration for the coordination server for a tailscale network run using headscale.
-#
-# We can set it up to provide several exit nodes through which traffic can be routed.
-#
-# Servers can join using this command:
-#  `tailscale up --login-server net.b0.itpartner.no --accept-dns=false --advertise-exit-node`
-#
-# with the following config:
-#
-#  service.tailscale = {
-#    enable = true;
-#    useRoutingFeatures = "server"; # for exit-node usage
-#   };
-#
-# Clients can join using this command:
-#  `tailscale up --login-server net.b0.itpartner.no --accept-dns=false`
-#
-  # services.headscale = {
-  #   enable = true;
-  #   address = "0.0.0.0";
-  #   port = 4725; # hscl
-  #   settings = import ./headscale/settings.nix;
-  # };

  services.tailscale =  {
    enable = true;
@@ -288,8 +253,10 @@ in {
    useRoutingFeatures = "both"; # for exit-node usage
    extraUpFlags = [
      "--login-server=https://headscale.svc.oceanbox.io"
-      "--accept-dns=false" # see dnsmasq
-      "--accept-routes=false"
+      "--accept-dns=true"
+      "--accept-routes=true"
+      "--advertise-routes=172.16.238.0/24,172.16.239.0/24"
+      "--snat-subnet-routes=false"
    ];
  };
  services.networkd-dispatcher = {
@@ -311,6 +278,7 @@ in {
      ../default.nix
      ../mounts.nix
      ../myvnc.nix
+      ../../dns.nix
  ];
 }