diff --git a/README.md b/README.md index 17472ff..47700ba 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,12 @@ tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --acce ### 5. Configure `NAT`, `DHCP`. +Once tailscale is up and manually configured (see the config files for guide). +We can use automated way of maintaining config. + +``` +just deploy-config nevaroo 10.0.48.0 fd9b:5314:0:3000:: +``` # TODO diff --git a/justfile b/justfile index 88b5efe..ed51e58 100644 --- a/justfile +++ b/justfile @@ -20,3 +20,21 @@ destroy: #!/usr/bin/env sh cd {{justfile_directory()}}/terraform tofu destroy + +deploy-config node ipv4_subnet ipv6_subnet: + #!/usr/bin/env sh + echo "Configuring {{node}}.network.tjo.cloud" + echo " - IPv4: {{ipv4_subnet}}" + echo " - IPv6: {{ipv6_subnet}}" + + for file in {{justfile_directory()}}/openwrt/etc/config/* + do + echo "Deploying /etc/config/$(basename $file)" + export IPV4_SUBNET="{{ipv4_subnet}}" + export IPV6_SUBNET="{{ipv6_subnet}}" + export HOSTNAME="{{node}}.network.tjo.cloud" + cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" + done + + echo "Reloading network configuration" + tailscale ssh "root@{{node}}-network-tjo-cloud" "/etc/init.d/network reload" diff --git a/openwrt/etc/config/dhcp b/openwrt/etc/config/dhcp index ae0055b..ad00baf 100644 --- a/openwrt/etc/config/dhcp +++ b/openwrt/etc/config/dhcp 
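Review bot: `envsubst` with no variable list rewrites every `$NAME`/`${NAME}` it meets in the pushed config files, not only the three exported ones, and because the recipe runs under `#!/usr/bin/env sh` without `set -e`, a failing `envsubst` or `tailscale ssh` for one file still lets the loop continue and the final `network reload` apply a half-deployed set. Restrict the substitution to the intended names, `envsubst '$IPV4_SUBNET $IPV6_SUBNET $HOSTNAME'`, and add `set -eu` after the shebang so the first failure stops the deploy before anything is reloaded. `HOSTNAME` is also a name most interactive shells set by themselves, so a `${HOSTNAME}` substituted outside this recipe would silently become the operator's machine name; a project-specific name such as `NODE_FQDN` would avoid that, at the cost of touching `openwrt/etc/config/system` too. Note as well that `dhcp`, `firewall` and `system` are pushed but only `/etc/init.d/network reload` runs; unless an interface event happens to cascade into the other services, hostname, dnsmasq and firewall changes stay unapplied until their own init scripts reload.
```shell
deploy-config node ipv4_subnet ipv6_subnet:
    #!/usr/bin/env sh
    set -eu
    # … unchanged: "Configuring …" banner lines …
    export IPV4_SUBNET="{{ipv4_subnet}}"
    export IPV6_SUBNET="{{ipv6_subnet}}"
    export HOSTNAME="{{node}}.network.tjo.cloud"
    for file in {{justfile_directory()}}/openwrt/etc/config/*
    do
        echo "Deploying /etc/config/$(basename "$file")"
        # only the three names above are substituted; any other '$' in the file is left alone
        envsubst '$IPV4_SUBNET $IPV6_SUBNET $HOSTNAME' < "$file" \
            | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename "$file")"
    done

    echo "Reloading configuration"
    tailscale ssh "root@{{node}}-network-tjo-cloud" \
        "/etc/init.d/system reload && /etc/init.d/network reload && /etc/init.d/dnsmasq reload && /etc/init.d/firewall reload"
```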
@@ -1,21 +1,17 @@ config dnsmasq option domainneeded '1' - option boguspriv '1' - option filterwin2k '0' option localise_queries '1' option rebind_protection '1' option rebind_localhost '1' option expandhosts '1' - option nonegcache '0' option cachesize '1000' option authoritative '1' option readethers '1' option leasefile '/tmp/dhcp.leases' option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' - option nonwildcard '1' option localservice '1' option ednspacket_max '1232' - list interface 'lan' + list interface 'lan' config dhcp 'lan' option interface 'lan' @@ -25,7 +21,6 @@ config dhcp 'lan' option dhcpv4 'server' option dhcpv6 'server' option ra 'server' - option ra_slaac '1' list ra_flags 'managed-config' list ra_flags 'other-config' diff --git a/openwrt/etc/config/firewall b/openwrt/etc/config/firewall index 4b63a51..9ce8566 100644 --- a/openwrt/etc/config/firewall +++ b/openwrt/etc/config/firewall @@ -1,8 +1,8 @@ config defaults - option syn_flood '1' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' + option synflood_protect '1' config zone option name 'lan' @@ -10,7 +10,6 @@ config zone option output 'ACCEPT' option forward 'ACCEPT' list network 'lan' - list network 'tailscale' config zone option name 'wan' @@ -118,3 +117,20 @@ config rule option dest_port '500' option proto 'udp' option target 'ACCEPT' + +config zone + option name 'tailscale' + option input 'ACCEPT' + option output 'ACCEPT' + option forward 'ACCEPT' + option masq '1' + option mtu_fix '1' + list network 'tailscale' + +config forwarding + option src 'tailscale' + option dest 'lan' + +config forwarding + option src 'lan' + option dest 'tailscale' diff --git a/openwrt/etc/config/network b/openwrt/etc/config/network index 55fa3ea..525b7c7 100644 --- a/openwrt/etc/config/network +++ b/openwrt/etc/config/network 
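Review bot: Dropping `option boguspriv '1'` from `config dnsmasq` changes what happens to reverse lookups for private addresses: as far as I recall OpenWrt's dnsmasq init only passes `--bogus-priv` when the option is set, so PTR queries for the `10.0.48.0`-style subnets this router serves would from now on be forwarded to the upstream resolvers configured in `network` instead of being answered locally, leaking internal addressing to Cloudflare/Quad9. The other removed options (`filterwin2k '0'`, `nonegcache '0'`, `nonwildcard '1'`) look like they match the init-script defaults, so they are harmless as long as that stays true across OpenWrt upgrades; with the file now pushed from this repo, keeping them explicit costs nothing and documents intent. I would restore `option boguspriv '1'` and mention in the commit message why the rest were trimmed.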
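Review bot: The new `tailscale` zone sets `option input 'ACCEPT'`, which exposes every service listening on the router (dropbear, uhttpd/LuCI, dnsmasq, anything else bound to all interfaces) to every peer in the tailnet, and — since the node runs with `--accept-routes` — to whatever subnets other routers advertise. The `lan` zone used to contain the tailscale network, so this is not a regression, but splitting the zone out is the right moment to tighten it: management goes through `tailscale ssh`, which is served inside tailscaled and as far as I know does not depend on the kernel INPUT chain, though that is worth confirming on the device before relying on it. I would set `option input 'REJECT'` and add explicit `config rule` entries for what tailnet peers actually need, e.g. ICMP/ICMPv6 and, if this node should resolve names for peers, DNS on 53. `masq '1'` is fine for lan→tailnet traffic, but be aware it hides LAN source addresses from tailnet peers, so any per-host ACLs on the Tailscale side only ever see the router's address.
```uci
config zone
	option name 'tailscale'
	option input 'REJECT'
	# … unchanged: output/forward/masq/mtu_fix/network options …

config rule
	option name 'Allow-Ping-Tailscale'
	option src 'tailscale'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Tailscale'
	option src 'tailscale'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'

# … unchanged: tailscale<->lan forwarding sections …
```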
@@ -24,10 +24,20 @@ config interface 'lan' config interface 'wan' option device 'eth0' option proto 'dhcp' + option peerdns '0' + list dns '1.1.1.1' # cloudflare primary + list dns '9.9.9.9' # quad9 primary + list dns '1.0.0.1' # cloudflare backup + list dns '149.112.112.112' # quad9 backup config interface 'wan6' option device 'eth0' option proto 'dhcpv6' + option peerdns '0' + list dns '2606:4700:4700::1111' # cloudflare primary + list dns '2620:fe::fe' # quad9 primary + list dns '2606:4700:4700::1001' # cloudflare backup + list dns '2620:fe::9' # quad9 backup # TAILSCALE config interface 'tailscale' diff --git a/openwrt/etc/config/system b/openwrt/etc/config/system new file mode 100644 index 0000000..b88cb34 --- /dev/null +++ b/openwrt/etc/config/system @@ -0,0 +1,14 @@ +config system + option hostname '${HOSTNAME}' + option timezone 'UTC' + option ttylogin '0' + option log_size '64' + option urandom_seed '0' + +config timeserver 'ntp' + option enabled '1' + option enable_server '0' + list server '0.openwrt.pool.ntp.org' + list server '1.openwrt.pool.ntp.org' + list server '2.openwrt.pool.ntp.org' + list server '3.openwrt.pool.ntp.org'
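Review bot: The `# cloudflare primary` / `# quad9 backup` comments on the new `list dns` entries describe an order dnsmasq does not honour: without `option strictorder` it probes the servers it reads from `/tmp/resolv.conf.d/resolv.conf.auto` and sticks with whichever answered fastest, re-probing periodically, so any given query may go to either provider. That matters here because the two apply different policies — Quad9 blocks known-malicious domains, `1.1.1.1` does not — so the filtering the Quad9 entries might be meant to give is best-effort at most, and it blurs which provider ends up with the query log. I would keep one provider per family (e.g. only `9.9.9.9`/`149.112.112.112` and `2620:fe::fe`/`2620:fe::9`) or reword the comments to say the servers are used in parallel. Plain port-53 DNS is also unauthenticated on the path; if that is a concern, `https-dns-proxy` is the usual OpenWrt answer, but that is a separate change.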
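Review bot: `option ttylogin '0'` leaves the serial console (and any getty the board exposes) dropping straight into a root shell with no password; that is OpenWrt's shipped default, but for a router that is now managed centrally over the tailnet, physical console access is the one path this repo does not otherwise gate, so I would set `option ttylogin '1'` (and make sure root has a password, or the setting is pointless). Logging is also left at the in-memory ring buffer (`log_size '64'`), so nothing survives a reboot or crash; adding `option log_ip '<collector>'` with `option log_proto 'udp'` (or `option log_file` on a device with flash to spare) gives something to look at after an incident. `${HOSTNAME}` is filled in by the justfile's `envsubst`, but the same name is set by most interactive shells, so running the substitution outside that recipe would silently insert the operator's hostname — worth a comment next to the option.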