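# NixOS module for the single-node IPv6-only Kubernetes host "hainich".
#
# Layout as expressed by this file:
#   * etcd and the apiserver live on the host address 2a0d:eb04:8:10::1.
#   * Pods get 2a0d:eb04:8:12::/64, services 2a0d:eb04:8:11::/120.
#   * IPv4 reachability is provided by tayga (NAT64) on the tunnat64
#     interface; the public IPv4 46.4.63.158 on enp6s0 is DNAT'd into the
#     10.255.255.0/24 pool, which tayga maps onto IPv6 addresses.
#   * openebs needs zfs under /usr, provided by an activation script.
{ config, pkgs, ... }:
{
  services.etcd = {
    # Client traffic on the host's global address, peer traffic on loopback only.
    advertiseClientUrls = [ "https://[2a0d:eb04:8:10::1]:2379" ];
    listenClientUrls = [ "https://[2a0d:eb04:8:10::1]:2379" ];
    listenPeerUrls = [ "https://[::1]:2380" ];
  };

  services.kubernetes = {
    # Control plane and workloads on the same machine.
    roles = [ "master" "node" ];
    # No overlay network; pod routing is plain IPv6 via cbr0 (see routes below).
    flannel.enable = false;
    addons.dns = {
      enable = true;
      clusterIp = "2a0d:eb04:8:11::53";
      reconcileMode = "EnsureExists";
    };
    # Extra SAN for the cfssl API certificate (easyCerts PKI, see below).
    pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
    apiserver = {
      advertiseAddress = "2a0d:eb04:8:10::1";
      extraSANs = [ "2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space" ];
      bindAddress = "::";
      # The insecure (unauthenticated) API port is confined to loopback.
      insecureBindAddress = "::1";
      etcd = {
        servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
      };
      serviceClusterIpRange = "2a0d:eb04:8:11::/120";
      # Cluster-wide permission for privileged pods; presumably required by
      # openebs/zfs (see activation script) -- confirm, and consider
      # restricting privileged workloads by namespace/policy.
      extraOpts = "--allow-privileged=true";
    };
    controllerManager = {
      bindAddress = "::";
      clusterCidr = "2a0d:eb04:8:12::/64";
    };
    kubelet = {
      address = "::";
      clusterDns = "2a0d:eb04:8:11::53";
    };
    proxy = {
      bindAddress = "::";
    };
    scheduler = {
      address = "::1";
    };
    apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
    clusterCidr = "2a0d:eb04:8:12::/64";
    # Automatic cfssl-based PKI for all cluster components.
    easyCerts = true;
    masterAddress = "hainich.hacc.space";
  };

  networking.firewall = {
    allowedTCPPorts = [ 80 443 6443 ];
    # Traffic arriving on these interfaces bypasses the NixOS input firewall
    # entirely: cbr0 carries pod traffic, tunnat64 carries NAT64-translated
    # traffic, including the DNAT'd connections from the public IPv4 below.
    trustedInterfaces = [ "cbr0" "tunnat64" ];
    extraCommands = ''
      iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
      iptables -A FORWARD -i tunnat64 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
      ip6tables -A FORWARD -i tunnat64 -j ACCEPT
      ip6tables -A INPUT -i tunnat64 -j ACCEPT
    '';
    # Every rule appended in extraCommands must be deleted here, otherwise the
    # rules accumulate each time the firewall is reloaded.  Previously the two
    # ip6tables lines used -A instead of -D.
    extraStopCommands = ''
      iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
      iptables -D FORWARD -i tunnat64 -j ACCEPT
      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
      ip6tables -D FORWARD -i tunnat64 -j ACCEPT
      ip6tables -D INPUT -i tunnat64 -j ACCEPT
    '';
    # NOTE(review): `ip6tables -A INPUT -i tunnat64 -j ACCEPT` is redundant with
    # trustedInterfaces above.  Also, public :6443 is forwarded to
    # 10.255.255.1:443 -- per the tayga map that is the host itself, on port
    # 443 rather than the apiserver's 6443 -- confirm this is intended.
  };

  # tayga NAT64 daemon.  The let-bound name was `config`, which shadowed the
  # module argument; it is renamed to keep the two apart.
  systemd.services.tayga = (let
    taygaConf = pkgs.writeText "tayga.conf" ''
      tun-device tunnat64
      ipv4-addr 10.255.255.254
      prefix 2a0d:eb04:8:10:64::/96
      dynamic-pool 10.255.255.0/24
      map 10.255.255.1 2a0d:eb04:8:10::1
      map 10.255.255.2 2a0d:eb04:8:11::2
      strict-frag-hdr 1
    '';
    # 10.255.255.1 -> the host's own address; 10.255.255.2 -> an address inside
    # serviceClusterIpRange (presumably an ingress service -- confirm).
    startScript = pkgs.writeScriptBin "tayga-start" ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.iproute}/bin/ip link set up tunnat64 || true
      ${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
      ${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
      ${pkgs.tayga}/bin/tayga -d --config ${taygaConf}
    '';
  in {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${startScript}/bin/tayga-start";
    };
  });

  # Pod prefix is routed via the bridge; tunnat64 is created by tayga itself.
  networking.interfaces.cbr0.ipv6.routes = [{
    address = "2a0d:eb04:8:10::";
    prefixLength = 60;
  }];
  networking.interfaces.tunnat64 = {
    virtual = true;
  };

  # openebs expects some stuff to be there.
  system.activationScripts.openebs = ''
    mkdir -p /usr/lib /usr/sbin
    ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
    ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
  '';
}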