Open firewall for gre

configuration/router/default.nix

@@ -10,11 +10,17 @@
     "net.ipv6.conf.all.forwarding" = true;
   };
 
+  networking.firewall.allowedTCPPorts = [
     # Open Firewall for BGP
-  networking.firewall.allowedTCPPorts = [ 179 ];
-  # Open Fireall for OSPF
+    179
+  ];
+
   networking.firewall.extraCommands = ''
+    # Open fireall for OSPF
     ip6tables -A INPUT -p ospfigp -j ACCEPT
     iptables -A INPUT -p ospfigp -j ACCEPT
+    # Open firewall for GRE
+    ip6tables -A INPUT -p gre -j ACCEPT
+    iptables -A INPUT -p gre -j ACCEPT
   '';
 }

hosts/carbon/configuration.nix

@@ -84,6 +84,17 @@
     ];
   };
 
+  clerie.gre-tunnel = {
+    enable = true;
+    ipv4 = {
+      gre-gatekeeper = {
+        remote = "10.152.101.1";
+        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
+        address = "169.254.201.2/24";
+      };
+    };
+  };
+
   services.bird2.enable = true;
   services.bird2.config = ''
   router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };

hosts/gatekeeper/configuration.nix

@@ -136,6 +136,17 @@
     ];
   };
 
+  clerie.gre-tunnel = {
+    enable = true;
+    ipv4 = {
+      gre-carbon = {
+        remote = "10.152.104.1";
+        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
+        address = "169.254.201.1/24";
+      };
+    };
+  };
+
   services.bird2.enable = true;
   services.bird2.config = ''
   router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };

modules/default.nix

@@ -5,6 +5,7 @@
     ./policyrouting
     ./anycast_healthchecker
     ./gitea
+    ./gre-tunnel
     ./nginx-port-forward
   ];
 }

modules/gre-tunnel/default.nix

@@ -1,11 +1,11 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
 let
   cfg = config.clerie.gre-tunnel;
 
-  generateInterfaceUnit = isIPv6: name: tunnel:
+  generateInterfaceUnit = isIPv6: (name: tunnel:
     nameValuePair "gre-tunnel-${name}" {
         description = "GRE Tunnel - ${name}";
         requires = [ "network-online.target" ];
@@ -32,30 +32,36 @@ let
           ip tunnel del ${name}
           ${tunnel.postShutdown}
         '';
-      };
+      });
 
   checkOpts = { config, ... }@moduleAttrs: {
     options = {
       remote = mkOption {
         type = types.str;
+        description = "Address of reciever.";
       };
       local = mkOption {
         type = types.str;
+        description = "Address our packets originate from.";
       };
       address = mkOption {
         type = types.str;
+        description = "Our address in this tunnel.";
       };
       preSetup = mkOption {
         type = types.str;
         default = "";
+        description = "Commands called at the start of the interface setup.";
       };
       postSetup = mkOption {
         type = types.str;
         default = "";
+        description = "Commands called at the end of the interface setup.";
       };
       postShutdown = mkOption {
         type = types.str;
         default = "";
+        description = "Commands called after shutting down the interface.";
       };
     };
   };
@@ -77,7 +83,7 @@ in {
 
   config = mkIf cfg.enable {
     systemd.services =
-    (mapAttrsToList (generateInterfaceUnit false) cfg.ipv4)
-    ++ (mapAttrsToList (generateInterfaceUnit true) cfg.ipv6);
+    (mapAttrs' (generateInterfaceUnit false) cfg.ipv4)
+    // (mapAttrs' (generateInterfaceUnit true) cfg.ipv6);
   };
 }