2024-03-28 16:35:03 +01:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
secrets,
|
|
|
|
...
|
|
|
|
}: {
|
2024-02-24 19:36:29 +01:00
|
|
|
systemd.network = {
|
|
|
|
# Main interface
|
2024-03-31 03:56:59 +02:00
|
|
|
# https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud
|
2024-02-24 19:36:29 +01:00
|
|
|
networks."10-lan" = {
|
2024-02-24 16:43:10 +01:00
|
|
|
name = "enp1s0";
|
|
|
|
address = [
|
2024-03-31 03:56:59 +02:00
|
|
|
"116.203.179.206/32"
|
2024-02-24 16:43:10 +01:00
|
|
|
"2a01:4f8:c2c:71c0::/64"
|
|
|
|
];
|
|
|
|
routes = [
|
2024-03-31 03:56:59 +02:00
|
|
|
{routeConfig = {Destination = "172.31.1.1";};}
|
|
|
|
{
|
|
|
|
routeConfig = {
|
|
|
|
Gateway = "172.31.1.1";
|
|
|
|
GatewayOnLink = true;
|
|
|
|
};
|
|
|
|
}
|
2024-03-05 22:57:41 +01:00
|
|
|
{routeConfig = {Gateway = "fe80::1";};}
|
2024-02-24 16:43:10 +01:00
|
|
|
];
|
|
|
|
};
|
2024-02-24 19:36:29 +01:00
|
|
|
|
|
|
|
# The following routes traffic destined for 49.13.33.75 (floating IP) to
|
|
|
|
# sigma through wireguard. This allows the server to have a public address
|
|
|
|
# even though it is behind NAT.
|
|
|
|
netdevs."50-wg-sigma-public" = {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = "wg-sigma-public";
|
|
|
|
Kind = "wireguard";
|
|
|
|
};
|
|
|
|
wireguardConfig = {
|
|
|
|
ListenPort = 51820;
|
|
|
|
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
|
|
|
|
};
|
|
|
|
wireguardPeers = [
|
|
|
|
{
|
|
|
|
wireguardPeerConfig = {
|
|
|
|
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
|
|
|
|
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
|
|
|
|
# Add to the main routing table that traffic for the address should
|
|
|
|
# be sent to sigma.
|
2024-03-05 22:57:41 +01:00
|
|
|
AllowedIPs = ["49.13.33.75/32"];
|
2024-02-24 19:36:29 +01:00
|
|
|
RouteTable = "main";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
networks."wg-sigma-public" = {
|
|
|
|
name = "wg-sigma-public";
|
|
|
|
};
|
2024-02-28 00:49:48 +01:00
|
|
|
|
2024-03-29 20:36:24 +01:00
|
|
|
# The following routes traffic destined for the sigma-p2p address (floating
|
|
|
|
# IP) to sigma through wireguard. This allows the server to have a public
|
|
|
|
# address and help others sail the high seas even though it is behind NAT.
|
2024-02-28 00:49:48 +01:00
|
|
|
netdevs."51-wg-sigma-p2p" = {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = "wg-sigma-p2p";
|
|
|
|
Kind = "wireguard";
|
|
|
|
};
|
|
|
|
wireguardConfig = {
|
|
|
|
ListenPort = 51821;
|
|
|
|
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
|
|
|
|
};
|
|
|
|
wireguardPeers = [
|
|
|
|
{
|
|
|
|
wireguardPeerConfig = {
|
|
|
|
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
|
|
|
|
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
|
2024-05-10 18:50:22 +02:00
|
|
|
AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"];
|
2024-02-28 00:49:48 +01:00
|
|
|
RouteTable = "main";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
networks."wg-sigma-p2p" = {
|
|
|
|
name = "wg-sigma-p2p";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-02-24 19:36:29 +01:00
|
|
|
# Enable forwarding of packets
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"net.ipv4.ip_forward" = true;
|
|
|
|
"net.ipv4.conf.all.forwarding" = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
networking = {
|
2024-03-05 22:57:41 +01:00
|
|
|
firewall.allowedUDPPorts = [51820 51821];
|
2024-02-24 19:36:29 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets.wireguard-preshared-key-file = {
|
2024-03-28 16:35:03 +01:00
|
|
|
file = "${secrets}/secrets/wireguard-preshared-key-file.age";
|
2024-05-09 17:26:55 +02:00
|
|
|
mode = "440";
|
2024-02-24 19:36:29 +01:00
|
|
|
owner = "root";
|
|
|
|
group = "systemd-network";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets.wireguard-private-key-file-alpha = {
|
2024-03-28 16:35:03 +01:00
|
|
|
file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
|
2024-05-09 17:26:55 +02:00
|
|
|
mode = "440";
|
2024-02-24 19:36:29 +01:00
|
|
|
owner = "root";
|
|
|
|
group = "systemd-network";
|
2024-02-24 16:43:10 +01:00
|
|
|
};
|
|
|
|
}
|