nixos/hosts/alpha/network.nix

112 lines
3.3 KiB
Nix
Raw Normal View History

2024-03-28 16:35:03 +01:00
{
config,
secrets,
...
}: {
2024-02-24 19:36:29 +01:00
systemd.network = {
# Main interface
2024-06-27 20:37:34 +02:00
# https://wiki.nixos.org/wiki/Install_NixOS_on_Hetzner_Cloud
2024-02-24 19:36:29 +01:00
networks."10-lan" = {
matchConfig.Name = "enp1s0";
address = [
2024-03-31 03:56:59 +02:00
"116.203.179.206/32"
"2a01:4f8:c2c:71c0::/64"
];
routes = [
2024-03-31 03:56:59 +02:00
{routeConfig = {Destination = "172.31.1.1";};}
{
routeConfig = {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
}
2024-03-05 22:57:41 +01:00
{routeConfig = {Gateway = "fe80::1";};}
];
2024-06-03 23:35:23 +02:00
# Enable proxy ARP to answer ARP requests for the floating IP addresses,
# intended for the wireguard peers, from Hetzner's router. Without this,
# the router will not send traffic to us.
networkConfig.IPv4ProxyARP = true;
};
2024-02-24 19:36:29 +01:00
# The following routes traffic destined for 49.13.33.75 (floating IP) to
# sigma through wireguard. This allows the server to have a public address
# even though it is behind NAT.
netdevs."50-wg-sigma-public" = {
netdevConfig = {
Name = "wg-sigma-public";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
2024-03-05 22:57:41 +01:00
AllowedIPs = ["49.13.33.75/32"];
2024-02-24 19:36:29 +01:00
RouteTable = "main";
};
}
];
};
networks."50-wg-sigma-public" = {
matchConfig.Name = "wg-sigma-public";
2024-02-24 19:36:29 +01:00
};
2024-02-28 00:49:48 +01:00
2024-03-29 20:36:24 +01:00
# The following routes traffic destined for the sigma-p2p address (floating
# IP) to sigma through wireguard. This allows the server to have a public
# address and help others sail the high seas even though it is behind NAT.
netdevs."50-wg-sigma-p2p" = {
2024-02-28 00:49:48 +01:00
netdevConfig = {
Name = "wg-sigma-p2p";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51821;
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
2024-05-10 18:50:22 +02:00
AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"];
2024-02-28 00:49:48 +01:00
RouteTable = "main";
};
}
];
};
networks."50-wg-sigma-p2p" = {
matchConfig.Name = "wg-sigma-p2p";
2024-02-28 00:49:48 +01:00
};
};
2024-02-24 19:36:29 +01:00
# Enable forwarding of packets
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
};
networking = {
2024-10-12 02:52:58 +02:00
firewall.allowedTCPPorts = [25];
2024-03-05 22:57:41 +01:00
firewall.allowedUDPPorts = [51820 51821];
2024-02-24 19:36:29 +01:00
};
age.secrets.wireguard-preshared-key-file = {
2024-03-28 16:35:03 +01:00
file = "${secrets}/secrets/wireguard-preshared-key-file.age";
2024-05-09 17:26:55 +02:00
mode = "440";
2024-02-24 19:36:29 +01:00
owner = "root";
group = "systemd-network";
};
age.secrets.wireguard-private-key-file-alpha = {
2024-03-28 16:35:03 +01:00
file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
2024-05-09 17:26:55 +02:00
mode = "440";
2024-02-24 19:36:29 +01:00
owner = "root";
group = "systemd-network";
};
}