{ config, secrets, ... }: { systemd.network = { # Main interface # https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud networks."10-lan" = { name = "enp1s0"; address = [ "116.203.179.206/32" "2a01:4f8:c2c:71c0::/64" ]; routes = [ {routeConfig = {Destination = "172.31.1.1";};} { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; } {routeConfig = {Gateway = "fe80::1";};} ]; }; # The following routes traffic destined for 49.13.33.75 (floating IP) to # sigma through wireguard. This allows the server to have a public address # even though it is behind NAT. netdevs."50-wg-sigma-public" = { netdevConfig = { Name = "wg-sigma-public"; Kind = "wireguard"; }; wireguardConfig = { ListenPort = 51820; PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; # Add to the main routing table that traffic for the address should # be sent to sigma. AllowedIPs = ["49.13.33.75/32"]; RouteTable = "main"; }; } ]; }; networks."wg-sigma-public" = { name = "wg-sigma-public"; }; # The following routes traffic destined for the sigma-p2p address (floating # IP) to sigma through wireguard. This allows the server to have a public # address and help others sail the high seas even though it is behind NAT. netdevs."51-wg-sigma-p2p" = { netdevConfig = { Name = "wg-sigma-p2p"; Kind = "wireguard"; }; wireguardConfig = { ListenPort = 51821; PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; AllowedIPs = ["${secrets.alpha.sigma-p2p-ip-address}/32"]; RouteTable = "main"; }; } ]; }; networks."wg-sigma-p2p" = { name = "wg-sigma-p2p"; }; }; # Enable forwarding of packets boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv4.conf.all.forwarding" = true; }; networking = { firewall.allowedUDPPorts = [51820 51821]; }; age.secrets.wireguard-preshared-key-file = { file = "${secrets}/secrets/wireguard-preshared-key-file.age"; mode = "640"; owner = "root"; group = "systemd-network"; }; age.secrets.wireguard-private-key-file-alpha = { file = "${secrets}/secrets/wireguard-private-key-file-alpha.age"; mode = "640"; owner = "root"; group = "systemd-network"; }; }