nixos/hosts/omega/network.nix

{ config, ... }: {
  systemd.network = {
    config = {
      routeTables = {
        "wg-sigma-public" = 822944075;
      };
    };
    # The following establishes a wireguard tunnel to alpha and configures
    # receiving traffic destined for 49.13.33.75. This allows us to have a
    # public address even though we are behind NAT.
    netdevs."50-wg-sigma-public" = {
      netdevConfig = {
        Name = "wg-sigma-public";
        Kind = "wireguard";
      };
      wireguardConfig = {
        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
            PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
            Endpoint = "alpha.caspervk.net:51820";
            # Keep NAT mappings and stateful firewalls open at the ISP
            PersistentKeepalive = 25;
            # AllowedIPs is both an ACL for incoming traffic, as well as a
            # routing table specifying to which peer outgoing traffic should be
            # sent. We want to allow incoming traffic from any address on the
            # internet (routed through alpha), but only replies to this should
            # be routed back over wireguard. Unlike if we had used NAT, IP
            # routes are stateless, so we have no notion of "replies". Instead,
            # we add these routes to a specific routing table and configure a
            # routing policy rule to only use it for packets being sent as the
            # public IP.
            AllowedIPs = [ "0.0.0.0/0" ];
            RouteTable = "wg-sigma-public";
          };
        }
      ];
    };
    networks."wg-sigma-public" = {
      name = "wg-sigma-public";
      address = [ "49.13.33.75/32" ];
      routingPolicyRules = [
        {
          routingPolicyRuleConfig = {
            From = "49.13.33.75/32";
            Table = "wg-sigma-public";
          };
        }
      ];
    };
  };

  age.secrets.wireguard-preshared-key-file = {
    file = ../../secrets/wireguard-preshared-key-file.age;
    mode = "640";
    owner = "root";
    group = "systemd-network";
  };

  age.secrets.wireguard-private-key-file-omega = {
    file = ../../secrets/wireguard-private-key-file-omega.age;
    mode = "640";
    owner = "root";
    group = "systemd-network";
  };
}