my terrible dotfiles
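# Steers traffic of the users listed in config.forest.proxiedUsers through a
# WireGuard tunnel (wg0) with per-user policy routing; all other traffic keeps
# using the LAN uplink.  Key material is supplied by sops-nix secrets.
{ lib, config, ... }:
let
  # WireGuard peer address; the port is appended where the peer is declared.
  endpoint = "146.70.199.194";

  # Routing table that carries the tunnel's default route.
  wgTable = 1000;

  # One routing-policy rule per proxied user, built from a shared template.
  perUser = rule: map (user: rule // { User = user; }) config.forest.proxiedUsers;
in
{
  # Owned by systemd-network so networkd can read the decrypted files itself.
  sops.secrets = {
    "mullvad/peer-pubkey" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
    "mullvad/privkey" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
  };

  systemd.network = {
    enable = true;

    networks = {
      "50-lan" = {
        matchConfig.Name = "enp5s0";
        networkConfig.DHCP = "ipv4";
      };

      # Container veth interfaces are left to whatever created them.
      "50-ignore-ve" = {
        matchConfig.Name = "ve-*";
        linkConfig.Unmanaged = true;
      };

      "50-wg0" = {
        matchConfig.Name = "wg0";
        address = [ "10.65.20.241/32" ];
        gateway = [ "10.65.20.240" ];
        networkConfig.IPv6AcceptRA = "no";
        # Boot must not wait for the tunnel to come up.
        linkConfig.RequiredForOnline = "no";

        # Per-user policy routing, evaluated by Priority:
        #   30000: look up main with SuppressPrefixLength=0, so LAN/local routes
        #          still match but main's default route is ignored;
        #   30001: look up table 1000, which holds the tunnel's default route.
        routingPolicyRules =
          perUser {
            Table = wgTable;
            Priority = 30001;
            Family = "both";
          }
          ++ perUser {
            Table = "main";
            SuppressPrefixLength = 0;
            Priority = 30000;
            Family = "both";
          };

        # Fail closed for IPv6.  The peer below only routes 0.0.0.0/0 into
        # table 1000, yet the rules above send both families there: an IPv6
        # lookup for a proxied user would find no route in table 1000 and fall
        # through to main, leaving the host outside the tunnel if it has IPv6
        # connectivity.  An "unreachable" default in the same table closes that
        # gap.  There is deliberately no IPv4 counterpart here, since the peer's
        # own default route occupies that slot.
        # NOTE(review): written in the flat [Route] attribute form, matching
        # the flat routingPolicyRules entries above (NixOS >= 24.11) — confirm
        # against the release in use.
        routes = [
          {
            Destination = "::/0";
            Type = "unreachable";
            Table = wgTable;
          }
        ];
      };
    };

    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        # Read at runtime from the sops-decrypted path; the key is not in the
        # Nix store.
        PrivateKeyFile = config.sops.secrets."mullvad/privkey".path;
        # Default table for AllowedIPs routes; the peer overrides it to table
        # 1000.  FirewallMark tags the encapsulated UDP packets; no rule in this
        # file matches on the mark, so they follow the ordinary lookup.
        RouteTable = "main";
        FirewallMark = 42;
      };
      wireguardPeers = [
        {
          PublicKeyFile = config.sops.secrets."mullvad/peer-pubkey".path;
          Endpoint = "${endpoint}:51820";
          # IPv4-only tunnel: this is the sole route placed in table 1000 by
          # the peer.
          AllowedIPs = [ "0.0.0.0/0" ];
          RouteTable = wgTable;
        }
      ];
    };
  };

  networking = {
    # Policy-routed replies may leave via a different interface than strict
    # reverse-path filtering expects; "loose" keeps the firewall from dropping
    # them.
    firewall.checkReversePath = "loose";
    # Masquerade container (ve-*) traffic out of the LAN uplink.  Note this is
    # the plain uplink, not wg0: container traffic is not tunnelled by this file.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp5s0";
    };
  };
}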