# Host record for the "zpha" machine: static facts about the host (identity,
# hardware, addressing, public keys) plus the NixOS module that configures it.
# Only public keys are stored here; the WireGuard private key is provided by
# sops at runtime.
{
  system = "x86_64-linux";
  nixpkgsStable = true;
  id = 2;
  domain = "fc9f.de";

  # Public halves of the host SSH key (ed25519) and of its WireGuard key.
  sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfZ86/2bpfOY6G2pcEWPlmIS7Mf47lG+s+lmaD/ZL0Z";
  wgPublicKey = "pLPU3QizJjY7QkCItenm/zRKKx5chCj5dTHBLtWHFQs=";

  hardware.cpuVendor = "intel";
  hardware.allowHibernation = false;

  networking = {
    ip4IsPrivate = false;
    ip4Address = "91.132.144.50";
    ip4PrefixLength = 22;
    defaultGateway4 = "91.132.144.1";
    ip6IsPrivate = false;
    ip6Address = "2a03:4000:37:65f::1";
    ip6PrefixLength = 64;
    # The host's own address inside the dn42 ULA range.
    dn42.ip6Address = "fd6b:6174:6a61::2";
    dn42.ip6PrefixLength = 128;
  };

  # NixOS module for this host. `machines` holds the records of all hosts
  # (the WireGuard hub "sorrah" is looked up there), `machineConfig` is this
  # record.
  nixosConfiguration = { machines, machineConfig, config, lib, ... }:
    let
      inherit (machineConfig) id;
      idStr = toString id;
      dn42 = machineConfig.networking.dn42;
      hub = machines.sorrah;
      # Per-machine UDP listen port and firewall mark, both derived from the
      # machine id so every host in the mesh gets a distinct value.
      wgPort = 4200 + id;
      tunnel = "wg-sorrah";
      # `enableAll [ "a" "b" ]` == `{ a.enable = true; b.enable = true; }`.
      enableAll = names: lib.genAttrs names (_: { enable = true; });
    in
    {
      # The WireGuard private key is decrypted by sops and owned by the
      # systemd-network user/group so networkd can read it.
      sops.secrets.wgPrivateKey = {
        owner = "systemd-network";
        group = "systemd-network";
      };

      common = {
        profiles.netcup.enable = true;
        configure.primaryNetworkInterface.enable = true;
        configure.rootDisk.swap = {
          enable = true;
          size = "2G";
        };
      };

      zpha = {
        configure = enableAll [
          "dnsServer"
          "xmppServer"
          "mailServer"
          "matrixBridges"
        ];
        profiles.zaphyra.enable = true;
        profiles.dn42 = {
          enable = true;
          addresses = [
            "${dn42.ip6Address}/${toString dn42.ip6PrefixLength}"
            "fd6b:6174:6a61:53::${idStr}/128"
          ];
        };
        websites = enableAll [
          "zaphyra.eu"
          "oeffi.zaphyra.eu"
          "notes.zaphyra.eu"
          "dav.zaphyra.eu"
          "continuwuity.zaphyra.eu"
          "vault.zaphyra.eu"
          "git.zaphyra.eu"
          "bikemap.zaphyra.eu"
          "gts.zaphyra.eu"
        ];
      };

      # Babel routing over the WireGuard tunnel towards the hub.
      services.babeld = {
        enable = true;
        interfaces.${tunnel} = { };
        interfaceDefaults.type = "tunnel";
        # NOTE(review): `local-port-readwrite` opens babeld's control
        # interface with write access; confirm it is bound to loopback only,
        # since traffic from the tunnel bypasses the firewall (see
        # trustedInterfaces below).
        # NOTE(review): the `redistribute ip ... eq 48` rule expands to a bare
        # address (`fd6b:6174:6a61::<id>`) combined with a /48 length
        # constraint; confirm against babeld's filter semantics that it matches
        # the prefix meant to be exported, because the final
        # `redistribute deny` drops everything it does not match.
        extraConfig = ''
          local-port-readwrite 33123
          export-table 254 # main
          import-table 255 # local
          kernel-priority 1000
          # allow own prefixes
          in ip fd6b:6174:6a61::/48 allow
          # allow external routes
          in ip fd00::/8 allow
          in deny
          redistribute ip fd6b:6174:6a61::${idStr} eq 48 allow
          redistribute local deny
          redistribute deny
        '';
      };

      networking.firewall = {
        # NOTE(review): "loose" relaxes reverse-path filtering host-wide,
        # presumably because the tunnel carries sources that do not route back
        # through it; a stricter setting would drop that traffic. Confirm.
        checkReversePath = "loose";
        # Everything arriving on the tunnel bypasses the host firewall. The
        # single peer below has AllowedIPs = ::/0, so any IPv6 source address
        # the hub sends is accepted; babeld's `in` filters above restrict which
        # routes are learned, not which packets are forwarded. Confirm this is
        # the intended trust boundary.
        trustedInterfaces = [ tunnel ];
        # Only the WireGuard listen port is opened on the other interfaces.
        allowedUDPPorts = [
          config.systemd.network.netdevs."42-wg-sorrah".wireguardConfig.ListenPort
        ];
      };

      systemd.network = {
        # System-wide IPv6 forwarding: this host routes between the tunnel and
        # its other interfaces.
        config.networkConfig.IPv6Forwarding = true;

        netdevs."42-wg-sorrah" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = tunnel;
            MTUBytes = 1280; # IPv6 minimum link MTU
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets."wgPrivateKey".path;
            ListenPort = wgPort;
            FirewallMark = wgPort;
          };
          wireguardPeers = [
            {
              PublicKey = hub.wgPublicKey;
              # Cryptokey routing accepts every IPv6 source from this peer.
              AllowedIPs = [ "::/0" ];
              # The hub listens on its own id-derived port.
              Endpoint = "[${hub.networking.ip6Address}]:${toString (4200 + hub.id)}";
              PersistentKeepalive = 10;
            }
          ];
        };

        networks."42-wg-sorrah" = {
          matchConfig.Name = tunnel;
          linkConfig = {
            RequiredForOnline = false;
            # Babel neighbour discovery uses link-local multicast.
            Multicast = true;
          };
          # Static addressing on the tunnel: no DHCP, no router advertisements.
          networkConfig = {
            DHCP = false;
            IPv6AcceptRA = false;
          };
          address = [
            "fe80:fc9f::${idStr}/64"
            "fd6b:6174:6a61:fc9f::${idStr}/48"
          ];
        };
      };
    };
}