Lander Van den Bulcke
a373a0dc20
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
101 lines
1.8 KiB
Nix
101 lines
1.8 KiB
Nix
{ config, ... }:
|
|
{
|
|
imports = [
|
|
./disk-config.nix
|
|
{
|
|
_module.args.disks = [ "/dev/sda" ];
|
|
}
|
|
|
|
../common/servers
|
|
];
|
|
|
|
time.timeZone = "Europe/Berlin";
|
|
|
|
networking.hostName = "hosting-02";
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
allowedUDPPorts = [
|
|
51820
|
|
];
|
|
};
|
|
|
|
networking.iproute2.enable = true;
|
|
systemd.network.config = {
|
|
routeTables = {
|
|
vpn = 133;
|
|
};
|
|
addRouteTablesToIPRoute2 = true;
|
|
};
|
|
|
|
systemd.network.networks."30-wan" = {
|
|
address = [
|
|
"2a01:4f8:c013:7fc0::/64"
|
|
];
|
|
|
|
routingPolicyRules = [
|
|
{
|
|
From = "10.64.244.95/32";
|
|
Table = "vpn";
|
|
}
|
|
{
|
|
From = "fc00:bbbb:bbbb:bb01::1:f45e/128";
|
|
Table = "vpn";
|
|
}
|
|
{
|
|
User = config.users.users.vpn.uid;
|
|
Table = "vpn";
|
|
Family = "both";
|
|
}
|
|
];
|
|
};
|
|
|
|
users.groups.vpn = { };
|
|
users.users.vpn = {
|
|
isSystemUser = true;
|
|
group = "vpn";
|
|
uid = 51280;
|
|
};
|
|
|
|
networking.wireguard = {
|
|
enable = true;
|
|
|
|
interfaces.wg0 = {
|
|
ips = [
|
|
"10.64.244.95/32"
|
|
"fc00:bbbb:bbbb:bb01::1:f45e/128"
|
|
];
|
|
|
|
peers = [
|
|
{
|
|
publicKey = "KkShcqgwbkX2A9n1hhST6qu+m3ldxdJ2Lx8Eiw6mdXw=";
|
|
allowedIPs = [
|
|
"0.0.0.0/0"
|
|
"::0/0"
|
|
];
|
|
endpoint = "146.70.117.226:51820";
|
|
persistentKeepalive = 25;
|
|
}
|
|
];
|
|
|
|
listenPort = 51820;
|
|
privateKeyFile = config.sops.secrets.wireguardKey.path;
|
|
table = "133";
|
|
};
|
|
};
|
|
|
|
sops.secrets = {
|
|
wireguardKey = {
|
|
owner = "root";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
};
|
|
|
|
security.acme.defaults.email = "landervandenbulcke@gmail.com";
|
|
security.acme.acceptTerms = true;
|
|
|
|
system.stateVersion = "25.05";
|
|
}
|