Fix WireGuard nat rules

2023-09-18 03:38:09 +02:00 · 2023-09-18 03:38:09 +02:00 · 3723b4edf2
commit 3723b4edf2
parent e0d1e17bbb
11 changed files with 269 additions and 61 deletions
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@ -1,61 +1,91 @@
-{ hosts, ... }:
+{ pkgs, ... }:
 {
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

-  networking = {
-    hostName = "mail-1";
-    useDHCP = true;
-    defaultGateway = {
-      address = "172.16.50.1";
-      interface = "wg0";
-    };
-    interfaces.enp6s18.ipv4 = {
-      routes = [
-        {
-          address = "10.201.0.0";
-          prefixLength = 16;
-          via = "10.202.41.1";
-        }
-        {
-          address = "10.202.0.0";
-          prefixLength = 16;
-          via = "10.202.41.1";
-        }
-        {
-          address = "172.21.87.0"; # management VPN
-          prefixLength = 24;
-          via = "10.202.41.1";
-        }
-        {
-          address = "212.53.203.19"; # valkyrie.af.grzb.de
-          prefixLength = 32;
-          via = "10.202.41.1";
-        }
-      ];
-    };
-    wireguard = {
-      enable = true;
-      interfaces.wg0 = {
-        ips = [
-          "172.16.50.2/24"
+  systemd.network = {
+    enable = true;
+    networks = {
+      "enp6s18" = {
+        matchConfig.Name = "enp6s18";
+        address = [
+          "10.202.41.123/24"
        ];
-        peers = [
+        routes = [
          {
-            name = "valkyrie";
-            publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
-            presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
-            endpoint = "212.53.203.19:51822";
-            allowedIPs = [ "0.0.0.0/0" ];
-            persistentKeepalive = 25;
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "10.201.0.0/16";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "10.202.0.0/16";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "172.21.87.0/24";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "212.53.203.19/32";
+            };
          }
        ];
-        privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
+        linkConfig.RequiredForOnline = "routable";
+      };
+      "wg0" = {
+        matchConfig.Name = "wg0";
+        address = [
+          "172.16.50.2/24"
+        ];
+        DHCP = "no";
+        gateway = [
+          "172.16.50.1"
+        ];
+      };
+    };
+    netdevs = {
+      "wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+            PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+            Endpoint = "212.53.203.19:51822";
+            AllowedIPs = [ "0.0.0.0/0" ];
+            PersistentKeepalive = 25;
+          };
+        }];
      };
    };
  };

+  networking = {
+    hostName = "mail-1";
+    useDHCP = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 25 465 993 ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
  system.stateVersion = "23.05";
 }
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@ -59,8 +59,11 @@

  services.postfix = {
    transport = "relay:[mail-2.grzb.de]";
+<<<<<<< HEAD
    extraConfig = ''
      proxy_interfaces = 212.53.203.19
    '';
+=======
+>>>>>>> 0e55e66 (Use systemd-networkd on mail servers)
  };
 }