Fix WireGuard nat rules

2023-09-18 03:38:09 +02:00 · 2023-09-18 03:38:09 +02:00 · 3723b4edf2
commit 3723b4edf2
parent e0d1e17bbb
11 changed files with 269 additions and 61 deletions
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@ -0,0 +1,91 @@
+{ pkgs, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "enp6s18" = {
+        matchConfig.Name = "enp6s18";
+        address = [
+          "10.201.41.100/24"
+        ];
+        routes = [
+          {
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "10.201.0.0/16";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "10.202.0.0/16";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "172.21.87.0/24";
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "217.160.117.160/32";
+            };
+          }
+        ];
+        linkConfig.RequiredForOnline = "routable";
+      };
+      "wg0" = {
+        matchConfig.Name = "wg0";
+        address = [
+          "172.16.50.2/24"
+        ];
+        DHCP = "no";
+        gateway = [
+          "172.16.50.1"
+        ];
+      };
+    };
+    netdevs = {
+      "wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
+            PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
+            Endpoint = "217.160.117.160:51820";
+            AllowedIPs = [ "0.0.0.0/0" ];
+            PersistentKeepalive = 25;
+          };
+        }];
+      };
+    };
+  };
+
+  networking = {
+    hostName = "mail-2";
+    useDHCP = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 25 ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  system.stateVersion = "23.05";
+}
--- a/config/hosts/mail-2/default.nix
+++ b/config/hosts/mail-2/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./postfix.nix
+  ];
+}
--- a/config/hosts/mail-2/postfix.nix
+++ b/config/hosts/mail-2/postfix.nix
@ -0,0 +1,17 @@
+{ ... }: {
+  # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
+  services.postfix = {
+    enable = true;
+    hostname = "mail-2.grzb.de";
+    relayDomains = [
+      "grzb.de"
+      "nekover.se"
+    ];
+    extraConfig = ''
+      message_size_limit = 20971520
+      smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
+      proxy_interfaces = 217.160.117.160
+      relay_recipient_maps =
+    '';
+  };
+}
--- a/config/hosts/mail-2/secrets.nix
+++ b/config/hosts/mail-2/secrets.nix
@ -0,0 +1,19 @@
+{ ... }:
+{
+  deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "systemd-network";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "systemd-network";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}