# NixOS module for host "valkyrie": WireGuard hub (site-to-site links on wg0,
# the mail-1 VPN on wg1), nftables-based firewall, and NAT/port-forwarding of
# inbound mail traffic to the mail-1 peer.
{ pkgs, ... }:
let
  ipt = "${pkgs.iptables}/bin/iptables";

  # Address space of the mail-1 VPN (wg1) and the mail host behind it.
  mailVpnNet = "172.16.50.0/24";
  mailHost = "172.16.50.2";

  # One DNAT entry per inbound TCP mail port, all terminated on mail-1 over wg1.
  forwardToMail = port: {
    destination = "${mailHost}:${toString port}";
    proto = "tcp";
    sourcePort = port;
  };
in
{
  # IPv4 forwarding on every interface, not only the VPN ones.
  # NOTE(review): networking.nat.enable below also enables forwarding; confirm
  # the explicit all-interfaces sysctl is still wanted.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking.hostName = "valkyrie";
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    # 51820 / 51821 are the wg0 / wg1 listen ports declared below.
    # NOTE(review): 51827 and 51828 are not bound by any interface in this file —
    # confirm they are still needed, otherwise drop them to reduce exposure.
    allowedUDPPorts = [ 51820 51821 51827 51828 ];
  };

  networking.wireguard.enable = true;

  # Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy
  networking.wireguard.interfaces.wg0 = {
    listenPort = 51820;
    ips = [ "10.203.10.3/24" ];
    privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
    peers = [
      {
        name = "site1-grzb";
        publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
        presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
        endpoint = "site1.grzb.de:51826";
        allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
      }
      {
        name = "site2-grzb";
        publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
        presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
        endpoint = "site2.grzb.de:51826";
        allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
      }
      {
        # NOTE(review): the peer is named site2-jsts while its endpoint and PSK
        # file refer to site1 — confirm which one is intended.
        name = "site2-jsts";
        publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
        presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
        endpoint = "site1.jsts.xyz:51823";
        allowedIPs = [ "10.203.10.4/32" ];
      }
    ];
  };

  # mail-1 VPN
  networking.wireguard.interfaces.wg1 = {
    listenPort = 51821;
    ips = [ "172.16.50.1/24" ];
    privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret";
    peers = [
      {
        name = "mail-1";
        publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
        presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret";
        allowedIPs = [ "172.16.50.2/32" ];
      }
    ];
    # NOTE(review): with networking.nftables.enable set, the NixOS firewall and
    # NAT are rendered as nftables while these hooks call iptables directly;
    # confirm the two rule sets agree. Also confirm that the FORWARD rule is
    # meant to match wg0 (not wg1, whose subnet is masqueraded right below),
    # that ens6 is the intended egress (networking.nat uses ens3), and whether
    # this masquerade is still needed alongside networking.nat for wg1.
    postSetup = ''
      ${ipt} -A FORWARD -i wg0 -j ACCEPT
      ${ipt} -t nat -A POSTROUTING -s ${mailVpnNet} -o ens6 -j MASQUERADE
    '';
    postShutdown = ''
      ${ipt} -D FORWARD -i wg0 -j ACCEPT
      ${ipt} -t nat -D POSTROUTING -s ${mailVpnNet} -o ens6 -j MASQUERADE
    '';
  };

  # NAT for the mail-1 VPN plus DNAT of inbound SMTP / SMTPS / IMAPS to mail-1.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "wg1" ];
    externalInterface = "ens3";
    forwardPorts = map forwardToMail [ 25 465 993 ];
  };

  services.prometheus.exporters.node.enable = false;
  system.stateVersion = "23.05";
}