{ pkgs, ... }:

let
  # Tunnel subnet: this host is .1, the mail-2 peer is .2.
  vpnSubnet = "172.18.50.0/24";
  vpnHostAddr = "172.18.50.1";
  vpnPeerAddr = "172.18.50.2";

  # Interface that carries the tunnel traffic out of this host and that the
  # port forwards below are reached on.
  # NOTE(review): presumably the public-facing NIC — confirm on the machine.
  wanInterface = "ens6";

  wireguardPort = 51820;

  iptables = "${pkgs.iptables}/bin/iptables";

  # Rules applied when wg0 comes up (action = "A") and removed when it goes
  # down (action = "D"): accept forwarded traffic entering via wg0 and hide
  # the tunnel subnet behind the WAN interface.
  # NOTE(review): networking.nat below also masquerades wg0 -> wanInterface,
  # so the MASQUERADE rule here looks like a duplicate — verify on a running
  # host before relying on either rule alone.
  tunnelRules = action: ''
    ${iptables} -${action} FORWARD -i wg0 -j ACCEPT
    ${iptables} -t nat -${action} POSTROUTING -s ${vpnSubnet} -o ${wanInterface} -j MASQUERADE
  '';

  # Published TCP ports that are DNATed to the mail-2 peer over the tunnel.
  publishedTcpPorts = [ 25 80 ];
in
{
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  # Needed so the host routes between wg0 and the WAN interface.
  # NOTE(review): networking.nat.enable is expected to set this as well — confirm.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking.hostName = "lifeline";
  networking.useDHCP = true;

  # Only the WireGuard listener is opened on INPUT; the DNATed ports are
  # handled by the NAT rules, not by allowedTCPPorts.
  networking.firewall.enable = true;
  networking.firewall.allowedUDPPorts = [ wireguardPort ];

  # mail-2 VPN
  networking.wireguard.enable = true;
  networking.wireguard.interfaces.wg0 = {
    listenPort = wireguardPort;
    ips = [ "${vpnHostAddr}/24" ];
    privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";

    peers = [
      {
        name = "mail-2";
        publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
        presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
        # Restrict the peer to its single tunnel address.
        allowedIPs = [ "${vpnPeerAddr}/32" ];
      }
    ];

    postSetup = tunnelRules "A";
    postShutdown = tunnelRules "D";
  };

  # Masquerade tunnel traffic out of the WAN interface and publish the
  # peer's SMTP and HTTP ports on this host's address.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "wg0" ];
    externalInterface = wanInterface;
    forwardPorts = map
      (port: {
        destination = "${vpnPeerAddr}:${toString port}";
        proto = "tcp";
        sourcePort = port;
      })
      publishedTcpPorts;
  };

  services.prometheus.exporters.node.enable = false;

  system.stateVersion = "23.05";
}