fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nix-infra/config/hosts/valkyrie/configuration.nix

100 lines
3.2 KiB
Nix
Raw Blame History

{ pkgs, ... }:
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "valkyrie";
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
};
wireguard = {
enable = true;
interfaces = {
# Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy
wg0 = {
listenPort = 51820;
ips = [
"10.203.10.3/24"
];
peers = [
{
name = "site1-grzb";
publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
endpoint = "site1.grzb.de:51826";
allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
}
{
name = "site2-grzb";
publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
endpoint = "site2.grzb.de:51826";
allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
}
{
name = "site1-jsts";
publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
endpoint = "site1.jsts.xyz:51823";
allowedIPs = [ "10.203.10.4/32" ];
}
];
privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
};
# mail-1 VPN
wg1 = {
listenPort = 51822;
ips = [
"172.18.50.1/24"
];
peers = [
{
name = "mail-1";
publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret";
allowedIPs = [ "172.18.50.2/32" ];
}
];
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
'';
privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret";
};
};
};
nat = {
enable = true;
internalInterfaces = [ "wg1" ];
externalInterface = "ens3";
forwardPorts = [
{
destination = "172.18.50.2:25";
proto = "tcp";
sourcePort = 25;
}
{
destination = "172.18.50.2:465";
proto = "tcp";
sourcePort = 465;
}
{
destination = "172.18.50.2:993";
proto = "tcp";
sourcePort = 993;
}
];
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "24.11";
}
Reference in a new issue View git blame Copy permalink