nix-infra/config/hosts/mail-1/configuration.nix

{ pkgs, ... }:
{
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  systemd.network = {
    enable = true;
    networks = {
      "enp6s18" = {
        matchConfig.Name = "enp6s18";
        address = [
          "10.202.41.123/24"
        ];
        routes = [
          {
            Gateway = "10.202.41.1";
            Destination = "10.201.0.0/16";
          }
          {
            Gateway = "10.202.41.1";
            Destination = "10.202.0.0/16";
          }
          {
            Gateway = "10.202.41.1";
            Destination = "172.21.87.0/24";
          }
          {
            Gateway = "10.202.41.1";
            Destination = "212.53.203.19/32";
          }
        ];
        linkConfig.RequiredForOnline = "routable";
      };
      "wg0" = {
        matchConfig.Name = "wg0";
        address = [
          "172.18.50.2/24"
        ];
        DHCP = "no";
        gateway = [
          "172.18.50.1"
        ];
      };
    };
    netdevs = {
      "wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
        };
        wireguardConfig = {
          PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
        };
        wireguardPeers = [{
          PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
          PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
          Endpoint = "212.53.203.19:51822";
          AllowedIPs = [ "0.0.0.0/0" ];
          PersistentKeepalive = 25;
        }];
      };
    };
  };

  networking = {
    hostName = "mail-1";
    useDHCP = false;
    firewall = {
      enable = true;
      allowedTCPPorts = [ 25 465 993 ];
    };
  };

  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];

  system.stateVersion = "23.05";
}