From 50eac633e27d667e651aa5a5af1524d4562c56b2 Mon Sep 17 00:00:00 2001 From: catvayor Date: Mon, 14 Oct 2024 17:04:43 +0200 Subject: [PATCH] end with netbird --- machines/kat-mail-test/default.nix | 86 ++++++++++++++++++++---------- machines/kat-manah/default.nix | 14 +---- machines/kat-watcher/default.nix | 37 +++++++------ 3 files changed, 79 insertions(+), 58 deletions(-) diff --git a/machines/kat-mail-test/default.nix b/machines/kat-mail-test/default.nix index 69107cc..4466ddb 100644 --- a/machines/kat-mail-test/default.nix +++ b/machines/kat-mail-test/default.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + nodes, sources, ... }: 
@@ -21,38 +22,62 @@ in efi.canTouchEfiVariables = true; }; - networking = { - useNetworkd = lib.mkForce false; - interfaces."enp1s0" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.122.3"; - prefixLength = 24; - } - ]; - ipv6.addresses = [ - { - address = "fe80::3"; - prefixLength = 64; - } - ]; + kat.wireguardPubKey = "Znj451+hGJcPV1zFgpRMA8hg8edmUInA5zBtYBUuL3k="; + systemd.network = { + networks = { + "10-enp1s0" = { + name = "enp1s0"; + address = [ + "192.168.122.3/24" + "fe80::3/64" + ]; + routes = [ + { + routeConfig = { + Destination = "10.42.0.2/32"; + Gateway = "192.168.122.1"; + }; + } + ]; + dns = [ "192.168.122.1" ]; + }; + "50-wg0" = { + name = "wg0"; + address = [ "10.42.2.1/16" ]; + routes = [ + { + routeConfig.Gateway = "10.42.0.2"; + } + ]; + }; }; - defaultGateway = "192.168.122.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp1s0"; + netdevs = { + "50-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = "/wg/private.key"; + }; + + wireguardPeers = [ + { + Endpoint = "10.42.0.2:1194"; + AllowedIPs = [ + "0.0.0.0/0" + ]; + PersistentKeepalive = 20; + PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; + } + ]; + }; }; - nameservers = [ - "192.168.122.1" - "fe80::1%enp1s0" - ]; }; - services = { - openssh.enable = true; - netbird.enable = true; - }; + networking.useDHCP = false; + + services.openssh.enable = true; networking.firewall.enable = false; @@ -81,7 +106,10 @@ in loginAccounts = { "root@${host}" = { catchAll = [ host ]; - aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [ "moderators@${host}" "daemon@${host}" ]; + aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [ + "moderators@${host}" + "daemon@${host}" + ]; hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe"; }; }; diff --git a/machines/kat-manah/default.nix b/machines/kat-manah/default.nix index 1e9414e..be28f1f 100644 
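Review bot: The new wg0 netdev points at `PrivateKeyFile = "/wg/private.key"`, but nothing in this hunk provisions that file or pins its ownership, and systemd-networkd opens it as the `systemd-network` user, so it has to be readable by that user and by nobody else or the tunnel either never comes up or comes up off a world-readable key; add a comment next to the line, e.g. `# must exist as root:systemd-network 0640; not managed by this config`, or better, provision it through whatever secrets tooling the repo uses. The `10.42.0.2/32` host route on enp1s0 deliberately sends the peer's own tunnel address out the plain interface so the endpoint is reachable, which also means the watcher's tunnel-side address is never reached through wg0 — worth a one-line comment so the next reader does not "fix" it. With `AllowedIPs = [ "0.0.0.0/0" ]` and `defaultGateway6` removed there is no IPv6 default route at all, so v6 traffic is now blackholed rather than tunnelled; if that is not intended, add `"::/0"` to AllowedIPs plus a v6 address and route on wg0. Note that `networking.firewall.enable = false;` survives as context, so this host relies entirely on the watcher for filtering.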
--- a/machines/kat-manah/default.nix +++ b/machines/kat-manah/default.nix @@ -28,18 +28,7 @@ networks = { "50-wg0" = { name = "wg0"; - addresses = [ - { - Address = "10.42.0.1/16"; - AddPrefixRoute = false; - } - ]; - routes = [ - { - Destination = "10.42.0.0/16"; - Source = "10.42.0.1"; - } - ]; + address = [ "10.42.0.1/16" ]; }; }; netdevs = { @@ -72,7 +61,6 @@ ]; services.openssh.enable = true; - services.netbird.enable = true; programs.virt-manager.enable = true; virtualisation.libvirtd.enable = true; diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix index 277f3f8..c018856 100644 --- a/machines/kat-watcher/default.nix +++ b/machines/kat-watcher/default.nix @@ -17,11 +17,24 @@ efiInstallAsRemovable = true; }; + boot.kernel.sysctl."net.ipv4.ip_forward" = true; kat.wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg="; networking = { useDHCP = false; firewall.allowedUDPPorts = [ 1194 ]; + nftables = { + enable = true; + tables.nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 10.42.0.0/16 masquerade + } + ''; + }; + }; }; systemd.network = { enable = true; @@ -45,18 +58,7 @@ }; "50-wg0" = { name = "wg0"; - addresses = [ - { - Address = "10.42.0.2/16"; - AddPrefixRoute = false; - } - ]; - routes = [ - { - Destination = "10.42.0.0/16"; - Source = "10.42.0.2"; - } - ]; + address = [ "10.42.0.2/16" ]; }; }; netdevs = { @@ -83,6 +85,12 @@ ]; PublicKey = nodes.kat-probook.config.kat.wireguardPubKey; } + { + AllowedIPs = [ + "10.42.2.1/32" + ]; + PublicKey = nodes.kat-mail-test.config.kat.wireguardPubKey; + } ]; }; }; @@ -102,10 +110,7 @@ environment.systemPackages = with pkgs; [ tcpdump ]; - services = { - openssh.enable = true; - netbird.enable = true; - }; + services.openssh.enable = true; system.stateVersion = "23.11"; }
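Review bot: The masquerade rule `ip saddr 10.42.0.0/16 masquerade` in the new nat table on kat-watcher has no output-interface match, so it also rewrites tunnel-to-tunnel traffic the watcher forwards back out over wg0 (a packet from 10.42.0.1 to 10.42.2.1 would arrive as 10.42.0.2), hiding the real source from the receiving peer and its logs; restricting it to the uplink, e.g. `ip saddr 10.42.0.0/16 oifname != "wg0" masquerade`, keeps tunnel addresses intact. Enabling `net.ipv4.ip_forward` makes the box forward for every interface, and as far as I can tell the NixOS firewall does not filter forwarded packets unless asked, so anything that can reach the watcher can route through it; consider `networking.firewall.filterForward = true;` with `extraForwardRules` limited to `iifname "wg0"`, or an explicit forward chain in this table. The later hunk's peer entry bounds what mail-test may send with `AllowedIPs = [ "10.42.2.1/32" ]`, which is the right shape. Also note `networking.nftables.enable = true` switches the whole firewall to the nftables backend; `allowedUDPPorts` still applies, but any iptables-based rules elsewhere in the repo would stop working.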