# NixOS host definition for "manah": WireGuard hub (10.42.0.1/16 on wg0),
# libvirt/KVM host, ACME client, sshd and a headless weechat.
#
# Arguments (NixOS/deploy-rs style module function):
#   pkgs  - the package set; used for systemPackages, virtiofsd and weechat.
#   nodes - the other deployment nodes; only the WireGuard public key of
#           kat-watcher is read here.
#   ...   - remaining module arguments are ignored.
{ pkgs, nodes, ... }:
let
  # Peer key comes from the watcher node's own config, so the two hosts
  # cannot drift apart when it is rotated there.
  watcherPubKey = nodes.kat-watcher.config.kat.wireguardPubKey;
in
{
  deployment.targetHost = "manah.kat";

  imports = [ ./hardware-configuration.nix ];

  # ---- boot -----------------------------------------------------------
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # This host forwards IPv4 between its interfaces (it carries the wg0 hub
  # subnet and libvirt guests). Anything reachable on 10.42.0.0/16 is
  # therefore routed through this box; keep that in mind when widening
  # AllowedIPs below.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  # Both KVM backends are listed so the same config works on either vendor.
  boot.kernelModules = [ "kvm-intel" "kvm-amd" ];

  # ---- site-local "kat" module ------------------------------------------
  # NOTE(review): `kat` is a project module not visible here; its
  # `proxies.open-tcp` overlaps with networking.firewall.allowedTCPPorts
  # below (9000, 9500). Confirm which one is meant to own those ports.
  kat.fqdn = "manah.katvayor.net";
  kat.proxies.ip = "10.42.0.1";
  kat.proxies.open-tcp = [ 9000 9500 ];
  kat.proxies.redirects = [
    "kat-orchid"
    "kat-son"
    "kat-www"
    "kat-degette"
    "kat-betamail"
  ];
  kat.wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM=";

  # ---- WireGuard via systemd-networkd ------------------------------------
  systemd.network.enable = true;

  systemd.network.networks."50-wg0" = {
    name = "wg0";
    address = [ "10.42.0.1/16" ];
  };

  systemd.network.netdevs."50-wg0" = {
    netdevConfig.Name = "wg0";
    netdevConfig.Kind = "wireguard";
    # NOTE(review): systemd-networkd opens this file as an unprivileged
    # service user, so it must be readable by that user and by nobody else
    # (typically root:systemd-network, mode 0640). The file itself is not
    # managed in this config — confirm its ownership/mode on the host.
    wireguardConfig.PrivateKeyFile = "/etc/wg/private.key";
    wireguardPeers = [
      {
        Endpoint = "watcher.katvayor.net:1194";
        # Only the watcher's single address is accepted from this peer;
        # the tunnel is not a default route.
        AllowedIPs = [ "10.42.0.2/32" ];
        # Keep the NAT mapping alive towards the endpoint.
        PersistentKeepalive = 20;
        PublicKey = watcherPubKey;
      }
    ];
  };

  # ---- packages / virtualisation ----------------------------------------
  # dnsmasq is only installed as a tool here; no dnsmasq service is
  # configured in this file.
  environment.systemPackages = [ pkgs.dnsmasq pkgs.tcpdump ];

  programs.virt-manager.enable = true;
  virtualisation.libvirtd.enable = true;
  # virtiofsd for shared-folder passthrough into guests.
  virtualisation.libvirtd.qemu.vhostUserPackages = [ pkgs.virtiofsd ];

  # ---- services -----------------------------------------------------------
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "root@katvayor.net";

  # NOTE(review): sshd is enabled with module defaults; no
  # `settings.PasswordAuthentication` / `PermitRootLogin` appear in this
  # file. Confirm they are hardened in a shared module, or set them here.
  services.openssh.enable = true;

  services.weechat.enable = true;
  services.weechat.binary = "${pkgs.weechat}/bin/weechat-headless";

  # ---- firewall -----------------------------------------------------------
  # NOTE(review): these ports are opened on every interface, not scoped to
  # wg0 or the libvirt bridge. 53/tcp is opened without 53/udp, and 67/udp
  # (DHCP server) is world-open; if they are meant for guests only, prefer
  # `networking.firewall.interfaces.<ifname>.allowed*Ports`.
  networking.firewall.allowedTCPPorts = [ 9000 9500 53 ];
  networking.firewall.allowedUDPPorts = [ 67 ];

  system.stateVersion = "23.11";
}