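{ pkgs, lib, meta, kat-path, ssh-keys, sources, self-meta, ... }:

# Host "watcher": WireGuard endpoint (wg0) plus a NixOS container that runs
# the netbird client. The container is attached through a veth pair
# (host 192.168.121.1 <-> container 192.168.121.2) and the netbird mesh
# (100.80.0.0/16) is routed through it. Forwarded traffic on the host is
# restricted by the nftables `filter` table below: only flows between the
# networks in the `vpn` set, plus flows initiated by the container towards
# destinations outside that set, are forwarded; everything else is rejected.
{
  deployment.targetHost = "watcher.kat";

  imports = [
    ./hardware-configuration.nix
    ./disks.nix
  ];

  boot = {
    loader.grub = {
      enable = true;
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    # Needed for the host to route between wg0, the container veth and ens3.
    kernel.sysctl."net.ipv4.ip_forward" = true;
  };

  kat = {
    proxies.redirects = [ "kat-manah" ];
  };

  networking = {
    useDHCP = false;
    # 1194/udp is the WireGuard ListenPort set on the 50-wg0 netdev below.
    firewall.allowedUDPPorts = [ 1194 ];

    nftables.tables = {
      # Source-NAT traffic originating from the netbird container so that
      # replies are routed back through this host.
      nat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority 100;
            ip saddr 192.168.121.2 masquerade
          };
        '';
      };

      filter = {
        family = "inet";
        content = ''
          # Networks allowed to talk to each other through this host.
          set vpn {
            type ipv4_addr
            flags interval
            auto-merge
            elements = {
              100.80.0.0/16,
              10.42.0.0/16,
              192.168.1.0/24,
              192.168.122.0/24,
            }
          };

          # Default-deny on the forward hook: the state map below decides
          # every packet, and forward_decide ends in an explicit reject, so a
          # `drop` policy only matters if a later edit leaves a gap -- it then
          # fails closed instead of silently forwarding.
          chain forward {
            type filter hook forward priority filter; policy drop;
            ct state vmap {
              invalid: drop,
              established: accept,
              related: accept,
              new: jump forward_decide,
              untracked: jump forward_decide,
            };
          }

          chain forward_decide {
            # Allow vpn inside
            ip saddr @vpn ip daddr @vpn accept;
            # The netbird container may initiate flows only to destinations
            # outside the vpn set (e.g. its control plane / the internet).
            # Flows it starts towards vpn networks fall through to the reject.
            # Note that the table family is inet but these rules match IPv4
            # only, so forwarded IPv6 is rejected here as well.
            ip saddr 192.168.121.2 ip daddr != @vpn accept;
            jump forward_reject;
          }

          chain forward_reject {
            reject with icmpx type admin-prohibited;
          }
        '';
      };
    };
  };

  systemd.network = {
    enable = true;

    networks = {
      "10-ens3" = {
        name = "ens3";
        address = [
          "51.83.69.54/32"
          "2001:41d0:305:2100::5c52/56"
        ];
        routes = [
          # The IPv4 address is a /32, so the gateway is off-link and needs an
          # explicit on-link host route before the default route can use it.
          { Destination = "51.83.68.1/32"; }
          { Destination = "213.186.33.99/32"; Gateway = "51.83.68.1"; }
          { Gateway = "51.83.68.1"; }
          { Gateway = "2001:41d0:305:2100::1"; }
        ];
        dns = [ "213.186.33.99" ];
      };

      "50-wg0" = {
        name = "wg0";
        address = [ "10.42.0.2/16" ];
      };

      # Host side of the netbird container's veth. The interface name is the
      # one NixOS assigns for the container -- presumably derived from the
      # container name; re-check it if the container is ever renamed.
      "25-netbird" = {
        name = "ve-dgnum-neoKM9";
        routes = [
          # The netbird mesh is reached via the container.
          { Destination = "100.80.0.0/16"; Gateway = "192.168.121.2"; }
        ];
      };
    };

    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        wireguardConfig = {
          ListenPort = 1194;
          # The private key is read from a file outside the Nix store at
          # runtime rather than being embedded in the configuration.
          PrivateKeyFile = "/etc/wg/private.key";
          RouteTable = "main";
          RouteMetric = 2000;
        };
        # Peer list comes from the shared meta (meta.lib.mkPeers).
        wireguardPeers = meta.lib.mkPeers;
      };
    };
  };

  # The netbird client runs in its own network namespace so its interface,
  # routes and NAT stay separate from the host's WireGuard setup.
  containers.dgnum-netbird = {
    privateNetwork = true;
    hostAddress = "192.168.121.1";
    localAddress = "192.168.121.2";
    autoStart = true;

    specialArgs = {
      inherit kat-path ssh-keys sources self-meta;
    };

    config = {
      imports = [ kat-path ];
      kat.addArgs = false;

      boot.kernel = {
        # The container runs on the host kernel; none is built for it.
        enable = false;
        sysctl."net.ipv4.ip_forward" = true;
      };

      systemd.network.networks."10-eth0" = {
        name = "eth0";
        dns = [ "8.8.8.8" "1.1.1.1" ];
      };

      networking = {
        useHostResolvConf = false;
        # NOTE(review): 53/udp is opened on the container firewall; confirm it
        # is actually required by netbird's DNS handling, otherwise drop it.
        firewall.allowedUDPPorts = [ 53 ];
        # Traffic forwarded from the host towards the mesh is masqueraded on
        # the way out -- presumably so mesh peers see the container's own
        # netbird address as the source; verify against the netbird setup.
        nftables.tables.nat = {
          family = "ip";
          content = ''
            chain postrouting {
              type nat hook postrouting priority 100;
              ip daddr 100.80.0.0/16 masquerade
            };
          '';
        };
      };

      services = {
        # mkForce: the imported kat-path config presumably disables resolved;
        # the container needs it because useHostResolvConf is off.
        resolved.enable = lib.mkForce true;
        openssh.enable = true;
        netbird.enable = true;
      };

      system.stateVersion = "24.11";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
  };

  environment.systemPackages = with pkgs; [ tcpdump ];

  services.openssh.enable = true;

  system.stateVersion = "23.11";
}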