{ config, lib, pkgs, nodes, ... }: { imports = [ ./hardware-configuration.nix ./disks.nix ]; boot.loader.grub = { enable = true; efiSupport = true; efiInstallAsRemovable = true; }; boot.kernel.sysctl."net.ipv4.ip_forward" = true; kat.wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg="; networking = { useDHCP = false; firewall.allowedUDPPorts = [ 1194 ]; nftables = { enable = true; tables.nat = { family = "ip"; content = '' chain postrouting { type nat hook postrouting priority 100; ip saddr 10.42.0.0/16 masquerade } ''; }; }; }; systemd.network = { enable = true; networks = { "10-ens3" = { name = "ens3"; address = [ "51.83.69.54/32" "2001:41d0:305:2100::5c52/56" ]; routes = [ { Destination = "51.83.68.1/32"; } { Destination = "213.186.33.99/32"; Gateway = "51.83.68.1"; } { Gateway = "51.83.68.1"; } { Gateway = "2001:41d0:305:2100::1"; } ]; dns = [ "213.186.33.99" ]; }; "50-wg0" = { name = "wg0"; address = [ "10.42.0.2/16" ]; }; }; netdevs = { "50-wg0" = { netdevConfig = { Name = "wg0"; Kind = "wireguard"; }; wireguardConfig = { ListenPort = 1194; PrivateKeyFile = "/etc/wg/private.key"; }; wireguardPeers = [ { AllowedIPs = [ "10.42.0.1/32" ]; PublicKey = nodes.kat-manah.config.kat.wireguardPubKey; } { AllowedIPs = [ "10.42.1.1/32" ]; PublicKey = nodes.kat-probook.config.kat.wireguardPubKey; } { AllowedIPs = [ "10.42.2.1/32" ]; PublicKey = nodes.kat-mail-test.config.kat.wireguardPubKey; } ]; }; }; }; security.acme = { acceptTerms = true; defaults.email = "root@katvayor.net"; }; kat-proxies = { enable = true; internal-webroot = pkgs.runCommand "watcher" { } '' mkdir -p $out/.kat-watcher/ ln -nsf ${./error} $out/.kat-watcher/error ''; }; environment.systemPackages = with pkgs; [ tcpdump ]; services.openssh.enable = true; system.stateVersion = "23.11"; }