{ modulesPath, inputs, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./hardware.nix
./home-julien.nix
];
machine.meta = {
arch = "x86_64-linux";
nixpkgs_version = inputs.nixpkgs;
hm_version = inputs.home-manager;
ips = {
public.ipv4 = "212.129.40.11";
vpn.ipv4 = "100.100.45.12";
public.ipv6 = "2a01:e0a:5f9:9681:5880:c9ff:fe9f:3dfb";
vpn.ipv6 = "fd7a:115c:a1e0::c";
};
};
luj = {
docs = {
enable = true;
nginx = {
enable = true;
subdomain = "docs";
};
};
mailserver.enable = true;
};
deployment.tags = [ "server" ];
services.fail2ban.enable = true;
networking.hostId = "fbb334ae";
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks = {
"10-wan" = {
matchConfig.Name = "ens20";
address = [ "212.129.40.11/32" ];
routes = [
{
routeConfig = {
Gateway = "212.129.40.11";
Destination = "0.0.0.0/0";
};
}
];
linkConfig.RequiredForOnline = "routable";
};
"20-wan" = {
matchConfig.Name = "ens18";
networkConfig.DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
};
"30-wg0" = {
matchConfig.Name = "wg0";
address = [
"10.100.45.1/24"
"fc00::1/64"
];
networkConfig = {
IPMasquerade = "ipv4";
IPForward = true;
};
};
};
netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "/srv/wg-private";
ListenPort = 51821;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "axigTezuClSoQlxWvpdzXKXUDjrrQlswE50ox0uDLR0=";
AllowedIPs = [ "10.100.45.2/32" ];
};
}
{
wireguardPeerConfig = {
PublicKey = "ElVrxNiYvV13hEDtqZNw4kLF7UiPTXziz8XgqABB0AU=";
AllowedIPs = [ "10.100.45.3/32" ];
};
}
];
};
};
};
services.openssh.extraConfig = ''
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
HostKey /etc/ssh/ssh_host_ed25519_key
TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
MaxAuthTries 20
'';
networking.firewall.allowedTCPPorts = [
51820
51821
];
networking.firewall.allowedUDPPorts = [
51820
51821
];
system.stateVersion = "21.11";
}