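{ inputs, profiles, ... }:

# NixOS host module for the server at 163.172.91.82 / 2001:0bc8:3d24::45:
# persistence layout, WAN and WireGuard networking, and the firewall.
{
  imports = [
    ./hardware.nix
    ./home-julien.nix
    ./stalwart.nix
    ./nsd.nix
  ];

  # Host metadata under the repository's own `machine.meta` option
  # (architecture, nixpkgs/home-manager channels, addresses, profile set).
  machine.meta = {
    arch = "x86_64-linux";
    nixpkgs_version = inputs.unstable;
    hm_version = inputs.home-manager-unstable;
    ips = {
      public.ipv4 = "163.172.91.82";
      public.ipv6 = "2001:0bc8:3d24::45";
      vpn.ipv4 = "100.100.45.33";
    };
    profiles = with profiles; [ server ];
  };

  disko = import ./disko.nix;

  # Paths persisted across reboots from /persistent. The host SSH key pair
  # is listed so the host identity stays stable between boots.
  environment.persistence."/persistent" = {
    hideMounts = true;
    directories = [
      "/var/lib"
      "/var/log"
      "/srv"
    ];
    files = [
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  # /persistent backs the entries above; /srv holds the WireGuard private
  # key referenced below, which presumably is why it must be up at boot.
  fileSystems."/srv".neededForBoot = true;
  fileSystems."/persistent".neededForBoot = true;

  services.fail2ban.enable = true;

  networking.useNetworkd = true;
  systemd.network = {
    enable = true;
    # Needed so wg0 clients can reach beyond this host
    # (paired with IPMasquerade on "30-wg0").
    config.networkConfig.IPv4Forwarding = true;

    networks = {
      "10-wan" = {
        matchConfig.Name = "enp0s20";
        networkConfig = {
          DHCP = "ipv6";
          IPv6AcceptRA = true;
        };
        addresses = [
          { Address = "163.172.91.82/24"; }
          { Address = "2001:0bc8:3d24::45/64"; }
        ];
        routes = [
          {
            Gateway = "163.172.91.1";
            Destination = "0.0.0.0/0";
          }
        ];
        # IPv6 is obtained via DHCPv6 with a fixed link-layer DUID; the RA
        # prefixes are not used for addressing (Use*Prefix = false).
        # NOTE(review): this mirrors a hosting-provider DHCPv6 convention
        # not visible here — confirm before changing the DUID.
        dhcpV6Config = {
          DUIDRawData = "00:01:62:7c:0e:d3:27:5b";
          DUIDType = "link-layer";
          UseAddress = "no";
          WithoutRA = "solicit";
        };
        ipv6AcceptRAConfig = {
          DHCPv6Client = "always";
          UseOnLinkPrefix = false;
          UseAutonomousPrefix = false;
        };

        linkConfig.RequiredForOnline = "routable";
      };

      "30-wg0" = {
        matchConfig.Name = "wg0";
        address = [
          "10.100.45.1/24"
          "fc00::1/64"
        ];
        # Only IPv4 is masqueraded; fc00::/64 traffic is not NATed, and the
        # peers below carry IPv4-only AllowedIPs.
        networkConfig.IPMasquerade = "ipv4";
      };
    };

    netdevs = {
      "10-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          # Key is read from the persisted /srv, not from the Nix store.
          PrivateKeyFile = "/srv/wg-private";
          ListenPort = 51821;
        };
        # Each peer is pinned to a single /32 inside 10.100.45.0/24.
        wireguardPeers = [
          {
            PublicKey = "axigTezuClSoQlxWvpdzXKXUDjrrQlswE50ox0uDLR0=";
            AllowedIPs = [ "10.100.45.2/32" ];
          }
          {
            PublicKey = "ElVrxNiYvV13hEDtqZNw4kLF7UiPTXziz8XgqABB0AU=";
            AllowedIPs = [ "10.100.45.3/32" ];
          }
        ];
      };
    };
  };

  # WireGuard is UDP-only; nothing in this module listens on 51821/tcp,
  # so only the UDP listen port is opened.
  networking.firewall.allowedUDPPorts = [
    51821
  ];

  system.stateVersion = "24.11";
}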