{ config, pkgs, ... }:
{
age.secrets = {
"wireguard/dorm/private" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/private.age;
owner = config.users.users.systemd-network.name;
};
"wireguard/dorm/preshared" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age;
owner = config.users.users.systemd-network.name;
};
};
environment.systemPackages = with pkgs; [
mtr
inetutils
dnsutils
wireguard-tools
];
networking = {
hostName = "falkenstein";
nftables.enable = true;
domain = "rfive.de";
useNetworkd = true;
enableIPv6 = true;
firewall = {
allowedUDPPorts = [ 51820 ];
extraInputRules = ''
ip saddr 192.168.0.0/16 tcp dport 19531 accept comment "Allow journald gateway access from local networks"
'';
};
};
services.resolved = {
dnssec = "true";
fallbackDns = [
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
];
};
systemd.network = {
enable = true;
config = {
networkConfig = {
SpeedMeter = true;
};
};
networks."10-loopback" = {
matchConfig.Name = "lo";
};
networks."10-wired" = {
matchConfig.Name = "ens3";
dns = [
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = "yes";
Address = "2a01:4f8:c012:49de::1/64";
Gateway = "fe80::1";
};
};
netdevs."30-dorm" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
ListenPort = 51820;
RouteTable = "main";
RouteMetric = 30;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
Endpoint = "nuc.rfive.de:51820";
AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
};
}
];
};
networks."30-dorm" = {
matchConfig.Name = "wg0";
addresses = [
{
addressConfig = {
Address = "192.168.43.4/24";
AddPrefixRoute = false;
};
}
];
networkConfig = {
DNS = "192.168.43.1";
Domains = [
"~vpn.rfive.de"
"~42.168.192.in-addr.arpa"
"~43.168.192.in-addr.arpa"
];
DNSSEC = false;
BindCarrier = [ "ens3" ];
};
};
};
}