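# Node definition for one public x86_64 host that terminates a WireGuard tunnel
# and delegates a /112 out of its own /64 to a single peer via ND proxying.
# (The secret path below suggests the node is called "wanderduene".)
let
  # Values that several settings below must agree on.  The peer's AllowedIPs,
  # the route on wg0 and the ndppd rule all have to name the same prefix, so it
  # is bound once here instead of being repeated as three literals that could
  # drift apart on a later edit.
  wgPeerPrefix  = "2a03:4000:4d:5e:acab::/112";
  wgInterface   = "wg0";
  wgListenPort  = 51820;
  mainInterface = "ens3";
in
{

  system          = "x86_64-linux";

  # Public half of an ssh-ed25519 key pair; no private material lives in this file.
  sshPubKey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8uAvUnwhg3pnCdaaoclWDKV275SyNSyrkJON+R5Boi";

  inherit mainInterface;

  # Public IPv4 address; the node is directly reachable from the internet.
  ip4IsPrivate    = false;
  ip4Address      = "194.36.145.49";
  ip4PrefixLength = 22;
  defaultGateway4 = "194.36.144.1";

  # Public IPv6 /64; the WireGuard peer prefix above is carved out of it.
  ip6IsPrivate    = false;
  ip6Address      = "2a03:4000:4d:5e::1";
  ip6PrefixLength = 64;
  defaultGateway6 = "fe80::1";

  # NixOS module for this node.  `secrets` and `ctucxConfig` come from the
  # surrounding flake/deployment tooling, not from this file.
  configuration = { node, secrets, config, dnsNix, ctucxConfig, lib, pkgs, ... }: {

    imports = [
      ./hardware-configuration.nix

      ctucxConfig.services.prometheus-exporters
      ctucxConfig.services.dns-server

      ctucxConfig.websites."ip.ctu.cx"
      ctucxConfig.websites."flauschehorn.katja.wtf"

      ctucxConfig.websites."conduwuit.ctucx.de"
      ctucxConfig.websites."grapevine.ctucx.de"

      ./rclone-restic-server.nix
      ./syncthing.nix
    ];

    documentation.nixos.enable = false;

    # WireGuard private key is decrypted at activation by agenix and made
    # readable only by the systemd-network user, which is the process that
    # loads it via PrivateKeyFile below.
    age.secrets.wireguardPrivKey = {
      file  = secrets.wanderduene.wireguardPrivKey;
      owner = "systemd-network";
      group = "systemd-network";
    };

    # Kernel-side ND proxying is enabled on all interfaces; ndppd (below) is
    # what actually answers solicitations for the peer prefix.
    boot.kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true;

    # Open exactly the port the netdev listens on, read back from the option so
    # the firewall cannot silently diverge from the tunnel configuration.
    networking.firewall.allowedUDPPorts = [ config.systemd.network.netdevs."20-wg0".wireguardConfig.ListenPort ];

    systemd.network = {
      # Needed so packets arriving on ens3 for the /112 can be forwarded to wg0.
      config.networkConfig.IPv6Forwarding = true;

      netdevs."20-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = wgInterface;
        };

        wireguardConfig = {
          PrivateKeyFile = config.age.secrets.wireguardPrivKey.path;
          ListenPort     = wgListenPort;
          FirewallMark   = 51820;
        };

        # Single peer.  No Endpoint is set here, so the peer must initiate the
        # handshake; AllowedIPs restricts what the peer may send/receive to the
        # delegated /112 (WireGuard's cryptokey routing).
        wireguardPeers = [{
          PublicKey           = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
          AllowedIPs          = [ wgPeerPrefix ];
          PersistentKeepalive = 10;
        }];
      };

      networks."5-mainInterface".enable = true;

      networks."20-wg0" = {
        name   = wgInterface;
        # Route the delegated prefix into the tunnel.
        routes = [{
          Destination = wgPeerPrefix;
        }];
        # Do not block network-online.target on the tunnel coming up.
        linkConfig.RequiredForOnline = false;
      };
    };

    services.ntfysh-notify.enable = true;

    # Answer neighbor solicitations for the peer prefix on the uplink so the
    # upstream router delivers that traffic here, where it is routed to wg0.
    services.ndppd = {
      enable = true;
      proxies.${mainInterface}.rules.${wgPeerPrefix} = {
        method    = "iface";
        interface = wgInterface;
      };
    };

    system.stateVersion = "23.05";
    home-manager.users.katja.home.stateVersion = "23.05";

  };

}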