{ config, lib, pkgs, modulesPath, desktop, username, ... }: { imports = [ ./disks.nix ]; # Enable distributed Builds nix.distributedBuilds = true; nixpkgs.config.allowUnfree = false; boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; virtualisation.hypervGuest.enable = true; networking.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; time.timeZone = "Asia/Tokyo"; networking.hostName = "osaka-vultr-01"; networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall.allowedUDPPorts = [ 51820 ]; # Set up the secrets file: sops.secrets."wireguard_keys/osaka-vultr-01" = { owner = "root"; sopsFile = ../../../secrets/wireguard.yaml; }; sops.secrets."wireguard_keys/preshared_key" = { owner = "root"; sopsFile = ../../../secrets/wireguard.yaml; }; # Wireguard Forwarder boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; }; networking.firewall.allowPing = true; networking.wireguard = { enable = true; interfaces = { "wireguard0" = { ips = [ "10.100.0.1/24" ]; listenPort = 51820; privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01"; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i %i -j ACCEPT ${pkgs.iptables}/bin/iptables -A FORWARD -o %i -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.100.0.2 --dport 80 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i %i -j ACCEPT ${pkgs.iptables}/bin/iptables -D FORWARD -o %i -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.100.0.2 --dport 80 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE ''; # Testing peers = [ { # nixos-rpi4-03 publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key"; persistentKeepalive = 5; allowedIPs = [ "10.100.0.2/32" ]; } ]; }; }; }; networking.nat = { enable = true; externalInterface = "eno3"; internalInterfaces = [ "wireguard0" ]; internalIPs = [ "10.100.0.0/24" ]; forwardPorts = [ { sourcePort = 80; destination = "10.100.0.2:80"; proto = "tcp"; } ]; }; }