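{ hostname, pkgs, ... }:

let
  inherit (pkgs) lib;

  # Address ranges routed through wireguard0. The interface holds one address
  # in each range (see `ips` below); peers are assigned /32s out of them.
  tunnelSubnets = [ "10.100.0.0/24" "10.100.1.0/24" ];

  # Physical interface that tunnel traffic is NATed out of.
  # NOTE(review): hard-coded name — confirm it matches the uplink on every host
  # that imports this module.
  uplink = "enp0s4";

  # Runtime paths at which sops-nix exposes the decrypted secrets declared below.
  wireguardKeyFile = "/run/secrets/wireguard_key";
  presharedKeyFile = "/run/secrets/preshared_key";

  iptables = "${pkgs.iptables}/bin/iptables";

  # Build the POSTROUTING MASQUERADE commands for `action` ("-A" to add on
  # setup, "-D" to delete on shutdown), one per tunnel subnet. The `-s` match
  # scopes NAT to traffic originating in the tunnel instead of everything that
  # leaves `uplink`; widen it deliberately if other forwarded traffic must be
  # masqueraded here.
  natRules = action:
    lib.concatMapStringsSep "\n"
      (subnet: "${iptables} -t nat ${action} POSTROUTING -s ${subnet} -o ${uplink} -j MASQUERADE")
      tunnelSubnets;

  # Peer entry: a single tunnel address reachable behind the given public key,
  # with a 5-second keepalive. All peers share one pre-shared key file.
  # NOTE(review): WireGuard PSKs are intended to be per-peer; with one shared
  # key, compromise of any single peer weakens the PSK layer for all of them.
  # Moving to per-peer secrets needs new sops entries, so it is only flagged here.
  mkPeer = publicKey: address: {
    inherit publicKey presharedKeyFile;
    allowedIPs = [ "${address}/32" ];
    persistentKeepalive = 5;
  };
in
{
  networking = {
    # Let these hosts reach each other by name over the tunnel.
    extraHosts = ''
      10.100.0.1 ${hostname}
      10.100.0.3 backups-rpi4
      10.100.0.2 headscale.sysctl.io
    '';

    firewall = {
      # WireGuard listen port; must be reachable from the peers' networks.
      allowedUDPPorts = [ 51820 ];
      # SSH is opened on the tunnel interface; this module opens no other TCP port.
      interfaces.wireguard0.allowedTCPPorts = [ 22 ];
    };

    wireguard = {
      enable = true;
      interfaces."wireguard0" = {
        ips = [ "10.100.0.1/24" "10.100.1.1/24" ];
        listenPort = 51820;
        privateKeyFile = wireguardKeyFile;
        postSetup = natRules "-A";
        postShutdown = natRules "-D";
        peers = [
          # framework-server / ovh-server
          (mkPeer "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=" "10.100.0.2")
          # backups-rpi4
          (mkPeer "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=" "10.100.0.3")
          # framewrk-server docker:wg-enshrouded
          (mkPeer "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=" "10.100.1.2")
          # framewrk-server docker:wg-mailserver
          (mkPeer "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=" "10.100.1.3")
        ];
      };
    };
  };

  # Secrets decrypted by sops-nix. The WireGuard private key comes from a
  # per-host secrets file; the pre-shared key from a file shared by all hosts.
  sops.secrets."wireguard_key" = {
    owner = "root";
    sopsFile = ../../../secrets/hosts/${hostname}.yaml;
  };
  sops.secrets."preshared_key" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };

  # This host routes for its peers, so IPv4 forwarding is enabled.
  # NOTE(review): this turns forwarding on for every interface, not just the
  # tunnel and uplink; the NixOS iptables firewall does not filter FORWARD by
  # default, so reachability between interfaces is governed only by routing.
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.conf.default.forwarding" = 1;
  };
}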