{ hostname, pkgs, ... }: {
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.2 headscale.sysctl.io
10.100.0.3 backups-rpi4
10.100.0.4 frankfurt-linode-01
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
# Set up the secrets file:
sops.secrets."wireguard_key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/${hostname}.yaml;
};
sops.secrets."preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = 1;
"net.ipv4.conf.default.forwarding" = 1;
};
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [
"10.100.0.4/24"
"10.100.1.4/24"
];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
peers = [
{ # framework-server / ovh-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.0.2/32" ];
persistentKeepalive = 5;
}
{ # backups-rpi4
publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.0.3/32" ];
persistentKeepalive = 5;
}
{ # framewrk-server docker:wg-enshrouded
publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.1.2/32" ];
persistentKeepalive = 5;
}
{ # framewrk-server docker:wg-mailserver
publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.1.3/32" ];
persistentKeepalive = 5;
}
];
};
};
};
}