infrastructure/hosts/phoenix.lewd.wtf/networking.nix

76 lines
2.3 KiB
Nix

{ pkgs, ... }:
{
networking.useDHCP = false;
networking.bridges = {
"br0" = {
interfaces = [
"eno2"
"enp2s0"
"enp101s0"
"enp101s0d1"
];
};
};
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "br0";
enableIPv6 = true;
};
networking.interfaces.br0.ipv4.addresses = [
{
address = "192.168.0.42";
prefixLength = 22;
}
];
# networking.defaultGateway = "10.0.0.1";
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "1.1.1.1" ];
networking.firewall.enable = false;
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
allowedIPsAsRoutes = false;
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "134.19.179.213:1637";
persistentKeepalive = 25;
}
];
postSetup = [
# Force traffic from container networks through wg0
"ip route add table 2 default dev wg0"
"ip rule add from 192.168.100.0/24 table 2"
"ip rule add from 192.168.5.0/24 table 2"
# NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
# c3moc NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE"
# Port forwarding
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
];
};
};
systemd.services.wireguard-wg0.preStop =
# Force traffic from container networks through wg0
"ip rule del from 192.168.100.0/24 table 2" +
"ip rule del from 192.168.5.0/24 table 2" +
"ip route del table 2 default dev wg0" +
# NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
# c3moc NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" +
# Port Forwarding
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
;
}