# NixOS host module for "wanderduene" (deployed with colmena).
#
# Roles visible in this file: DNS node (colmena tag "dnsServer"), WireGuard hub
# for three remote sites, rclone/restic backup target, 3proxy, static websites
# and -- unless the briefkasten node has its own PBB uplink -- a reverse proxy
# for briefkasten.  Networking is fully static, and the initrd brings up the
# uplink plus an SSH server so the encrypted root can be unlocked remotely.
{ nodes, config, lib, pkgs, ... }:

let
  inherit (config.networking) primaryIP primaryIP4;

  # The reverse proxy is only needed while briefkasten has no uplink of its own
  # (kept as "!= true" so an unset/null value also enables the proxy).
  needsBriefkastenProxy = nodes.briefkasten.config.networking.usePBBUplink != true;

  # SSH keys of every user in "wheel": they are the only ones allowed to log in
  # to the initrd and answer the cryptsetup passphrase prompt.  Attribute sets
  # iterate in name order, exactly as mapAttrsToList would.
  wheelUserKeys = lib.concatMap
    (user: user.openssh.authorizedKeys.keys)
    (lib.attrValues
      (lib.filterAttrs (_: user: lib.elem "wheel" user.extraGroups) config.users.users));

  # Builds one hub-side WireGuard interface.  Every interface on this host
  # shares the same agenix-provisioned private key, i.e. one identity for all
  # three tunnels; generatePrivateKeyFile only acts when that file is missing,
  # so with agenix in place it is effectively a no-op.
  mkWireguard = name: { port, localAddr, peerNets, peerKey }: {
    listenPort = port;
    privateKeyFile = config.age.secrets.wireguard-privkey.path;
    generatePrivateKeyFile = true;
    postSetup = "ip link set dev ${name} mtu 1500";
    ips = [ localAddr ];
    peers = [
      {
        persistentKeepalive = 10;
        allowedIPs = peerNets;
        publicKey = peerKey;
      }
    ];
  };

  wireguardLinks = {
    wg-mikrotik = {
      port = 51820;
      localAddr = "172.16.0.1/24";
      # 10.0.0.0/8 routes the whole remote site through this tunnel; together
      # with the blanket accept rule in firewall.extraCommands below, every
      # host in that range reaches all local services, not only the ports in
      # the allowed*Ports lists.
      peerNets = [ "172.16.0.0/24" "10.0.0.0/8" ];
      peerKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
    };
    wg-briefkasten = {
      port = 51821;
      localAddr = "172.17.0.1/24";
      peerNets = [ "172.17.0.0/24" ];
      # Same peer public key as wg-mikrotik -- presumably one device terminates
      # both tunnels; confirm this is intended.
      peerKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
    };
    wg-stasicont = {
      port = 51822;
      localAddr = "172.18.0.1/24";
      peerNets = [ "172.18.0.0/24" ];
      peerKey = "Sh5le4IsR5jW1+jSrR5N/dcuTE+OEcEB6ou7bqwriAg=";
    };
  };
in
{
  deployment.buildOnTarget = false;
  # this enables the following services: dns
  deployment.tags = [ "dnsServer" ];

  documentation.nixos.enable = false;

  imports = [
    ./hardware-configuration.nix
    ./rclone-restic-server.nix
    ./3proxy.nix
    ./websites
  ] ++ lib.optional needsBriefkastenProxy ./reverse-proxy-briefkasten.nix;

  # Publish this host's own A/AAAA records under ctu.cx.
  dns.zones."ctu.cx".subdomains."${config.networking.hostName}" =
    pkgs.dns.lib.combinators.host primaryIP4 primaryIP;

  # Decrypted at activation time by agenix; the plaintext path is referenced by
  # every WireGuard interface below.
  age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age;

  boot = {
    # Use the systemd-boot EFI boot loader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    initrd.network = {
      enable = true;

      ssh = {
        enable = true;
        port = 22;
        # The initrd reuses the system's permanent RSA host key.  Keys listed
        # here are embedded into the initrd, which is stored outside the
        # encrypted root (with systemd-boot, presumably on the EFI partition),
        # and the NixOS option documentation warns against reusing regular host
        # keys for this reason; a dedicated initrd-only key would limit what
        # someone with access to the boot medium obtains.  The upside of reuse
        # is that clients see a single host identity on port 22.
        hostKeys = [ /etc/ssh/ssh_host_rsa_key ];
        authorizedKeys = wheelUserKeys;
      };

      # Static uplink for the initrd, then queue the LUKS passphrase prompt so
      # it runs on the next interactive root login over initrd SSH.
      # NOTE(review): the IPv4 address is added with /22 here but the running
      # system (interfaces.ens3 below) uses /24; the gateway 194.36.144.1 is
      # only on-link for the /22 (hence "onlink") -- confirm which prefix is
      # correct.  IPv6 likewise differs (/128 here vs /64 below).
      postCommands = ''
        ip link set dev ens3 up
        ip addr add ${primaryIP}/128 dev ens3
        ip route add default via fe80::1 dev ens3 onlink
        ip addr add ${primaryIP4}/22 dev ens3
        ip route add default via ${config.networking.defaultGateway.address} dev ens3 onlink
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };

  networking = {
    primaryIP = "2a03:4000:4d:5e::1";
    primaryIP4 = "194.36.145.49";

    # /etc/resolv.conf is not generated by resolvconf; the nameservers are
    # consumed by whatever does write it (not shown in this file).
    resolvconf.enable = false;
    nameservers = [ "8.8.8.8" "1.1.1.1" ];

    defaultGateway = {
      interface = "ens3";
      address = "194.36.144.1";
    };
    defaultGateway6 = {
      interface = "ens3";
      address = "fe80::1";
    };

    interfaces.ens3 = {
      ipv4.addresses = [
        {
          address = primaryIP4;
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = primaryIP;
          prefixLength = 64;
        }
      ];
    };

    wireguard = {
      enable = true;
      interfaces = lib.mapAttrs mkWireguard wireguardLinks;
    };

    firewall = {
      # 5201 is iperf3 (bound to the wg-briefkasten address below); the purpose
      # of 2201-2203 is not visible in this file -- presumably consumed by one
      # of the imported modules.
      allowedTCPPorts = [ 5201 2201 2202 2203 ];
      allowedUDPPorts = [ 5201 51820 51821 51822 ];
      # Anything arriving over a tunnel bypasses the port lists above entirely.
      extraCommands = ''
        iptables -A nixos-fw -i wg-mikrotik -j nixos-fw-accept
        iptables -A nixos-fw -i wg-briefkasten -j nixos-fw-accept
        iptables -A nixos-fw -i wg-stasicont -j nixos-fw-accept
      '';
    };
  };

  # Host-local flake options: no interactive tooling on this server.
  ctucxConfig.programs = {
    gpg.enable = false;
    ssh.enable = false;
    git.enable = false;
  };

  # iperf3 listens only on the wg-briefkasten tunnel address.
  services.iperf3 = {
    enable = true;
    bind = "172.17.0.1";
  };

  system.stateVersion = "23.05";
  home-manager.users.leah.home.stateVersion = "23.05";
}