{ self, ... } @ inputs:
# NixOS module for the "vpn" host: a container (boot.isContainer) that bridges
# eth0 into the 10.0.0.0/24 LAN as br0, uplinks via eth1 (default gateway
# 10.2.0.1) and terminates a WireGuard tunnel on wg0 whose clients are NATed
# onto br0.  Secrets are provided by sops (./secrets.yaml).
let
  nixpkgs = self.inputs.nixpkgs;
  inherit (nixpkgs) lib;
  pkgs = nixpkgs.legacyPackages.x86_64-linux;

  iptables = "${pkgs.iptables}/bin/iptables";

  # Rules appended when wg0 comes up and deleted again on shutdown.  `%i` is
  # expected to be substituted with the interface name (wg0).
  # NOTE(review): the MASQUERADE rule carries no `-s` match, so it rewrites
  # the source of *everything* leaving br0, not only tunnel traffic.  With
  # networking.nat already set up for internalInterfaces = [ "wg0" ] on
  # externalInterface br0, these hand-written rules look redundant — confirm
  # whether they are still needed, or at least scope the MASQUERADE to the
  # tunnel range.
  wgRules = [
    { table = null;  chain = "FORWARD";     match = "-i %i -j ACCEPT"; }
    { table = null;  chain = "FORWARD";     match = "-o %i -j ACCEPT"; }
    { table = "nat"; chain = "POSTROUTING"; match = "-o br0 -j MASQUERADE"; }
  ];

  # Render one rule as an iptables invocation; `op` is "A" (append) or "D"
  # (delete).
  iptablesCmd = op: rule:
    "${iptables}"
    + lib.optionalString (rule.table != null) " -t ${rule.table}"
    + " -${op} ${rule.chain} ${rule.match}";
in
{
  imports = [
    ./hardware-configuration.nix
    ../../users/root
    ../../users/erwin
  ];

  eboskma.users.erwin.enable = true;
  eboskma.nix-common = {
    enable = true;
    remote-builders = true;
  };

  networking.hostName = "vpn";
  networking.useDHCP = false;
  networking.nameservers = [ "10.0.0.254" ];

  # LAN side: eth0 is enslaved to br0, which carries the LAN address.
  networking.bridges.br0 = {
    interfaces = [ "eth0" ];
    rstp = true;
  };
  networking.interfaces.br0.ipv4.addresses = [
    { address = "10.0.0.250"; prefixLength = 24; }
  ];

  # Uplink side: eth1 carries the default route.
  networking.interfaces.eth1.ipv4.addresses = [
    { address = "10.2.0.20"; prefixLength = 24; }
  ];
  networking.defaultGateway = {
    address = "10.2.0.1";
    interface = "eth1";
  };

  # NOTE(review): eth1 is both the default-route interface and fully trusted
  # by the firewall, i.e. every listening service (sshd, WireGuard on 51820,
  # ...) is reachable from anything on that segment.  Nothing in this module
  # opens 51820 via allowedUDPPorts, so peers are presumably expected to
  # arrive over eth1.  Confirm 10.2.0.0/24 is a private segment and not the
  # internet-facing side; if it is, prefer
  # `networking.firewall.allowedUDPPorts = [ 51820 ];` over trusting the
  # whole interface.
  networking.firewall.trustedInterfaces = [ "eth1" ];

  # Tunnel clients are NATed onto the LAN bridge.
  networking.nat = {
    enable = true;
    externalInterface = "br0";
    internalInterfaces = [ "wg0" ];
  };

  networking.wireguard.interfaces.wg0 = {
    # NOTE(review): this gives wg0 the network address (.0) of the tunnel
    # range.  Linux accepts it, but a host address such as 10.1.0.1/24 is the
    # conventional choice — confirm the clients' endpoint/peer address.
    ips = [ "10.1.0.0/24" ];
    listenPort = 51820;
    # Decrypted by sops-nix at activation time; the key never enters the store.
    privateKeyFile = "/run/secrets/wireguard_key";

    postSetup = map (iptablesCmd "A") wgRules;
    postShutdown = map (iptablesCmd "D") wgRules;

    peers = [
      # horus — disabled until it has a public key.
      # NOTE(review): as drafted it would repeat the iPhone's allowedIPs; two
      # peers with overlapping allowedIPs conflict in WireGuard's cryptokey
      # routing (the last one configured wins), so give each peer its own
      # tunnel /32 before enabling this entry.
      # {
      #   publicKey = "";
      #   persistentKeepalive = 25;
      #   allowedIPs = [ "10.1.0.0/24" "10.0.0.0/24" ];
      # }

      # iphone
      {
        publicKey = "SlJSLRMaqoujNsTkzQRZlNLBGB0Q/tt3b8KijFEaH2s=";
        persistentKeepalive = 25;
        # NOTE(review): on the server side allowedIPs is the set of source
        # addresses accepted from this peer and — unless allowedIPsAsRoutes is
        # turned off, which this module does not do — also a route via wg0.
        # Listing 10.0.0.0/24 here therefore overlaps br0's own connected
        # route and lets the phone inject packets sourced from LAN addresses
        # into the forwarding path.  The LAN /24 normally belongs in the
        # *client's* allowedIPs; the server-side entry is usually just the
        # peer's tunnel address (/32).  Left unchanged pending confirmation of
        # the phone's tunnel address.
        allowedIPs = [
          "10.1.0.0/24"
          "10.0.0.0/24"
        ];
      }
    ];
  };

  boot.isContainer = true;
  time.timeZone = "Europe/Amsterdam";
  # Record the flake revision when the tree is clean (self.rev is absent for
  # dirty checkouts).
  system.configurationRevision = lib.mkIf (self ? rev) self.rev;
  environment.noXlibs = true;
  services.openssh.enable = true;

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.wireguard_key = { };

  system.stateVersion = "22.05";
}