{ config, ... }: {

  systemd.network = {
    # Wireguard
    # Dump-dvb
    netdevs."30-wg-dumpdvb" = {
      # WireGuard link into the dump-dvb / dvb.solutions network.
      netdevConfig.Kind = "wireguard";
      netdevConfig.Name = "wg-dumpdvb";
      netdevConfig.Description = "dvb.solutions enterprise network";
      # The private key is referenced by path (sops-nix), not inlined, so the
      # key itself never lands in the world-readable Nix store.
      # NOTE(review): networkd reads the file as the systemd-network service
      # user; the sops secret's owner/group is declared elsewhere -- confirm it
      # grants that user read access.
      # No PresharedKeyFile: the tunnel relies on the Curve25519 handshake
      # alone (a PSK would add an optional symmetric layer on top).
      wireguardConfig.PrivateKeyFile = config.sops.secrets."wg/dvb".path;
      wireguardPeers = [{
        wireguardPeerConfig = {
          # The peer is authenticated by this static key.  A hostname endpoint
          # therefore only affects reachability: a wrong or spoofed DNS answer
          # can keep the tunnel down, it cannot impersonate the peer.
          PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
          Endpoint = "academicstrokes.com:51820";
          # Cryptokey routing: only this /24 is accepted from, or sent to, the peer.
          AllowedIPs = [ "10.13.37.0/24" ];
          # Periodic keepalive so a NAT in front of this host keeps the mapping.
          PersistentKeepalive = 25;
        };
      }];
    };
    networks."30-wg-dumpdvb" = {
      matchConfig.Name = "wg-dumpdvb";
      networkConfig.Address = "10.13.37.3/24";
      # NOTE(review): router advertisements are unusual on a WireGuard link;
      # harmless if none arrive, but this looks copied from the other tunnels.
      networkConfig.IPv6AcceptRA = true;
      # Route for the peer's /24 via the hub address.  The destination equals
      # the netdev's AllowedIPs entry, so nothing outside it is pushed into
      # the tunnel (WireGuard would reject it anyway).
      routes = [{
        routeConfig.Gateway = "10.13.37.1";
        routeConfig.Destination = "10.13.37.0/24";
      }];
    };

    # oxalab
    netdevs."10-wg-oxalab" = {
      # WireGuard link into oxa's lab network.
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg-oxalab";
        Description = "lab of oxa";
      };
      # Key material comes from sops-nix by path, so it stays out of the
      # Nix store.  NOTE(review): the file must be readable by the
      # systemd-network user -- check the secret's owner/group where it is declared.
      wireguardConfig.PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
      wireguardPeers = [{
        wireguardPeerConfig = {
          PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
          # Literal IP endpoint: no DNS dependency when the tunnel comes up.
          Endpoint = "95.216.166.21:51820";
          # Only the lab subnet may traverse this peer.
          AllowedIPs = [ "10.66.66.0/24" ];
          PersistentKeepalive = 25;
        };
      }];
    };
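    networks."10-wg-oxalab" = {
      matchConfig.Name = "wg-oxalab";
      networkConfig = {
        Address = "10.66.66.10/24";
        # NOTE(review): RAs are not expected over a WireGuard link; harmless.
        IPv6AcceptRA = true;
      };
      # Route for the lab subnet via the lab gateway.  The destination is the
      # network prefix with host bits cleared ("10.66.66.0/24", matching the
      # netdev's AllowedIPs and the dumpdvb route above); the earlier value
      # "10.66.66.1/24" carried host bits, which networkd either masks or
      # rejects depending on version and which does not match what
      # `ip route` shows.
      routes = [
        { routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.0/24"; }; }
      ];
    };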


    # zentralwerk
    netdevs."10-wg-zentralwerk" = {
      # WireGuard link into the Zentralwerk / C3D2 networks.
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg-zentralwerk";
        Description = "Tunnel to the best basement in Dresden";
      };
      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."wg/zw".path;
        # No automatic routes derived from AllowedIPs: the matching network
        # unit declares them by hand (with a high metric).
        RouteTable = "off";
      };
      wireguardPeers = [{
        wireguardPeerConfig = {
          PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
          Endpoint = "81.201.149.152:1337";
          # Prefixes accepted from / sent to this peer.  Any route the network
          # unit adds must stay inside this set, or WireGuard refuses the packets.
          AllowedIPs = [
            "172.20.72.0/21"
            "172.22.90.0/24"
            "172.22.99.0/24"
          ];
          PersistentKeepalive = 25;
        };
      }];
    };
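    networks."10-wg-zentralwerk" = {
      matchConfig.Name = "wg-zentralwerk";
      networkConfig = {
        Address = "172.20.76.226/21";
        IPv6AcceptRA = true;
        # Split DNS: only the listed zones are resolved through the tunnel's
        # resolver; all other names follow the remaining interfaces.
        DNS = "172.20.73.8";
        Domains = [
          "~hq.c3d2.de"
          "~serv.zentralwerk.org"
          "~hq.zentralwerk.org"
          "~cluster.zentralwerk.org"
        ];
      };
      # RouteTable=off on the netdev, so the routes for the peer's prefixes
      # are declared here.  Every destination must be one of the netdev's
      # AllowedIPs entries: WireGuard's cryptokey routing has no peer for any
      # other destination and rejects the packets.  The previous list carried
      # "172.20.90.0/24" while the netdev allows "172.22.90.0/24", so that
      # subnet was unreachable; the list now mirrors AllowedIPs exactly.
      # Metric 9999 keeps these routes behind any lower-metric route from
      # another interface.
      routes = map
        (dst: {
          routeConfig = {
            Gateway = "172.20.76.225";
            Destination = dst;
            Metric = 9999;
          };
        }) [
        "172.20.72.0/21"
        "172.22.90.0/24"
        "172.22.99.0/24"
      ];
    };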

    # VPN
    netdevs."10-wg-mullvad" = {
      # Full-tunnel VPN link (Mullvad).
      netdevConfig.Kind = "wireguard";
      netdevConfig.Name = "wg-mullvad";
      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
        # Encapsulated UDP leaving this interface carries mark 0x8888.  The
        # network unit's policy rules key on that mark so the tunnel's own
        # packets are not routed back into the tunnel's default route.
        FirewallMark = 34952; # 0x8888
        # Default routes are managed by the network unit (table 1000), not
        # generated from AllowedIPs.
        RouteTable = "off";
      };
      wireguardPeers = [{
        wireguardPeerConfig = {
          PublicKey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
          Endpoint = "92.60.40.209:51820";
          # Every v4 and v6 destination may go through this peer.
          AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
          # No PersistentKeepalive here, unlike the other tunnels -- presumably
          # because this side originates all traffic; inbound-only services
          # behind NAT would need it.
        };
      }];
    };
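    networks."10-wg-mullvad" = {
      matchConfig.Name = "wg-mullvad";
      address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
      networkConfig = {
        # Every query not claimed by a more specific routing domain (e.g. the
        # zentralwerk zones) is sent to the provider's resolver inside the tunnel.
        DNS = "10.64.0.1";
        DNSDefaultRoute = true;
        Domains = [ "~." ];
      };

      # v4 and v6 default routes for the tunnel live in their own table so they
      # never compete with the main table.  Gateway 0.0.0.0 / :: means on-link.
      routes = map
        (gate: {
          routeConfig = {
            Gateway = gate;
            Table = 1000;
          };
        }) [
        "0.0.0.0"
        "::"
      ];

      # Policy routing, evaluated lowest priority first:
      #   80  explicit bypass destinations -> full main-table lookup
      #   90  main table, but a bare default route (prefix length 0) is
      #       suppressed, so only on-link and specific routes can win here
      #  100  anything NOT carrying the WireGuard fwmark -> table 1000 (VPN).
      #       The tunnel's own encrypted UDP carries the mark, so it falls
      #       through to the main table instead of looping into the tunnel.
      routingPolicyRules = [
        {
          routingPolicyRuleConfig = {
            Family = "both";
            FirewallMark = 34952; # 0x8888, must equal the netdev's FirewallMark
            InvertRule = true;
            Table = "1000";
            Priority = 100;
          };
        }
        {
          routingPolicyRuleConfig = {
            Family = "both";
            SuppressPrefixLength = 0;
            Table = "main";
            Priority = 90;
          };
        }
      ] ++ map
        (net: {
          # Destinations that bypass the VPN.  Keep this to the tunnel endpoint
          # and private ranges: a public prefix listed here leaves via the real
          # uplink with the real source address.
          routingPolicyRuleConfig = {
            Priority = 80;
            To = net;
          };
        }) [
        # Mullvad endpoint.  Belt and braces: the handshake/transport packets
        # are fwmarked and already avoid rule 100.
        "92.60.40.209/32"
        # RFC 1918.  10.0.0.0/8 is not exempted as a whole; only the two other
        # WireGuard subnets are (so 10.x traffic to anything else still goes via
        # the VPN).  172.16.0.0/12 covers the zentralwerk prefixes.
        "10.13.37.0/24"
        "10.66.66.0/24"
        "172.16.0.0/12"
        # Previously "182.168.0.0/16" (a typo; that is a public range, not
        # RFC 1918): traffic to that /16 bypassed the VPN with the real source
        # address, while off-link 192.168.x.x destinations were pushed into it.
        "192.168.0.0/16"
        # "fc00::/7" is left out as before, so ULA IPv6 also goes through the VPN.
      ];
    };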
  };
}