{ pkgs, lib, secret, ... }: let inherit (lib) getExe; in { boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";}; # https://github.com/NixOS/nixpkgs/issues/76671 # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot # and can't be manually started... boot.supportedFilesystems = [ "nfs" ]; services.rpcbind.enable = true; networking = { hostName = "toothpick"; nameservers = [ (secret.network.ips.blowhole.ip or "") "93.184.77.2" "67.207.67.3" ]; wireguard = { enable = true; interfaces."wg0" = { postSetup = '' ${getExe pkgs.iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT ''; postShutdown = '' ${getExe pkgs.iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT ''; } // secret.wireguard."toothpick" or { privateKey = ""; }; }; defaultGateway = "64.225.96.1"; defaultGateway6 = ""; dhcpcd.enable = false; usePredictableInterfaceNames = lib.mkForce false; nat.forwardPorts = [ { destination = "127.0.0.1:6666"; proto = "udp"; sourcePort = 500; } ]; firewall = { extraCommands = '' iptables -P FORWARD DROP ''; interfaces."eth0" = { allowedTCPPorts = [ 80 443 6001 ]; allowedUDPPorts = [ 6666 500 ]; }; interfaces."nomad" = { allowedTCPPorts = [ 8500 ]; }; interfaces."wg0" = { allowedTCPPorts = [ ## Consul 8600 # DNS 8500 # HTTP 8502 # gRPC 8300 # server 8301 # LAN serf 8302 # WAN serf 4646 # Nomad 4647 4648 10000 ]; allowedTCPPortRanges = [ { from = 21000; to = 21255; } ]; allowedUDPPorts = [ ## Consul 8600 # DNS 8301 # LAN serf 8302 # WAN serf ]; allowedUDPPortRanges = [ { from = 21000; to = 21255; } ]; }; }; interfaces = { eth0 = { ipv4.addresses = [ { address = "64.225.104.221"; prefixLength = 20; } { address = "10.19.0.6"; prefixLength = 16; } ]; ipv6.addresses = [ { address = "fe80::8ce0:84ff:fefb:f981"; prefixLength = 64; } ]; ipv4.routes = [ { address = "64.225.96.1"; prefixLength = 32; } ]; }; }; }; services.udev.extraRules = '' ATTR{address}=="8e:e0:84:fb:f9:81", NAME="eth0" ''; }