nixos-config/nixos/machines/hera/network.nix
2021-12-17 03:29:43 +01:00


# NixOS networking for the host "hera": a public uplink on ens18, an internal
# bridge, the WireGuard mesh interface "m0wire", IPv6 forwarding and NDP
# proxying for the delegated /64. Host addresses come from config.m-0.hosts,
# WireGuard keys/port from the shared common/wireguard.nix module.
{ pkgs, config, ... }:
let
  wireguard = import ../../../common/wireguard.nix;
  inherit (config.m-0) hosts;

  # Every peer references the same pre-shared key file; only the public key
  # and the allowed IPs differ per peer.
  # NOTE(review): a PSK shared by all peers means one compromised peer's key
  # material covers the other tunnels as well; WireGuard's recommendation is
  # one PSK per peer pair. The shared file is kept here to preserve the
  # deployed behaviour — changing it requires new secret files.
  sharedPsk = pkgs.privatePath "wireguard/psk";

  # Build one peer entry for the m0wire interface from the peer's name in
  # wireguard.pub and its list of allowed addresses.
  mkPeer = name: allowedIPs: {
    publicKey = wireguard.pub.${name};
    inherit allowedIPs;
    presharedKeyFile = sharedPsk;
  };
in
{
  # hera forwards IPv6 between the uplink, the bridge and the tunnel.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  networking = {
    hostName = "hera";
    domain = "m-0.eu";

    interfaces = {
      # Uplink: one public IPv4 address plus the host's own IPv6 address and
      # the address used as WireGuard endpoint. Proxy ARP is enabled on both
      # the uplink and the bridge.
      ens18 = {
        proxyARP = true;
        ipv4.addresses = [
          { address = "213.136.94.190"; prefixLength = 24; }
        ];
        ipv6.addresses = [
          { address = hosts.hera; prefixLength = 128; }
          { address = hosts.hera-wg-host; prefixLength = 128; }
        ];
      };

      # Internal bridge (no member interfaces are declared in this file).
      bridge = {
        proxyARP = true;
        ipv6.addresses = [
          { address = hosts.hera-intern; prefixLength = 112; }
        ];
        ipv4.addresses = [
          { address = "10.0.0.1"; prefixLength = 24; }
        ];
      };
    };
    bridges.bridge.interfaces = [ ];

    defaultGateway = "213.136.94.1";
    defaultGateway6 = {
      address = "fe80::1";
      interface = "ens18";
    };

    # IPv4 masquerading for the bridge network towards the uplink.
    nat = {
      enable = true;
      externalInterface = "ens18";
      internalInterfaces = [ "bridge" ];
    };

    nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];

    firewall = {
      # TCP 8666: the service behind this port is not identified in this file.
      allowedTCPPorts = [ 8666 ];
      allowedUDPPorts = [ wireguard.port ];

      # IPv6-only raw rules. Input arriving over the tunnel is accepted
      # outright, ICMPv6 and reply traffic may be forwarded, and any other
      # forwarded packet that did not enter via the tunnel goes to the NixOS
      # log-and-refuse chain. Forwarded traffic entering via m0wire falls
      # through to the chain's default policy.
      # NOTE(review): these are appended straight to INPUT/FORWARD rather than
      # to a nixos-fw chain the module flushes, so they presumably precede the
      # port allow-list and may accumulate across firewall reloads unless
      # removed again in extraStopCommands — confirm against the module.
      extraCommands = ''
        ip6tables -A INPUT -i m0wire -j ACCEPT
        ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
        ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
      '';
    };

    # WireGuard mesh: this host carries a /112 on the mesh network and a /64
    # on the "vpn" range; each peer is restricted to its own /128 addresses.
    wireguard.interfaces.m0wire = {
      ips = [ "${hosts.hera-wg}/112" "${hosts.vpn.hera}/64" ];
      privateKeyFile = pkgs.privatePath "wireguard/hera-private";
      listenPort = wireguard.port;
      peers = [
        (mkPeer "zeus" [ "${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128" ])
        (mkPeer "apollo" [ "${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128" ])
        (mkPeer "fluffy" [ "${hosts.vpn.fluffy}/128" ])
        (mkPeer "pegasus" [ "${hosts.vpn.pegasus}/128" ])
      ];
    };
  };

  # Answer neighbour solicitations on the uplink for the whole delegated /64
  # so addresses behind hera are reachable from upstream (static rule).
  services.ndppd = {
    enable = true;
    configFile = pkgs.writeText "ndppd.conf" ''
      proxy ens18 {
      rule ${config.m-0.prefix}::/64 {
      static
      }
      }
    '';
  };
}