nixfiles/nixos/boxes/britnet.nix

{ lib, ... }:
let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britnet) domain pubV4 prefixes;
in
{
  nixos.systems.britnet = {
    system = "x86_64-linux";
    nixpkgs = "mine";

    assignments = {
      allhost = {
        inherit domain;
        ipv4 = {
          address = pubV4;
          mask = 24;
          gateway = "77.74.199.1";
        };
        ipv6 = {
          address = "2a12:ab46:5344:99::a";
          gateway = "2a12:ab46:5344::1";
        };
      };
      vpn = {
        ipv4 = {
          address = net.cidr.host 1 prefixes.vpn.v4;
          gateway = null;
        };
        ipv6.address = net.cidr.host 1 prefixes.vpn.v6;
      };
    };

    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
      let
        inherit (lib) mkMerge mkForce;
        inherit (lib.my) networkdAssignment;
      in
      {
        imports = [
          "${modulesPath}/profiles/qemu-guest.nix"
        ];

        config = mkMerge [
          {
            boot = {
              initrd.availableKernelModules = [
                "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sr_mod" "virtio_blk"
              ];
              loader = {
                systemd-boot.enable = false;
                grub = {
                  enable = true;
                  device = "/dev/vda";
                };
              };
            };

            fileSystems = {
              "/boot" = {
                device = "/dev/disk/by-uuid/457444a1-81dd-4934-960c-650ad16c92b5";
                fsType = "ext4";
              };
              "/nix" = {
                device = "/dev/disk/by-uuid/992c0c79-5be6-45b6-bc30-dc82e3ec082a";
                fsType = "ext4";
              };
              "/persist" = {
                device = "/dev/disk/by-uuid/f020a955-54d5-4098-98ba-d3615781d96a";
                fsType = "ext4";
                neededForBoot = true;
              };
            };

            environment = {
              systemPackages = with pkgs; [
                wireguard-tools
              ];
            };

            services = {
              iperf3 = {
                enable = true;
                openFirewall = true;
              };

              tailscale = {
                enable = true;
                authKeyFile = config.age.secrets."tailscale-auth.key".path;
                openFirewall = true;
                interfaceName = "tailscale0";
                extraUpFlags = [
                  "--operator=${config.my.user.config.name}"
                  "--login-server=https://hs.nul.ie"
                  "--netfilter-mode=off"
                  "--advertise-exit-node"
                  "--accept-routes=false"
                ];
              };
            };

            networking = { inherit domain; };

            systemd.network = {
              netdevs = {
                "30-wg0" = {
                  netdevConfig = {
                    Name = "wg0";
                    Kind = "wireguard";
                  };
                  wireguardConfig = {
                    PrivateKeyFile = config.age.secrets."britnet/wg.key".path;
                    ListenPort = lib.my.c.britnet.vpn.port;
                  };
                  wireguardPeers = [
                    {
                      PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE=";
                      AllowedIPs = [
                        (net.cidr.host 10 prefixes.vpn.v4)
                        (net.cidr.host 10 prefixes.vpn.v6)
                      ];
                    }
                  ];
                };
              };

              links = {
                "10-veth0" = {
                  matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
                  linkConfig.Name = "veth0";
                };
              };

              networks = {
                "20-veth0" = mkMerge [
                  (networkdAssignment "veth0" assignments.allhost)
                  {
                    dns = [ "1.1.1.1" "1.0.0.1" ];
                    routes = [
                      {
                        # Gateway is on a different network for some reason...
                        Destination = "2a12:ab46:5344::1";
                        Scope = "link";
                      }
                    ];
                  }
                ];
                "30-wg0" = mkMerge [
                  (networkdAssignment "wg0" assignments.vpn)
                  {
                    networkConfig.IPv6AcceptRA = mkForce false;
                  }
                ];
              };
            };

            my = {
              server.enable = true;
              secrets = {
                key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
                files = {
                  "tailscale-auth.key" = {};
                  "britnet/wg.key" = {
                    owner = "systemd-network";
                  };
                };
              };

              firewall = {
                udp.allowed = [ lib.my.c.britnet.vpn.port ];
                trustedInterfaces = [ "tailscale0" ];
                extraRules = ''
                  table inet filter {
                    chain forward {
                      iifname wg0 oifname veth0 accept
                    }
                  }
                  table inet nat {
                    chain postrouting {
                      iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
                      iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
                    }
                  }
                '';
              };
            };
          }
        ];
      };
  };
}