2025-10-01 19:51:55 -05:00
|
|
|
{
|
|
|
|
|
flake,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
inherit (flake.config.machines.devices) ceres;
|
2025-11-06 16:35:10 -06:00
|
|
|
inherit (flake.config.services) instances;
|
|
|
|
|
wireguardService = instances.wireGuard;
|
2025-10-01 19:51:55 -05:00
|
|
|
in
|
|
|
|
|
{
|
2025-11-07 23:54:02 -06:00
|
|
|
microvm.host.enable = true;
|
|
|
|
|
|
2025-11-27 14:49:31 -06:00
|
|
|
systemd.network = {
|
|
|
|
|
enable = true;
|
|
|
|
|
netdevs."10-br-vms" = {
|
|
|
|
|
netdevConfig = {
|
|
|
|
|
Name = "br-vms";
|
|
|
|
|
Kind = "bridge";
|
|
|
|
|
};
|
2025-11-08 01:36:52 -06:00
|
|
|
};
|
2025-11-27 14:49:31 -06:00
|
|
|
networks = {
|
|
|
|
|
"20-lan" = {
|
|
|
|
|
matchConfig.Name = [
|
2025-12-04 21:45:24 -06:00
|
|
|
"enp3s0"
|
2025-11-27 14:49:31 -06:00
|
|
|
"vm-*"
|
|
|
|
|
];
|
|
|
|
|
networkConfig = {
|
|
|
|
|
Bridge = "br-vms";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
"30-br-vms" = {
|
|
|
|
|
matchConfig.Name = "br-vms";
|
|
|
|
|
networkConfig = {
|
2025-12-04 21:45:24 -06:00
|
|
|
Address = "192.168.50.245/24";
|
2025-11-27 14:49:31 -06:00
|
|
|
Gateway = "192.168.50.1";
|
|
|
|
|
DNS = [ "192.168.50.1" ];
|
|
|
|
|
};
|
|
|
|
|
linkConfig.RequiredForOnline = "routable";
|
|
|
|
|
};
|
2025-11-08 01:36:52 -06:00
|
|
|
};
|
|
|
|
|
};
|
2025-10-01 19:51:55 -05:00
|
|
|
networking = {
|
|
|
|
|
hostName = ceres.name;
|
2025-11-06 18:20:03 -06:00
|
|
|
networkmanager.enable = false;
|
2025-10-01 19:51:55 -05:00
|
|
|
nftables.enable = true;
|
2025-11-08 00:57:17 -06:00
|
|
|
useDHCP = false;
|
2025-10-01 19:51:55 -05:00
|
|
|
firewall = {
|
|
|
|
|
enable = true;
|
|
|
|
|
allowedTCPPorts = [
|
|
|
|
|
22 # SSH
|
|
|
|
|
25 # SMTP
|
|
|
|
|
139 # SMTP
|
|
|
|
|
587 # SMTP
|
|
|
|
|
2525 # SMTP
|
2025-11-03 02:39:55 -06:00
|
|
|
9999 # NC
|
2025-11-06 16:35:10 -06:00
|
|
|
wireguardService.ports.port0 # WireGuard
|
|
|
|
|
];
|
|
|
|
|
allowedUDPPorts = [
|
|
|
|
|
wireguardService.ports.port0 # WireGuard
|
|
|
|
|
wireguardService.ports.port1 # WireGuard
|
2025-10-01 19:51:55 -05:00
|
|
|
];
|
2025-11-27 14:49:31 -06:00
|
|
|
# Add port ranges for VPN dynamic port forwarding
|
|
|
|
|
allowedTCPPortRanges = [
|
|
|
|
|
{
|
|
|
|
|
from = 30000;
|
|
|
|
|
to = 65535;
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
allowedUDPPortRanges = [
|
|
|
|
|
{
|
|
|
|
|
from = 30000;
|
|
|
|
|
to = 65535;
|
|
|
|
|
}
|
|
|
|
|
];
|
2025-10-01 19:51:55 -05:00
|
|
|
};
|
|
|
|
|
};
|
2025-11-06 17:47:14 -06:00
|
|
|
|
2025-10-01 19:51:55 -05:00
|
|
|
services = {
|
|
|
|
|
avahi = {
|
|
|
|
|
enable = true;
|
|
|
|
|
openFirewall = true;
|
|
|
|
|
nssmdns4 = true;
|
|
|
|
|
publish = {
|
|
|
|
|
enable = true;
|
|
|
|
|
userServices = true;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
sshd.enable = true;
|
|
|
|
|
openssh = {
|
|
|
|
|
enable = true;
|
|
|
|
|
settings.PasswordAuthentication = false;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
