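# WireGuard hub configuration for this host (ceres): it terminates the wg0
# tunnel, forwards/masquerades tunnel traffic out of eth0 and pulls its key
# material from sops. Module args: `config` (for the sops secret paths),
# `flake` (shared service/device definitions), `pkgs` (iptables binaries).
{ config, flake, pkgs, ... }:
let
  inherit (flake.config.services.instances) wireGuard;
  inherit (flake.config.machines.devices) mars ceres;

  service = wireGuard;

  # This host's tunnel address with its prefix length. The same string is the
  # IPv4 source range that gets masqueraded, so it must stay a /24.
  hostIP = "${ceres.wireguard.ip0}/24";

  # ULA prefix used inside the tunnel. The IPv4 side comes from the flake
  # config; the IPv6 side is fixed here and shared by every place it appears.
  ip6Prefix = "fdc9:281f:04d7:9ee9";
  hostIP6 = "${ip6Prefix}::1/64";
  peerIP6 = "${ip6Prefix}::2/128";

  iptables = "${pkgs.iptables}/bin/iptables";
  ip6tables = "${pkgs.iptables}/bin/ip6tables";

  # The firewall/NAT rules installed around the tunnel. `action` is "-A" for
  # postUp and "-D" for preDown, so the two hooks cannot drift apart.
  # NOTE(review): `FORWARD -i wg0 -j ACCEPT` forwards anything that arrives on
  # the tunnel; what a peer can send is bounded only by its allowedIPs below.
  natRules = action: ''
    ${iptables} ${action} FORWARD -i wg0 -j ACCEPT
    ${iptables} -t nat ${action} POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
    ${ip6tables} ${action} FORWARD -i wg0 -j ACCEPT
    ${ip6tables} -t nat ${action} POSTROUTING -s ${hostIP6} -o eth0 -j MASQUERADE
  '';
in
{
  networking = {
    firewall = {
      # NOTE(review): WireGuard itself speaks UDP only (listenPort is port1
      # below); confirm what port0 serves before keeping the TCP opening.
      allowedTCPPorts = [ service.ports.port0 ];
      allowedUDPPorts = [ service.ports.port0 service.ports.port1 ];
    };

    nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };

    wg-quick.interfaces = {
      wg0 = {
        address = [ hostIP hostIP6 ];
        listenPort = service.ports.port1;
        privateKeyFile = config.sops.secrets."${service.name}-private".path;

        postUp = natRules "-A";
        # Undo the above
        preDown = natRules "-D";

        peers = [
          {
            publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
            # NOTE(review): the secret name suggests this file holds mars's
            # public key. A preshared key must be a separately generated
            # secret (e.g. `wg genpsk`); a public key is not secret and adds
            # nothing here. Confirm the file's contents.
            presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path;
            # Cryptokey routing: only these addresses are accepted from / sent
            # to this peer.
            allowedIPs = [ "${mars.wireguard.ip0}/32" peerIP6 ];
          }
        ];
      };
    };
  };

  sops = let
    # Every secret is materialised under the service's sops path, owned by
    # root and readable by root only (wg-quick runs as root).
    sopsPath = secret: {
      path = "${service.sops.path0}/${service.name}-${secret}-pass";
      owner = "root";
      mode = "600";
    };
  in {
    # "public" is declared but not referenced in this module.
    secrets = builtins.listToAttrs (
      map (secret: {
        name = "${service.name}-${secret}";
        value = sopsPath secret;
      }) [ "private" "public" "mars-public" ]
    );
  };

  # Kept explicit even though networking.nat.enable is expected to turn
  # forwarding on as well; IPv6 forwarding is left to nat.enableIPv6.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };
}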