feat: add new machine "sentinel", a Hetzner Cloud server

2023-05-29 16:19:49 +02:00 · 2023-05-29 16:19:49 +02:00 · 97cb4e0ac5
commit 97cb4e0ac5
parent d18e86f981
11 changed files with 173 additions and 6 deletions
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  utils,
+  ...
+}: {
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "10-wan";};
+  };
+
+  systemd.network.networks = {
+    "10-wan" = let
+      icfg = config.repo.secrets.local.networking.interfaces.wan;
+    in {
+      address = [
+        icfg.hostCidrv4
+        icfg.hostCidrv6
+      ];
+      gateway = ["fe80::1"];
+      matchConfig.MACAddress = icfg.mac;
+      networkConfig.IPv6PrivacyExtensions = "yes";
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  # TODO mkForce nftables
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      untrusted.interfaces = ["wan"];
+    };
+  };
+
+  extra.wireguard.proxy-sentinel.server = {
+    host = config.networking.fqdn;
+    port = 51443;
+    reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
+    openFirewallRules = ["untrusted-to-local"];
+  };
+}