1 files changed, 98 insertions, 1 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 9418159c..07ba564d 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+  mwnSubnetsPublic =
+    [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+      "192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+      "193.174.96.0/22"
+      "194.95.59.0/24"
+    ];
+  mwnSubnetsPrivate =
+    [ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+    ];
+in {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
    ./mail
@@ -104,6 +114,93 @@
        server=/sif.libvirt/192.168.122.1
      '';
    };
+    environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+      text = ''
+        server=/mathinst.loc/10.153.88.9
+        server=/cipmath.loc/10.153.88.9
+      '';
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=wgrz:1025
+      '';
+    };
+    systemd.network = {
+      netdevs = {
+        wgrz = {
+          netdevConfig = {
+            Name = "wgrz";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.wgrz.path;
+            ListenPort = 51822;
+            # FirewallMark = 1;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+                PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+                PersistentKeepalive = 25;
+                Endpoint = "wg.math.lmu.de:51820";
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        wgrz = {
+          name = "wgrz";
+          matchConfig = {
+            Name = "wgrz";
+          };
+          address = ["10.200.116.128/24"];
+          routes = map (Destination: { routeConfig = {
+            inherit Destination;
+            Gateway = "10.200.116.1";
+            GatewayOnLink = true;
+            Table = "wgrz";
+          };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+          routingPolicyRules = [
+            { routingPolicyRuleConfig = {
+                Table = "main";
+                # FirewallMark = 1;
+                To = "129.187.111.225";
+                Priority = 100;
+              };
+            }
+            { routingPolicyRuleConfig = {
+                Table = "wgrz";
+                From = "10.200.116.128";
+                Priority = 200;
+              };
+            }
+          ] ++ map (To: { routingPolicyRuleConfig = {
+                            Table = "wgrz";
+                            inherit To;
+                            Priority = 200;
+                          };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+            DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+          };
+        };
+      };
+    };
+    sops.secrets.wgrz = {
+      format = "binary";
+      sopsFile = ./wgrz/privkey;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    networking.networkmanager.unmanaged = ["wgrz"];
    services.resolved.enable = false;

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 9418159c..07ba564d 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
1	{ flake, pkgs, customUtils, lib, config, path, ... }:	1	{ flake, pkgs, customUtils, lib, config, path, ... }:
2	{	2	let
		3	mwnSubnetsPublic =
		4	[ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
		5	"192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
		6	"193.174.96.0/22"
		7	"194.95.59.0/24"
		8	];
		9	mwnSubnetsPrivate =
		10	[ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
		11	];
		12	in {
3	imports = with flake.nixosModules.systemProfiles; [	13	imports = with flake.nixosModules.systemProfiles; [
4	./hw.nix	14	./hw.nix
5	./mail	15	./mail
@@ -104,6 +114,93 @@
104	server=/sif.libvirt/192.168.122.1	114	server=/sif.libvirt/192.168.122.1
105	'';	115	'';
106	};	116	};
		117	environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
		118	text = ''
		119	server=/mathinst.loc/10.153.88.9
		120	server=/cipmath.loc/10.153.88.9
		121	'';
		122	};
		123
		124	environment.etc."systemd/networkd.conf" = {
		125	text = ''
		126	[Network]
		127	RouteTable=wgrz:1025
		128	'';
		129	};
		130	systemd.network = {
		131	netdevs = {
		132	wgrz = {
		133	netdevConfig = {
		134	Name = "wgrz";
		135	Kind = "wireguard";
		136	};
		137	wireguardConfig = {
		138	PrivateKeyFile = config.sops.secrets.wgrz.path;
		139	ListenPort = 51822;
		140	# FirewallMark = 1;
		141	};
		142	wireguardPeers = [
		143	{ wireguardPeerConfig = {
		144	AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
		145	PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
		146	PersistentKeepalive = 25;
		147	Endpoint = "wg.math.lmu.de:51820";
		148	};
		149	}
		150	];
		151	};
		152	};
		153	networks = {
		154	wgrz = {
		155	name = "wgrz";
		156	matchConfig = {
		157	Name = "wgrz";
		158	};
		159	address = ["10.200.116.128/24"];
		160	routes = map (Destination: { routeConfig = {
		161	inherit Destination;
		162	Gateway = "10.200.116.1";
		163	GatewayOnLink = true;
		164	Table = "wgrz";
		165	};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
		166	routingPolicyRules = [
		167	{ routingPolicyRuleConfig = {
		168	Table = "main";
		169	# FirewallMark = 1;
		170	To = "129.187.111.225";
		171	Priority = 100;
		172	};
		173	}
		174	{ routingPolicyRuleConfig = {
		175	Table = "wgrz";
		176	From = "10.200.116.128";
		177	Priority = 200;
		178	};
		179	}
		180	] ++ map (To: { routingPolicyRuleConfig = {
		181	Table = "wgrz";
		182	inherit To;
		183	Priority = 200;
		184	};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
		185	linkConfig = {
		186	RequiredForOnline = false;
		187	};
		188	networkConfig = {
		189	LLMNR = false;
		190	MulticastDNS = false;
		191	DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
		192	};
		193	};
		194	};
		195	};
		196	sops.secrets.wgrz = {
		197	format = "binary";
		198	sopsFile = ./wgrz/privkey;
		199	mode = "0640";
		200	owner = "root";
		201	group = "systemd-network";
		202	};
		203	networking.networkmanager.unmanaged = ["wgrz"];
107		204
108	services.resolved.enable = false;	205	services.resolved.enable = false;
109		206