{ config, ... }:
{
  imports = [ ../../modules/server/mogma ];

  # Secret material (agenix). The decrypted path is consumed below as the
  # WireGuard private key.
  age.secrets.mogma-privatekey = {
    file = ../../secrets/zora/services/mogma-privatekey.age;
    # NOTE(review): "755" leaves the WireGuard private key world-readable (and
    # executable). Which user the vpn-netns module reads the key as is not
    # visible from this file, so the value is kept as-is -- confirm and tighten
    # to the narrowest mode that still works (agenix's own default is "0400").
    mode = "755";
  };

  networking = {
    # Host identity. IPv6 is switched off for the whole host.
    hostName = "zora";
    domain = "lyes.eu";
    hostId = "233c35ca";
    enableIPv6 = false;

    # Resolvers: Quad9 primary/secondary, then Cloudflare primary/secondary.
    nameservers = [ "9.9.9.9" "149.112.112.112" "1.1.1.1" "1.0.0.1" ];

    # Host firewall: SSH plus HTTP/HTTPS. NOTE(review): 443/udp is the usual
    # QUIC/HTTP3 port; 80/udp is unusual -- confirm it is really needed.
    firewall = {
      enable = true;
      allowedTCPPorts = [ 22 80 443 ];
      allowedUDPPorts = [ 80 443 ];
    };

    # Static IPv4 on the uplink with a single default route via the gateway.
    interfaces.ens2f0.ipv4 = {
      addresses = [
        { address = "185.230.78.13"; prefixLength = 24; }
      ];
      routes = [
        { address = "0.0.0.0"; prefixLength = 0; via = "185.230.78.99"; }
      ];
    };

    # WireGuard tunnel confined to its own network namespace; the listed
    # services are restricted to that namespace (option provided by the
    # imported module, not visible here).
    vpn-netns = {
      wireguardInterface = "mogma";
      nameserver = "10.2.0.1";
      interfaceNamespace = "netns-mogma";
      vethInterfaceName = "veth-mogma";
      vethIP = "192.168.2.2";
      vethOuterIP = "192.168.2.1";
      wireguardOptions = {
        privateKeyFile = config.age.secrets.mogma-privatekey.path;
        ips = [ "10.2.0.2/32" ];
        peers = [
          {
            publicKey = "W4XqVNXMdnhtiRxWNzWThy3f7hRoT9NTx/HYu/jTaRU=";
            # Full-tunnel: all IPv4 and IPv6 routed through the peer.
            allowedIPs = [ "0.0.0.0/0" "::/0" ];
            endpoint = "79.127.169.89:51820";
            persistentKeepalive = 25;
          }
        ];
      };
      restrictedServices = [ "qbittorrent" "suwayomi-server" ];
      portForwarding.enable = true;
    };

    # Inbound bandwidth cap (1250 kB/s, i.e. ~10 Mbit/s, burst 2500 kB) to
    # avoid disrupting Aurore/Crans. The chain is a second `input` hook next
    # to the NixOS firewall: a packet must be accepted by both chains, so this
    # only ever removes traffic. SSH (tcp/22) is exempt from the limit.
    # NOTE(review): `networking.nftables.enable` is not set in this file; the
    # table is only rendered when nftables is enabled -- presumably done by
    # the imported module, confirm.
    nftables.tables.rate_limit = {
      name = "rate_limit";
      family = "inet";
      enable = true;
      content = ''
        limit ratelimit {
          rate 1250 kbytes/second burst 2500 kbytes ;
          comment "used to limit taffic" ;
        }
        chain input {
          type filter hook input priority 0; policy drop;
          iifname lo accept
          tcp dport 22 accept
          iifname ens2f0 limit name "ratelimit" accept
          iifname veth-mogma limit name "ratelimit" accept
        }
      '';
      # Egress limit, currently disabled. NOTE(review): if this is ever
      # re-enabled, `iifname` does not match locally generated packets in an
      # output hook; `oifname` is the match to use there.
      # chain output {
      #   type filter hook output priority 0; policy drop;
      #   iifname lo accept
      #   tcp dport 22 accept
      #   iifname ens2f0 limit name "ratelimit" accept
      # }
    };
  };
}