{ config, pkgs, ... }:

{
  # "net-services" is VLAN 10 on ens18; it carries 10.42.10.0/24 and the
  # 2a01:4f8:1c0c:8221::/64 prefix that this host addresses, advertises
  # and serves leases for below.
  networking = {
    vlans."net-services" = {
      id = 10;
      interface = "ens18";
    };

    # Tunnel towards the gatekeeper peer. The private key is read from a
    # file outside the Nix store on purpose: an inline key would be copied
    # into the world-readable /nix/store.
    wireguard = {
      enable = true;
      interfaces.wg-services = {
        ips = [ "fe80::42:10:1/64" ];
        privateKeyFile = "/var/src/secrets/wireguard/wg-services";
        # allowedIPs = "::/0" only decides which traffic may use the tunnel;
        # the actual default route is installed into table 20003 by
        # localCommands so the main routing table is left untouched.
        allowedIPsAsRoutes = false;
        peers = [
          {
            publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
            allowedIPs = [ "::/0" ];
            endpoint = "78.47.183.82:51876";
            #endpoint = "gatekeeper.net.clerie.de:51876";
            persistentKeepalive = 25;
          }
        ];
      };
    };

    # Default v6 route through the tunnel, kept in a dedicated table; the
    # policy rule in clerie.policyrouting.rules6 selects it only for
    # traffic sourced from the public /64.
    localCommands = ''
      ip -6 route add default dev wg-services table 20003
    '';

    interfaces.net-services = {
      ipv4 = {
        addresses = [
          { address = "10.42.10.1"; prefixLength = 24; }
          { address = "10.42.10.2"; prefixLength = 24; }
        ];
        # 10.42.132.0/23 is reachable via a next hop on this VLAN.
        routes = [
          { address = "10.42.132.0"; prefixLength = 23; via = "10.42.10.6"; }
        ];
      };
      ipv6.addresses = [
        { address = "fe80::1"; prefixLength = 64; }
        { address = "fd00:10:42:10::1"; prefixLength = 64; }
        { address = "fd00:10:42:10::2"; prefixLength = 64; }
        { address = "2a01:4f8:1c0c:8221::1"; prefixLength = 64; }
        { address = "2a01:4f8:1c0c:8221::2"; prefixLength = 64; }
      ];
    };
  };

  clerie = {
    # Source-based selection: only packets from the public /64 are sent to
    # the tunnel table populated by networking.localCommands.
    policyrouting.rules6 = [
      { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20003"; prio = 19000; }
    ];
    # Everyone is allowed reaching this, no firewall therefore
    uplink-selector.interfaces.net-services.uplink = "uplink-a";
  };

  services = {
    # Router advertisements on the VLAN: RA interval 30s, prefix lifetimes
    # of 60s valid / 30s preferred, resolver and search domain handed out
    # via RDNSS / DNSSL.
    radvd.config = ''
      interface net-services {
        AdvSendAdvert on;
        MaxRtrAdvInterval 30;
        prefix ::/64 {
          AdvValidLifetime 60;
          AdvPreferredLifetime 30;
        };
        RDNSS 2a01:4f8:1c0c:8221::8 {};
        DNSSL bula22.de {};
      };
    '';

    # IPv4 leases for the VLAN, listening on net-services only.
    kea.dhcp4.settings = {
      interfaces-config.interfaces = [ "net-services" ];
      subnet4 = [
        {
          id = 10;
          # NOTE(review): Kea's documented form is the network address
          # (10.42.10.0/24); confirm the host form used here is accepted
          # as intended.
          subnet = "10.42.10.1/24";
          pools = [ { pool = "10.42.10.100 - 10.42.10.240"; } ];
          option-data = [ { name = "routers"; data = "10.42.10.1"; } ];
        }
      ];
    };
  };
}