nix/profiles/vogon.nix

{ config, pkgs, ... }:
let
  # Peers of the "infra" overlay. Each peer is both a WireGuard peer (reached
  # at `endpoint`, owning the single overlay address `address`) and a VXLAN
  # endpoint, so this one list feeds `wireguardPeers` and the VXLAN forwarding
  # database below and the two cannot drift apart.
  infraPeers = [
    {
      publicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY=";
      endpoint = "89.234.162.224:51039";
      address = "fd0a:66d3:1c19:1000::2";
    }
    {
      publicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg=";
      endpoint = "137.194.12.129:51039";
      address = "fd0a:66d3:1c19:1000::3";
    }
    {
      publicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc=";
      endpoint = "193.48.225.201:51039";
      address = "fd0a:66d3:1c19:1000::4";
    }
  ];

  # This host's own address on the WireGuard overlay; it is also the source
  # address of the VXLAN encapsulation, so VXLAN rides inside WireGuard.
  overlayLocal = "fd0a:66d3:1c19:1000::1";

  # VXLAN network identifier, shared by the netdev and every FDB entry.
  infraVni = 42;

  # Mount options for the EFI system partitions: root-only file and dir modes.
  espOptions = [ "fmask=0077" "dmask=0077" ];

  # One GRUB mirrored-boot entry per ESP mount point.
  mirroredBoot = mount: {
    devices = [ "nodev" ];
    path = mount;
    efiSysMountPoint = mount;
  };

  # Pin a stable interface name to a physical NIC by MAC address.
  renameLink = mac: name: {
    matchConfig.MACAddress = mac;
    linkConfig.Name = name;
  };

  # Enslave a physical interface to the LACP bond.
  bondMember = name: {
    matchConfig.Name = name;
    networkConfig.Bond = "bond";
  };
in
{
  # WireGuard private key: decrypted by agenix into a root-owned file and
  # handed to systemd-networkd as a systemd credential (LoadCredential), which
  # is what the "@wg-infra-key" reference in wireguardConfig.PrivateKey
  # resolves to. The key itself never appears in the Nix store.
  age.secrets.vogon-wg-infra-key = {
    file = ../secrets/vogon-wg-infra-key.age;
    owner = "root";
    group = "root";
  };
  systemd.services.systemd-networkd.serviceConfig.LoadCredential = [
    "wg-infra-key:${config.age.secrets.vogon-wg-infra-key.path}"
  ];

  environment.systemPackages = [ pkgs.wireguard-tools ];

  # FIXME: the ZFS root was not set up with disko. The box had to be up in a
  # hurry (1 AM), so the disks were partitioned by hand; this layout is
  # therefore not reproducible from the declarative config alone.
  fileSystems = {
    "/" = {
      device = "rpool/root";
      fsType = "zfs";
    };
    "/boot1" = {
      device = "/dev/disk/by-uuid/F121-2F47";
      fsType = "vfat";
      options = espOptions;
    };
    "/boot2" = {
      device = "/dev/disk/by-uuid/F167-8DD8";
      fsType = "vfat";
      options = espOptions;
    };
  };

  boot = {
    zfs.extraPools = [ "data" ];

    # GRUB rather than systemd-boot: systemd-boot has no simple equivalent of
    # mirroredBoots, and we want the bootloader on both ESPs.
    loader = {
      grub = {
        enable = true;
        efiSupport = true;
        zfsSupport = true; # FIXME useless? both ESPs are vfat, not ZFS
        mirroredBoots = map mirroredBoot [ "/boot1" "/boot2" ];
      };
      efi.canTouchEfiVariables = true;
    };

    initrd = {
      kernelModules = [ ];
      availableKernelModules = [
        "ahci"
        "ehci_pci"
        "megaraid_sas"
        "usbhid"
        "usb_storage"
        "sd_mod"
        "sr_mod"
      ];
    };
  };

  # FIXME: trustedInterfaces disables the firewall entirely for these
  # interfaces. br-infra carries the 10.42.0.0/16 and fd0a:66d3:1c19:42::/64
  # segment, so every host on that bridge reaches every local service
  # unfiltered; NOTE(review): confirm that is intended rather than an
  # allowed-ports list on br-infra.
  networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ];

  systemd.network = {
    # Stable names for the two physical NICs.
    links = {
      "10-phy1" = renameLink "18:66:da:75:da:04" "phy1";
      "10-phy2" = renameLink "18:66:da:75:da:05" "phy2";
    };

    netdevs = {
      # Uplink bridge: the bond is a member of it, and it carries the public
      # address (see networks."10-wan").
      "10-wan".netdevConfig = {
        Name = "wan";
        Kind = "bridge";
      };

      # LACP bond over phy1 + phy2.
      "10-bond" = {
        netdevConfig = {
          Name = "bond";
          Kind = "bond";
        };
        bondConfig.Mode = "802.3ad";
      };

      # Local bridge for the infra segment; vxl-infra is a member of it.
      "10-br-infra".netdevConfig = {
        Name = "br-infra";
        Kind = "bridge";
      };

      # VXLAN overlay between the infra peers. Local is this host's WireGuard
      # address, so the encapsulated traffic only ever travels inside the
      # tunnel, not over the WAN.
      "10-vxl-infra" = {
        netdevConfig = {
          Name = "vxl-infra";
          Kind = "vxlan";
        };
        vxlanConfig = {
          Local = overlayLocal;
          VNI = infraVni;
          MacLearning = true;
          DestinationPort = 4789;
        };
      };

      # WireGuard tunnel between the infra peers. Each peer is allowed only
      # its own single overlay address. NOTE(review): nothing in this file
      # opens UDP 51039 in the firewall; since every peer has an Endpoint and
      # a keepalive this host initiates the handshakes, but confirm whether
      # inbound connections are expected (and opened elsewhere).
      "10-wg-infra" = {
        netdevConfig = {
          Name = "wg-infra";
          Kind = "wireguard";
        };
        wireguardConfig = {
          ListenPort = 51039;
          PrivateKey = "@wg-infra-key";
        };
        wireguardPeers = map (peer: {
          PublicKey = peer.publicKey;
          Endpoint = peer.endpoint;
          AllowedIPs = [ peer.address ];
          PersistentKeepalive = 10;
        }) infraPeers;
      };
    };

    networks = {
      "10-phy1" = bondMember "phy1";
      "10-phy2" = bondMember "phy2";

      "10-bond" = {
        matchConfig.Name = "bond";
        networkConfig.Bridge = "wan";
      };

      # Public uplink address and default gateway.
      "10-wan" = {
        matchConfig.Name = "wan";
        address = [ "193.54.193.161/28" ];
        routes = [
          { Gateway = "193.54.193.174"; }
        ];
      };

      # Gateway addresses for the infra segment.
      "10-br-infra" = {
        matchConfig.Name = "br-infra";
        linkConfig.MACAddress = "9E:D8:78:A1:CE:22";
        address = [
          "fd0a:66d3:1c19:42::1/64"
          "10.42.0.1/16"
        ];
      };

      # Attach the VXLAN to the infra bridge. The all-zero MAC FDB entries are
      # flood entries: unknown-destination frames are replicated to every
      # peer's overlay address.
      "10-vxl-infra" = {
        matchConfig.Name = "vxl-infra";
        networkConfig = {
          Bridge = "br-infra";
          LinkLocalAddressing = false;
        };
        bridgeFDBs = map (peer: {
          MACAddress = "00:00:00:00:00:00";
          Destination = peer.address;
          VNI = infraVni;
        }) infraPeers;
      };

      # This host's overlay address; the VXLAN netdev is bound to the tunnel.
      "10-wg-infra" = {
        matchConfig.Name = "wg-infra";
        networkConfig = {
          Address = "${overlayLocal}/64";
          VXLAN = "vxl-infra";
        };
      };
    };
  };
}