add wg1 for poweredge and masquerade for wg1 etcHEAD master

author: Tim Keller <tjk@tjkeller.xyz> 2026-03-30 22:44:35 -0500
committer: Tim Keller <tjk@tjkeller.xyz> 2026-03-30 22:44:35 -0500
commit: d09ec6c6a3260ce3c320ce2e3f252e7fb50eef55 (patch)
tree: 04ac8f02d3c13fd6a50cc3bcef6566fdf5837092
parent: 369e8b83f082f3ac2d3f6a040c0efafe981642a7 (diff)
download: nixos-master.tar.xz
nixos-master.zip
7 files changed, 60 insertions, 19 deletions
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
index 0c51f3c..a363592 100644
--- a/hosts/poweredge/configuration.nix
+++ b/hosts/poweredge/configuration.nix
@@ -5,6 +5,7 @@ in {
 		./ddns-updater.nix
 		./networking.nix
 		#./notification-mailer.nix  # TODO move some of this stuff to archetype
+		./wg1.nix
 	];
 
 	# Setup bootloader
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
index 30f6e05..103c23b 100644
--- a/hosts/poweredge/ddns-updater.nix
+++ b/hosts/poweredge/ddns-updater.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, lib, ... }: {
 	# Password file for mail application password
 	sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
 
@@ -11,4 +11,9 @@
 			PERIOD = "5m";
 		};
 	};
+
+	# FIXME Required root permissions to open secret
+	systemd.services.ddns-updater = {
+		serviceConfig.DynamicUser = lib.mkForce false;
+	};
 }
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index c293831..7632a86 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -1,5 +1,6 @@
 {
 	networking = {
+		enableIPv6 = false;
 		# Label lan and wan interfaces
 		_interfaceLabels = {
 			enable = true;
@@ -16,36 +17,40 @@
 			}];
 			wan0.useDHCP = true;
 		};
-		#defaultGateway.interface = "wan0";
-		nameservers = [ "127.0.0.1" ];
 		# Firewall rules
 		firewall = {
 			interfaces.wan0 = {
 				allowedUDPPorts = [ 51820 ];
 			};
 		};
-		#nat.forwardPorts = [
-		#	{
-		#		sourcePort = 2222;
-		#		proto = "tcp";
-		#		destination = "10.1.1.1:22";
-		#	}
-		#	{
-		#		sourcePort = 22;
-		#		proto = "tcp";
-		#		destination = "10.1.1.1:22";
-		#	}
-		#];
+		# Additional advanced rules
+		# TODO add multi NAT feature to router service
+		nftables = {
+			enable = true;
+			tables = {
+				# NAT/masquerade wg1 allowing lan0 clients to access wg1
+				wg-nat = {
+					family = "ip";
+					content = ''
+						chain post {
+							type nat hook postrouting priority srcnat; policy accept;
+							iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1"
+						}
+					'';
+				};
+			};
+		};
 	};
 
 	services._router = {
 		dnsDhcpConfig = {
-			localDomain = "wg-router.pls.lan";
+			localDomain = "home.lan";
 			dhcp = {
 				defaultGateway = "192.168.1.1";
 				localhostIp = "192.168.1.1";
 				rangeStart = "192.168.1.50";
 				rangeEnd = "192.168.1.250";
+				# TODO think about moving leases to another file
 				staticLeases = {
 					idrac-7N94GK2 = {
 						macAddress = "50:9a:4c:5d:c3:7c";
@@ -71,6 +76,10 @@
 						macAddress = "e4:54:e8:bc:ba:05";
 						staticIp = "192.168.1.12";
 					};
+					X230 = {
+						macAddress = "84:3a:4b:60:34:c4";
+						staticIp = "192.168.1.13";
+					};
 				};
 			};
 		};
diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml
new file mode 100644
index 0000000..6610514
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/wg1.yaml
@@ -0,0 +1,16 @@
+wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str]
+sops:
+    age:
+        - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+            b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+            ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+            MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+            FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-31T02:00:52Z"
+    mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix
new file mode 100644
index 0000000..d94efb6
--- /dev/null
+++ b/hosts/poweredge/wg1.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+	sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml;
+
+	networking.wg-quick.interfaces = {
+		wg1.configFile = config.sops.secrets.wg1.path;
+	};
+}
diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix
index 48e0b8e..4c041c2 100644
--- a/nixos/services/router/dns-dhcp.nix
+++ b/nixos/services/router/dns-dhcp.nix
@@ -204,5 +204,8 @@ in {
 		# Search localDomain so host can resolve short names
 		# This is eq. to dnsmasq's dhcp-option "domain-search" for clients, it just adds a search rule to resolv.conf
 		networking.search = [ cfg.localDomain ];
+
+		# Add localhost as default nameserver
+		networking.nameservers = lib.mkDefault [ cfg.dhcp.localhostIp ];
 	};
 }
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index 25d91dd..6682538 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -35,9 +35,9 @@ in {
 				'';
 			};
 			nat = {
-				enable = true;
-				externalInterface = cfg.interfaces.wan;
-				internalInterfaces = [ cfg.interfaces.lan ];
+				enable = lib.mkDefault true;
+				externalInterface = lib.mkDefault cfg.interfaces.wan;
+				internalInterfaces = lib.mkDefault [ cfg.interfaces.lan ];
 			};
 		};
 	};
author	Tim Keller <tjk@tjkeller.xyz>	2026-03-30 22:44:35 -0500
committer	Tim Keller <tjk@tjkeller.xyz>	2026-03-30 22:44:35 -0500
commit	d09ec6c6a3260ce3c320ce2e3f252e7fb50eef55 (patch)
tree	04ac8f02d3c13fd6a50cc3bcef6566fdf5837092
parent	369e8b83f082f3ac2d3f6a040c0efafe981642a7 (diff)
download	nixos-master.tar.xz nixos-master.zip