infra/nix/os/devices/router0-hosthatch/configuration.nix


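{
  repoFlake,
  pkgs,
  lib,
  config,
  nodeFlake,
  nodeName,
  system,
  variables,
  ...
}:
# NixOS configuration for the router0-hosthatch node: a single-disk BIOS VM that
# terminates two WireGuard tunnels (wg0/wg1) and masquerades tunnel traffic out
# of eth0. Packet filtering is done with nixos-nftables-firewall; the stock
# scripted firewall and NAT modules are force-disabled below so the two do not
# manage the same ruleset.
{
  system.stateVersion = "24.05";

  imports = [
    nodeFlake.inputs.disko.nixosModules.disko
    nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
    repoFlake.inputs.sops-nix.nixosModules.sops
    ../../snippets/nix-settings.nix
    ../../profiles/common/user.nix
    nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default

    # Host access: root is the only account, its password comes from sops.
    {
      services.openssh.enable = true;
      # NOTE(review): TCP/22 is opened from every zone (rules.to-fw below), so
      # with PermitRootLogin = "yes" a password-based root login is reachable
      # from the WAN zone. Whether key-based auth is provisioned is decided in
      # ../../profiles/common/user.nix, outside this file; if keys are in
      # place, "prohibit-password" is the safer value. Left unchanged here to
      # avoid a lock-out — confirm before tightening.
      services.openssh.settings.PermitRootLogin = "yes";
      users.commonUsers = {
        enable = true;
        enableNonRoot = false;
        rootPasswordFile = config.sops.secrets.passwords-root.path;
      };
      # sops.age.keyFile = "/etc/age.key";
      # sops.age.sshKeyPaths = [];
      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";
      # The root password hash has to be decrypted before user creation runs.
      sops.secrets.passwords-root.neededForUsers = true;
    }

    # TODO: extract this into single-disk VM BIOS module
    {
      boot.loader.systemd-boot.enable = false;
      boot.loader.grub.efiSupport = false;
      # forcing seems required or else there's an error about duplicated devices
      boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];

      # Disk layout: GPT with a 1M BIOS-boot partition and a btrfs root that
      # holds /, /nix and /boot as subvolumes.
      disko.devices.disk.vda = {
        device = "/dev/vda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                subvolumes = {
                  # Subvolume name is different from mountpoint
                  "/rootfs" = {
                    mountpoint = "/";
                  };
                  "/nix" = {
                    mountOptions = [ "noatime" ];
                    mountpoint = "/nix";
                  };
                  "/boot" = {
                    mountpoint = "/boot";
                  };
                };
              };
            };
          };
        };
      };

      # Drivers needed in the initrd to reach the root disk on this VM host.
      # "virtio_ring" was listed twice in the original; the duplicate is dropped.
      boot.initrd.kernelModules = [
        "virtio_balloon"
        "virtio_scsi"
        "virtio_net"
        "virtio_pci"
        "virtio_ring"
        "virtio"
        "scsi_mod"
        "virtio_blk"
        "ata_piix"
        "pata_acpi"
        "ata_generic"
      ];
    }
  ];

  # sops.secrets.ssh_host_ed25519_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_ed25519_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_ed25519_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_ed25519_key.pub";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_rsa_key";
  #   mode = "0600";
  # };
  # sops.secrets.ssh_host_rsa_key_pub = {
  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  #   format = "yaml";
  #   path = "/etc/ssh/ssh_host_rsa_key.pub";
  #   mode = "0644";
  # };

  # This host routes between the tunnels and eth0, so forwarding is on for
  # both address families; what may actually be forwarded is decided by the
  # nftables rules below.
  boot = {
    kernel = {
      sysctl = {
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv6.conf.all.forwarding" = true;
      };
    };
  };

  networking = {
    hostName = nodeName;
    useNetworkd = true;
    useDHCP = true;
    # Keeps the interface named eth0, which the zone and gateway config rely on.
    usePredictableInterfaceNames = false;
    interfaces.eth0.ipv4.addresses = [
      {
        address = variables.ipv4;
        prefixLength = variables.ipv4length;
      }
    ];
    defaultGateway = {
      interface = "eth0";
      address = variables.ipv4gateway;
    };
    nameservers = [ variables.ipv4dns ];

    # these will be configured via nftables
    nat.enable = lib.mkForce false;
    firewall.enable = lib.mkForce false;

    # Use the nftables firewall instead of the base nixos scripted rules.
    # This flake provides a similar utility to the base nixos scripting.
    # https://github.com/thelegy/nixos-nftables-firewall/tree/main
    nftables = {
      enable = true;
      firewall = {
        enable = true;
        snippets.nnf-common.enable = true;

        # Two zones: the upstream link and the WireGuard tunnels.
        zones.wan = {
          interfaces = [ "eth0" ];
        };
        zones.vpn = {
          interfaces = [
            "wg0"
            "wg1"
          ];
        };

        rules = {
          # Traffic addressed to this host itself. Everything not listed is
          # dropped, so these lists are the host's complete inbound exposure.
          to-fw = {
            from = "all";
            to = [ "fw" ];
            verdict = "drop";
            allowedTCPPorts = [
              22 # ssh
              # NOTE(review): iperf3 is reachable from the wan zone as well as
              # vpn — confirm that is intended rather than a test leftover.
              5201
            ];
            allowedUDPPorts = [
              # UDP/22 was listed in the original but sshd is TCP-only, so the
              # entry only widened the allow-list without serving anything.
              5201 # iperf3 (UDP mode)
              # Taken from the netdev definitions below so the open ports
              # cannot drift from the configured ListenPort values.
              config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
              config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
            ];
          };

          # Tunnel clients leave through eth0 with source NAT.
          vpn-to-wan-nat = {
            from = [ "vpn" ];
            to = [ "wan" ];
            masquerade = true;
            verdict = "accept";
          };
        };
      };
    };
  };

  # WireGuard key material: readable only by root and systemd-networkd.
  sops.secrets.wg0-privatekey = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg0-peer0-psk = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg1-privatekey = {
    mode = "440";
    group = "systemd-network";
  };
  sops.secrets.wg1-peer0-psk = {
    mode = "440";
    group = "systemd-network";
  };

  systemd.network.enable = true;

  # NOTE(review): the original noted the same local public key
  # (/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=) on both wg0 and wg1, yet the
  # two netdevs use distinct private keys — at most one of those notes can be
  # current. Verify with `wg show` before relying on either.
  systemd.network.netdevs.wg0 = {
    enable = true;
    netdevConfig = {
      Name = "wg0";
      Kind = "wireguard";
    };
    wireguardConfig = {
      ListenPort = 51820;
      PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
    };
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          AllowedIPs = [
            "10.0.1.1/32"
            "192.168.0.0/16"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
          PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
        };
      }
    ];
  };

  systemd.network.netdevs.wg1 = {
    enable = true;
    netdevConfig = {
      Name = "wg1";
      Kind = "wireguard";
    };
    wireguardConfig = {
      ListenPort = 51821;
      PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
    };
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          AllowedIPs = [
            # NOTE(review): wg0 uses a /32 for its peer address but this is a
            # /31 that also covers our own 10.0.1.2 — likely meant to be
            # "10.0.1.3/32". Left unchanged; confirm against the peer's config.
            "10.0.1.3/31"
            "192.168.0.0/16"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
          PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
        };
      }
    ];
  };

  # Point-to-point /31s on each tunnel; 192.168.0.0/16 is routed over both with
  # a next hop per tunnel. Presumably the intent is equal-cost load sharing —
  # confirm that both next hops show up in `ip route` on the running system.
  systemd.network.networks.wg0 = {
    enable = true;
    matchConfig.Name = "wg0";
    address = [ "10.0.1.0/31" ];
    routes = [
      {
        routeConfig = {
          Destination = "192.168.0.0/16";
          MultiPathRoute = "10.0.1.1 1";
        };
      }
    ];
  };

  systemd.network.networks.wg1 = {
    enable = true;
    matchConfig.Name = "wg1";
    address = [ "10.0.1.2/31" ];
    routes = [
      {
        routeConfig = {
          Destination = "192.168.0.0/16";
          MultiPathRoute = "10.0.1.3 1";
        };
      }
    ];
  };

  # Operator tooling for debugging the tunnels and link state.
  environment.systemPackages = [
    pkgs.ethtool
    pkgs.neovim
    pkgs.tmux
    pkgs.wireguard-tools
    pkgs.tshark
    (pkgs.writeShellScriptBin "dbg-ip" ''
      echo links:
      ip -br -c l
      echo
      echo addresses:
      ip -br -c a
      echo
      echo vlans:
      bridge -c vlan
    '')
    # NOTE(review): nothing in this file enables dnsmasq; this helper only does
    # something useful if a sibling module configures it.
    (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
      # get the rendered in-use config
      pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
    '')
  ];
}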