From 8807ce4435501db921e6c29cb0cdcfba9f68c1e7 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 6 Apr 2021 21:02:09 +0200
Subject: [PATCH] nixos-module/container/anon: route

---
 nix/nixos-module/container/anon.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/nix/nixos-module/container/anon.nix b/nix/nixos-module/container/anon.nix
index c45c1c8..d72f660 100644
--- a/nix/nixos-module/container/anon.nix
+++ b/nix/nixos-module/container/anon.nix
@@ -1,6 +1,8 @@
 { hostName, config, lib, pkgs, ... }:
 
 let
+ gateway = "upstream1";
+
 tunnels = lib.filterAttrs (_: wireguard:
 wireguard != null
 ) config.site.hosts.${hostName}.wireguard;
@@ -9,6 +11,7 @@ let
 then builtins.head (builtins.attrNames tunnels)
 else null;
 enabled = firstTunnel != null;
+ privateKeyFile = ifName: "/run/wireguard-keys/${ifName}.key";
 in
@@ -53,15 +56,29 @@ in
 };
 } ];
 }) tunnels;
- # TODO: qdisc from upstream pillar
- systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
+ systemd.network.networks = {
+ # Endpoint host-routes
+ core.routes = map (wireguard: {
+ routeConfig = {
+ Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
+ Gateway = config.site.net.core.hosts4.${gateway};
+ };
+ }) (builtins.attrValues tunnels);
+ } // builtins.mapAttrs (ifName: wireguard: {
+ # Wireguard interfaces
 matchConfig.Name = ifName;
+
 addresses = map (addr: {
 addressConfig.Address = addr;
 }) wireguard.addresses;
+ # IPv4 default route
 networkConfig.DefaultRouteOnDevice = true;
+ # IPv6 default route
+ routes = [ {
+ routeConfig.Destination = "::/0";
+ } ];
 extraConfig = ''
 [CAKE]
@@ -74,6 +91,8 @@ in
 networking.nat = lib.optionalAttrs (firstTunnel != null) {
 enable = true;
+ enableIPv6 = true;
+ internalInterfaces = [ "core" ];
 externalInterface = firstTunnel;
 forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
 };
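Review bot: `gateway = "upstream1";` in the first hunk bakes a site-specific host name into the module with no comment on what it is for; it is only consumed two hunks later as `config.site.net.core.hosts4.${gateway}` for the endpoint host routes, so a reader of this `let` has to go looking for that use. A comment on the line above it such as `# core-side next hop for the WireGuard endpoint host routes; must be a key of config.site.net.core.hosts4` would make the dependency explicit and explain why an eval error appears if the name is missing from hosts4. Whether the name should instead come from the site config is a design question beyond this change.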
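Review bot: `Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";` in the third hunk silently assumes every endpoint is an IPv4 literal with a port: `builtins.match` returns null for a string with no colon, so `builtins.head null` aborts evaluation with an unrelated-looking error, and a DNS name or a bracketed IPv6 literal does match the greedy group and yields a Destination that networkd cannot use (constructed examples: `host.example/32`, `[2001:db8::1]/32`). These host routes are what keeps each tunnel endpoint reachable via core once `DefaultRouteOnDevice` and the new `::/0` route pull everything else into the tunnel, so a wrong or rejected route breaks the tunnel in a way that is hard to diagnose; tightening the pattern and asserting on it turns that into a clear eval-time failure. The `addresses`/`routes` attribute set that follows is cut off at the hunk's end (the CAKE `extraConfig` continues outside it).
```nix
    # Endpoint host-routes: keep each tunnel endpoint reachable via core so
    # the tunnel's own default route (below) never swallows its handshake.
    # Endpoints must be IPv4 literals of the form A.B.C.D:port.
    core.routes = map (wireguard:
      let
        endpointHost = builtins.match "([0-9.]+):[0-9]+" wireguard.endpoint;
      in
      assert lib.assertMsg (endpointHost != null)
        "anon: wireguard endpoint ${wireguard.endpoint} must be an IPv4 literal with port";
      {
        routeConfig = {
          Destination = builtins.head endpointHost + "/32";
          Gateway = config.site.net.core.hosts4.${gateway};
        };
      }) (builtins.attrValues tunnels);
    # … unchanged: `} // builtins.mapAttrs (ifName: wireguard: { … })` per-interface config …
```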
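Review bot: `enableIPv6 = true;` in the last hunk masquerades IPv6 only through `externalInterface = firstTunnel`, while the `::/0` routes added in the previous hunk are installed on every tunnel interface; if more than one tunnel is configured (the `tunnels` attrset allows it), IPv6 traffic that leaves through a second tunnel is forwarded without NAT and reaches the peer with a core-side source address. If a single tunnel is the intended deployment, a comment above `externalInterface` such as `# NAT (v4 and v6) only via the first tunnel; multi-tunnel setups would need per-interface masquerade` records the limitation; otherwise the default-route-on-every-device layout and the single external interface need to be reconciled. The `networking.nat` attribute set starts and ends inside this hunk.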