network/nix/nixos-module/container/yggdrasil.nix


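{ pkgs, lib, config, hostName, ... }:

# Yggdrasil overlay router for this container: makes sure a TUN device node
# exists, turns on IPv6 forwarding, masquerades non-Yggdrasil sources onto the
# `ygg` interface and runs the yggdrasil daemon with a fixed public peer list.
# Only active when the site config enables yggdrasil for this host.
lib.mkIf config.site.hosts.${hostName}.services.yggdrasil.enable {
  # The NixOS firewall is off inside this container, so nothing in this module
  # filters inbound traffic to the container's own listening sockets; the only
  # packet rule installed here is the NAT66 masquerade below. Whatever limits
  # exposure of the Yggdrasil peer/admin ports has to come from the container
  # or host network setup — confirm that when changing peers or IfName.
  networking.firewall.enable = false;

  # The container runtime may not populate /dev/net/tun; create it so the
  # daemon can open its TUN interface. Mode 666 is the usual udev default for
  # this node (opening it still requires CAP_NET_ADMIN to attach an interface).
  boot.postBootCommands = ''
    if [ ! -c /dev/net/tun ]; then
      mkdir -p /dev/net
      mknod -m 666 /dev/net/tun c 10 200
    fi
  '';

  # Forward traffic under the prefix.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  networking.nat = {
    enable = true;
    # Provide NAT66 for everyone with addresses foreign to Yggdrasil:
    # 200::/7 is the Yggdrasil address range, so anything else leaving via
    # `ygg` is rewritten to this node's Yggdrasil address.
    extraCommands = ''
      ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
    '';
    # The rule is appended straight to POSTROUTING rather than to one of the
    # nixos-nat-* chains, so the NixOS NAT teardown does not remove it and a
    # reload would stack a second copy. Delete it explicitly on stop; it may
    # already be absent, hence the ignored exit status.
    extraStopCommands = ''
      ip6tables -t nat -D POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE 2>/dev/null || true
    '';
  };

  services.yggdrasil = {
    enable = true;
    # Keep the node keys (and therefore its Yggdrasil address) across restarts.
    persistentKeys = true;
    config = {
      IfName = "ygg";
      Peers = # https://publicpeers.neilalexander.dev/
        [
          # deutschland
          "tcp://ygg.mkg20001.io:80"
          # czechia
          "tcp://[2a03:3b40:fe:ab::1]:46370" # emery vpsfree.cz
          # nederlands
          "tls://77.249.167.165:8084" # emery nijmegen
        ];
      NodeInfo = {
        # This information is visible to the network.
        name = "y.c3d2.de";
        location = "Dresden";
        email = "ehmry@c3d2.de";
      };
    };
  };
}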