server-configuration/services/vm-test.nix

{
  config,
  pkgs,
  ...
}: let
  vm-index = 1;
  vm-mac = "02:00:00:00:00:02";
in {
  config.microvm.vms."vm-test" = {
    config = {...}: {
      microvm.interfaces = [
        {
          id = "vm${toString vm-index}";
          type = "tap";
          mac = vm-mac;
        }
      ];

      microvm.shares = [
        {
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
      ];

      networking.useNetworkd = true;
      networking.usePredictableInterfaceNames = false;
      systemd.network.networks."10-eth" = {
        matchConfig.MACAddress = vm-mac;
        address = [
          "10.0.0.${toString vm-index}/32"
        ];
        routes = [
          # Host Route
          {
            Destination = "10.0.0.0/32";
            GatewayOnLink = true;
          }
          # Default route
          {
            Destination = "0.0.0.0/0";
            Gateway = "10.0.0.0";
            GatewayOnLink = true;
          }
        ];
        networkConfig = {
          DNS = [
            "9.9.9.9"
            "8.8.8.8"
            "8.8.4.4"
          ];
        };
      };

      networking.useDHCP = false;
      networking.nameservers = [
        "10.0.101.1"
        "8.8.8.8"
        "8.8.4.4"
      ];

      systemd.services."wireguard-kill-switch" = {
        description = "Wireguard Kill Switch";
        after = ["network-online.target"];
        wants = ["network-online.target"];
        wantedBy = ["multi-user.target"];

        serviceConfig = {
          type = "oneshot";
          ExecStart = pkgs.writeShellScript "wgconf.sh" ''
            # Stay a while and listen
            # ${pkgs.toybox}/bin/sleep 5
            # Route local traffic through wg0 except local traffic
            ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
            ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
            # Block all traffic that isnt local or through the vpn
            ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
          '';
          RemainAfterExit = "yes";
        };
      };

      networking.wireguard.enable = true;
      systemd.network = {
        netdevs."10-wg0" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg0";
            MTUBytes = "1300";
          };
          wireguardConfig = {
            PrivateKeyFile = "${./wireguard-secret}";
            FirewallMark = 42;
            ListenPort = 51820;
          };
          wireguardPeers = [
            {
              PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
              AllowedIPs = ["0.0.0.0/0"];
              Endpoint = "193.32.248.66:51820";
              # PersistentKeepalive = 25;
            }
          ];
        };
        networks."wg0" = {
          matchConfig.Name = "wg0";
          address = [
            " 10.65.241.123/32"
          ];
          DHCP = "no";
          dns = ["10.64.0.1"];
          gateway = [
            "10.0.0.0"
          ];
        };
      };

      users.users.root = {
        password = "1234";
      };
      services.openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "yes";
          AllowUsers = null;
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = true;
        };
      };
    };
  };
}