# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

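{ config, depot, lib, pkgs, ... }:
let
  inherit (depot.ops) secrets;

  # UDP port for RADIUS authentication. Accounting (1813) is not opened here.
  radiusPort = 1812;

  # Upstream JANET (eduroam) RADIUS proxies that are allowed to reach us.
  # One entry per proxy host with its IPv4 and IPv6 address, so a proxy can
  # only ever be added or removed as a pair. Keep this list in sync with the
  # addresses published by the upstream operator.
  janetProxies = [
    { name = "roaming0.ja.net";       v4 = "194.82.174.185"; v6 = "2001:630:1:128::185"; }
    { name = "roaming1.ja.net";       v4 = "194.83.56.233";  v6 = "2001:630:1:12a::233"; }
    { name = "roaming2.ja.net (old)"; v4 = "194.83.56.249";  v6 = "2001:630:1:129::249"; }
    { name = "roaming2.ja.net (new)"; v4 = "193.63.195.50";  v6 = "2001:630:1:133::50";  }
  ];

  # Networks our own authenticators (access points / NAS devices) send RADIUS from.
  authenticatorSources = {
    v6 = [ "2a09:a443::/64" ];
    v4 = [ "92.118.30.0/24" ];
  };

  # One iptables/ip6tables rule accepting RADIUS auth traffic from `src`.
  # `cmd` is "iptables" or "ip6tables"; the rule goes into the nixos-fw chain
  # like the rules the NixOS firewall module itself generates.
  acceptRadiusFrom = cmd: src:
    "${cmd} -A nixos-fw -p udp --dport ${toString radiusPort} --src ${src} -j nixos-fw-accept\n";

  # Rules for the JANET proxies, annotated with the host name for readability
  # of the generated script (and of `iptables-save` diffs).
  janetRules = lib.concatMapStrings (p:
    "# ${p.name}\n"
    + acceptRadiusFrom "iptables" p.v4
    + acceptRadiusFrom "ip6tables" p.v6
  ) janetProxies;

  authenticatorRules =
    lib.concatMapStrings (acceptRadiusFrom "ip6tables") authenticatorSources.v6
    + lib.concatMapStrings (acceptRadiusFrom "iptables") authenticatorSources.v4;
in {
  imports = [
    ../lib/bvm.nix
    ../lib/as205479-web.nix
    ./radius.nix
  ];

  # Networking!
  networking = {
    hostName = "bvm-radius";
    hostId = "dcc75f10";
    # A server wants stable, predictable addresses; privacy extensions are off.
    tempAddresses = "disabled";

    # enp1s0: internal network; enp2s0: public-facing, carries the default routes.
    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.207"; prefixLength = 23; }];
    };
    interfaces.enp2s0 = {
      ipv4.addresses = [{ address = "92.118.28.9"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::9"; prefixLength = 32; }];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };

    firewall = {
      allowedTCPPorts = [ 80 443 ];
      # NOTE(review): UDP 443 is presumably HTTP/3 (QUIC) for the web module
      # imported above - confirm against ../lib/as205479-web.nix.
      allowedUDPPorts = [ 443 ];
      # RADIUS is deliberately NOT in allowedUDPPorts: it is only reachable
      # from the known upstream proxies and our own authenticator networks,
      # because the protocol has no transport-level protection beyond the
      # per-client shared secret. The NixOS firewall service rebuilds the
      # nixos-fw chain on every (re)start before running extraCommands, so
      # plain -A does not accumulate duplicate rules across reloads.
      extraCommands = ''
        # Allow JANET inbound RADIUS traffic.
        ${janetRules}
        # Allow inbound RADIUS from authenticators.
        ${authenticatorRules}'';
    };
  };
  my.ip.tailscale = "100.120.98.116";
  my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6278:6274";

  # TLS certificate for the RADIUS server (EAP) comes from Vault-managed ACME;
  # freeradius is restarted on renewal so it picks up the new key material.
  my.vault.acmeCertificates."as205479.net" = {
    group = "acme";
    hostnames = [ "as205479.net" ];
    reloadOrRestartUnits = [ "freeradius.service" ];
  };
  # nginx needs read access to the same certificate files via the acme group.
  users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
  users.groups.acme = {};

  system.stateVersion = "21.05";
}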