hosts/plover: update networking setup

hosts/plover/default.nix

@@ -55,14 +55,21 @@ in
     };
   };
 
-  services.fail2ban.ignoreIP = [
+  services.fail2ban = {
-    "172.16.0.0/12"
+    ignoreIP = [
-    "fc00::/7"
+      # VPN clients.
+      "${interfaces.wireguard0.IPv4.address}/13"
+      "${interfaces.wireguard0.IPv6.address}/64"
+    ];
 
-    # Those from the tunneling services.
+    # We're going to be unforgiving with this one since we only have key
-    "${interfaces.wireguard0.IPv4.address}/16"
+    # authentication and password authentication is disabled anyways.
-    "${interfaces.wireguard0.IPv6.address}/64"
+    jails.sshd = ''
-  ];
+      enabled = true
+      maxretry = 1
+      port = 22
+    '';
+  };
 
   # TODO: Put the secrets to the respective service module.
   sops.secrets =

hosts/plover/modules/hardware/hetzner-cloud-cx21.nix

@@ -50,11 +50,10 @@ in
     dhcpcd.enable = false;
   };
 
-  # The main DNS server (not exactly by choice).
+  # The local DNS resolver. This should be used in conjunction with an
-  services.resolved = {
+  # authoritative DNS server as a forwarder. Also, it should live in its
-    enable = true;
+  # default address at 127.0.0.53 (as of systemd v252).
-    dnssec = "true";
+  services.resolved.enable = true;
-  };
 
   # The interface configuration is based from the following discussion:
   # https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/
@@ -98,6 +97,8 @@ in
           IPv6.gateway
         ];
 
+        # Using the authoritative DNS server to enable accessing them nice
+        # internal services with domain names.
         networkConfig.DNS = [
           "127.0.0.1"
           "::1"

hosts/plover/modules/hardware/networks.nix

@@ -5,22 +5,26 @@ let
   inherit (builtins) toString;
 in
 rec {
-  privateIPv6Prefix = "fdee:b0de:5685";
+  privateIPv6Prefix = "fc00:b0de:5685::";
 
+  # These blocks should be used sparingly with how wide these blocks cover.
+  # Plus, they shouldn't be treated as subnets.
   clientNetworks = [
     "172.24.0.0/13"
     "10.128.0.0/9"
+    "fd00::/8"
   ];
   serverNetworks = [
     "172.16.0.0/13"
     "10.0.0.0/9"
+    "fc00::/8"
   ];
 
-  interfaces = let
+  interfaces =
-    ploverInternalNetworkGateway = "172.16.0.1";
+    let
-    widdeerLan = "10.0.0.1";
+      ploverInternalNetworkGateway = "172.16.0.1";
-    ipv6Gateway = "fe80::1";
+      ipv6Gateway = "fe80::1";
-  in
+    in
     {
     # This is the public-facing interface. Any interface name with a prime
     # symbol means it's a public-facing interface.
@@ -34,55 +38,52 @@ rec {
         address = "65.109.224.213";
         gateway = "172.31.1.1";
       };
-      IPv6 = {
-        address = "2a01:4f9:c012:607a::1";
-        gateway = ipv6Gateway;
-      };
-    };
 
-    # /16 block for IPv4, /64 for IPv6.
+      internal = {
-    internal = {
+        IPv4 = {
-      IPv4 = {
+          address = "172.27.0.1";
-        address = "172.27.0.1";
+          gateway = ploverInternalNetworkGateway;
-        gateway = ploverInternalNetworkGateway;
+        };
+        IPv6 = {
+          address = "${privateIPv6Prefix}1";
+          gateway = ipv6Gateway;
+        };
       };
-      IPv6 = {
-        address = "${privateIPv6Prefix}:1::";
-        gateway = ipv6Gateway;
-      };
-    };
 
-    # /16 BLOCK for IPv4, /64 for IPv6.
+      wireguard0 = {
-    wireguard0 = {
+        IPv4 = {
-      IPv4 = {
+          address = "172.28.0.1";
-        address = "10.210.0.1";
+          gateway = ploverInternalNetworkGateway;
-        gateway = widdeerLan;
+        };
-      };
+        IPv6 = {
-      IPv6 = {
+          address = "${wireguardIPv6Prefix}1";
-        address = "${privateIPv6Prefix}:12ae::";
+          gateway = ipv6Gateway;
-        gateway = ipv6Gateway;
+        };
       };
     };
-  };
 
   # Wireguard-related things.
   wireguardPort = 51820;
-  wireguardIPHostPart = "10.210.0";
-  wireguardIPv6Prefix = interfaces.wireguard0.IPv6.address;
 
-  # These are all fixed IP addresses. They should be /32 IPv4 block and /128
+  # This IPv4 network block should have /13 for the Wireguard network.
-  # IPv6 block.
+  wireguardIPv4Prefix = "172.28.0";
+
+  # This IPv6 network prefix should have /64 for the entire Wireguard network.
+  wireguardIPv6Prefix = "fd00:ffff::";
+
+  # These are all fixed IP addresses. However, they should be assigned in /16
+  # and /64 for IPv4 and IPv6 block respectively.
   wireguardPeers = {
     server = with interfaces.wireguard0; {
       IPv4 = IPv4.address;
       IPv6 = IPv6.address;
     };
     desktop = {
-      IPv4 = "${wireguardIPHostPart}.2";
+      IPv4 = "${wireguardIPv4Prefix}.2";
       IPv6 = "${wireguardIPv6Prefix}2";
     };
     phone = {
-      IPv4 = "${wireguardIPHostPart}.3";
+      IPv4 = "${wireguardIPv4Prefix}.3";
       IPv6 = "${wireguardIPv6Prefix}3";
     };
   };

hosts/plover/modules/services/wireguard.nix

@@ -9,8 +9,8 @@ let
 
   wireguardIFName = "wireguard0";
 
-  desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/24" "${IPv6}/96" ];
+  desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/14" "${IPv6}/64" ];
-  phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/24" "${IPv6}/96" ];
+  phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/14" "${IPv6}/64" ];
 
   internalDomains = [
     "~${config.networking.fqdn}"
@@ -57,14 +57,10 @@ in
     networks."99-${wireguardIFName}" = {
       matchConfig.Name = wireguardIFName;
 
-      networkConfig = {
+      networkConfig.DNS = with interfaces.internal; [
-        DNS = with interfaces.internal; [
+        "127.0.0.1"
-          "127.0.0.1"
+        "::1"
-          "::1"
+      ];
-        ];
-        Domains = lib.concatStringsSep " " internalDomains;
-        DNSDefaultRoute = false;
-      };
 
       address = with interfaces.wireguard0; [
         "${IPv4.address}/32"