aubergine: nftables: fix DHCP renewal
# Networking for host "aubergine": a small router/gateway (ip_forward is enabled
# below; the per-link configuration lives in the imported networking/*.nix files).
# The address prefixes used further down (eth1IPv4, wifiIPv4, ...) are brought
# into scope by the `with` on the next line — their exact form (presumably a
# dotted /24 prefix, given the ".1" appended below) is not visible here.
{ pkgs, lib, config, ... }:
with (import networking/names-and-numbers.nix);
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/networking/ssh.nix
  ];
  install.substituteOnDestination = false;
  networking.domain = "sp";
  # Addresses are configured per link by the imports above, not obtained by DHCP.
  networking.useDHCP = false;

  # This host forwards IPv4 between its links; *which* traffic may be forwarded
  # is decided by the forward-* chains of the ruleset below, not by the sysctl.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # Host-specific rules appended (mkAfter) to the base ruleset, presumably the
  # one defined in networking/nftables.nix, which is also where these chains
  # would have to be jumped to from the input/output/forward hooks (not visible
  # here — confirm when changing chain names).
  #   input-lan:        accept DNS (port 53, udp+tcp) and DHCP server (bootps)
  #                     requests arriving from the LAN.
  #   output-lan:       accept DHCP answers sent by the systemd-network user
  #                     (sport bootps -> dport bootpc).  Unicast renew/rebind
  #                     replies are not broadcast, so without this rule they
  #                     are presumably caught by the output chain's default
  #                     policy; this is the "fix DHCP renewal" of the commit.
  #   forward-to-lan /
  #   forward-to-net:   currently accept everything (counted); the finer
  #                     `jump forward-connectivity` is left commented out.
  #   forward-from-net: only replies to established/related flows are let
  #                     through; anything else is logged with prefix
  #                     "forward-from-net: " and dropped, i.e. no unsolicited
  #                     inbound traffic is ever forwarded from the uplink.
  #   forward:          catch-all for forwarded traffic matched by none of the
  #                     above: logged ("forward: ") and dropped.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
      }
      chain output-lan {
        meta skuid ${config.users.users."systemd-network".name} \
        meta l4proto { udp, tcp } th sport bootps \
        meta l4proto { udp, tcp } th dport bootpc \
        counter accept comment "DHCP rebinding/renewing"
      }
      chain forward-to-lan {
        #jump forward-connectivity
        counter accept
      }
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      chain forward-from-net {
        ct state established accept
        ct state related accept
        log level warn prefix "forward-from-net: " counter drop
      }
      chain forward {
        log level warn prefix "forward: " counter drop
      }
    }
  '';

  networking.networkmanager.enable = true;
  # mDNS/DNS-SD: this host publishes its own records and, with reflector, relays
  # mDNS between its links so LAN segments can discover each other.
  # NOTE(review): openFirewall only affects the NixOS-managed firewall rules;
  # whether it has any effect next to the hand-written ruleset above depends on
  # networking/nftables.nix.  Also confirm avahi is limited to the LAN links
  # (services.avahi.allowInterfaces) so nothing is reflected toward the uplink —
  # that restriction is not visible here.
  services.avahi = {
    enable = true;
    openFirewall = true;
    publish = {
      enable = true;
      addresses = true;
      domain = true;
      hinfo = true;
      userServices = true;
      workstation = true;
    };
    reflector = true;
  };
  # WARNING: settings.listen_addresses are not merged...
  # hence they are all defined here.
  # Loopback plus the gateway (".1") address of each LAN link; no uplink
  # address is listed, which together with input-lan keeps the resolver
  # reachable from the LAN side only.
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
    "${eth1IPv4}.1:53"
    "${eth2IPv4}.1:53"
    "${eth3IPv4}.1:53"
    "${wifiIPv4}.1:53"
  ];

  # NOTE(review): X11 forwarding is enabled for every SSH login; the forwarded
  # display trusts the remote side, so scope it to the users who need it
  # (a Match block) if not everyone does.
  services.openssh.settings.X11Forwarding = true;

  # Per-interface traffic accounting.
  services.vnstat.enable = true;

  # The `${ssh/host.key.cred}` interpolation copies the file into the
  # world-readable Nix store, so it must remain an *encrypted* systemd
  # credential (as LoadCredentialEncrypted and the .cred suffix imply); systemd
  # decrypts it at service start and sshd sees the plaintext host key under
  # $CREDENTIALS_DIRECTORY/host.key, never in the store.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  # Headless capture tooling (tshark & co.); programs.wireshark presumably also
  # sets up the privileged dumpcap wrapper so group members can capture without
  # root — check who is in that group on this host.
  programs.wireshark = {
    enable = true;
    package = pkgs.wireshark-cli;
  };
}