hosts/aubergine/networking.nix

   1 { lib, ... }:
   2 with lib;
   3 with (import networking/names-and-numbers.nix);
   4 {
   5   imports = [
   6     networking/ftth.nix
   7     networking/ethernet.nix
   8     networking/wifi.nix
   9     networking/lte.nix
  10     networking/nftables.nix
  11     ../../nixos/profiles/dnscrypt-proxy2.nix
  12     ../../nixos/profiles/wireguard/wg-intra.nix
  13     ../../nixos/profiles/networking/ssh.nix
  14   ];
  15   install.substituteOnDestination = false;
  16   networking.domain = "wg";
  17   networking.useDHCP = false;
  18
  19   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  20   networking.nftables.ruleset = mkAfter ''
  21     table inet filter {
  22       chain forward-to-net {
  23         #jump forward-connectivity
  24         counter accept
  25       }
  26       chain forward-from-net {
  27         ct state { established, related } accept
  28         log level warn prefix "forward-from-net: " counter drop
  29       }
  30       chain forward {
  31         log level warn prefix "forward: " counter drop
  32       }
  33     }
  34   '';
  35
  36   services.avahi.enable = true;
  37   services.avahi.openFirewall = true;
  38   services.avahi.publish.enable = true;
  39   # WARNING: settings.listen_addresses are not merged...
  40   # hence there all defined here.
  41   services.dnscrypt-proxy2.settings.listen_addresses = [
  42     "127.0.0.1:53"
  43     "[::1]:53"
  44     "${eth1IPv4}.1:53"
  45     "${eth2IPv4}.1:53"
  46     "${eth3IPv4}.1:53"
  47     "${wifiIPv4}.1:53"
  48   ];
  49
  50   networking.wireguard.wg-intra.peers = {
  51     mermet.enable = true;
  52     losurdo.enable = true;
  53     oignon.enable = true;
  54     patate.enable = true;
  55   };
  56
  57 }