sshd: use LoadCredentialEncrypted=

[julm/julm-nix.git] / hosts / oignon / networking.nix

{ pkgs, lib, ... }:
{
  imports = [
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
    networking/nftables.nix
  ];
  install.substituteOnDestination = false;
  #networking.domain = "sourcephile.fr";
  networking.useDHCP = false;

  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        goto input-net
      }
      chain output {
        ip daddr 10.0.0.0/8 counter goto output-lan
        ip daddr 172.16.0.0/12 counter goto output-lan
        ip daddr 192.168.0.0/16 counter goto output-lan
        ip daddr 224.0.0.0/3 counter goto output-lan
        jump output-net
        log level warn prefix "output-net: " counter drop
      }
    }
  '';

  networking.interfaces = { };

  networking.networkmanager = {
    enable = true;
    unmanaged = [
    ];
  };
  environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
    mode = "600";
    text = ''
      [connection]
      id=Prixtel
      uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
      type=gsm
      autoconnect=false
      permissions=user:julm:;

      [gsm]
      apn=sl2sfr
      number=*99#
      home-only=true

      [ppp]

      [ipv4]
      method=auto

      [ipv6]
      addr-gen-mode=stable-privacy
      method=disabled

      [proxy]
    '';
  };

  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    patate.enable = true;
    aubergine.enable = true;
  };

  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted =
    [ "ed25519.key:${inputs.self}/host/${hostName}/networking/ssh/ed25519.key.cred" ];
  services.openssh.hostKeys =
    [ { type = "ed25519"; path = "/run/credentials/sshd.service/ed25519.key"; }
    ];

  environment.systemPackages = [
    pkgs.iw
    pkgs.modem-manager-gui
  ];
}