hosts/pumpkin/networking.nix

   1 { pkgs, lib, ... }:
   2 {
   3   imports = [
   4     ../../nixos/profiles/dnscrypt-proxy2.nix
   5     ../../nixos/profiles/networking/ssh.nix
   6     ../../nixos/profiles/networking/wifi.nix
   7     ../../nixos/profiles/kubo.nix
   8     #../../nixos/profiles/openvpn/calyx.nix
   9     networking/nftables.nix
  10   ];
  11   install.substituteOnDestination = false;
  12   #networking.domain = "sourcephile.fr";
  13   networking.useDHCP = false;
  14
  15   services.tor = {
  16     relay = {
  17       role = "private-bridge";
  18       onionServices."radicle/1" = {
  19         map = [
  20           {
  21             port = 8776;
  22             target = {
  23               port = 8777;
  24             };
  25           }
  26         ];
  27       };
  28     };
  29     settings = {
  30       HashedControlPassword = lib.readFile tor/HashedControlPassword.clear;
  31       # https://metrics.torproject.org/rs.html#search/flag:exit%20country:be%20running:true
  32       # https://nusenu.github.io/OrNetStats/w/relay/58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.html
  33       MapAddress = [
  34         "*.gcp.cloud.es.io *.gcp.cloud.es.io.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  35         "*.redbee.live         *.redbee.live.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  36         "*.rtbf.be                 *.rtbf.be.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  37       ];
  38       StrictNodes = true;
  39     };
  40   };
  41
  42   networking.nftables.ruleset = lib.mkAfter ''
  43     table inet filter {
  44       chain input {
  45         ip daddr 10.0.0.0/8 counter goto input-lan
  46         ip daddr 172.16.0.0/12 counter goto input-lan
  47         ip daddr 192.168.0.0/16 counter goto input-lan
  48         ip daddr 224.0.0.0/3 counter goto input-lan
  49         goto input-net
  50       }
  51       chain output {
  52         ip daddr 10.0.0.0/8 counter goto output-lan
  53         ip daddr 172.16.0.0/12 counter goto output-lan
  54         ip daddr 192.168.0.0/16 counter goto output-lan
  55         ip daddr 224.0.0.0/3 counter goto output-lan
  56         jump output-net
  57         log level warn prefix "output-net: " counter drop
  58       }
  59     }
  60   '';
  61
  62   networking.hosts = {
  63     #"80.67.180.129" = ["salons.sourcephile.fr"];
  64   };
  65
  66   networking.interfaces = { };
  67
  68   networking.networkmanager = {
  69     enable = true;
  70     unmanaged = [
  71     ];
  72   };
  73
  74   systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
  75     "host.key:${ssh/host.key.cred}"
  76   ];
  77
  78   programs.wireshark = {
  79     enable = true;
  80     package = pkgs.wireshark-qt;
  81   };
  82 }