aubergine: add host
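{ config, pkgs, lib, hostName, ... }:
let
  # Physical interfaces of this host (kernel names).
  wifiIface = "wlp5s0";
  wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
  ftthIface = "enp1s0";
  eth1Iface = "enp2s0";
  eth2Iface = "enp3s0";
  eth3Iface = "enp4s0";

  # First three octets of each /24 LAN segment; this host is .1 on each of them.
  wifiIPv4 = "192.168.5";
  eth1IPv4 = "192.168.2";
  eth2IPv4 = "192.168.3";
  eth3IPv4 = "192.168.4";

  # dhcpd4 declaration for one LAN segment.
  # The per-segment options must be scoped INSIDE the subnet block: at global
  # scope a repeated `option routers` / `option domain-name-servers` /
  # `option broadcast-address` is simply overwritten by the last occurrence,
  # so every subnet would otherwise be handed the eth3 values.
  dhcpdSubnet = net: ''
    subnet ${net}.0 netmask 255.255.255.0 {
      option broadcast-address ${net}.255;
      option routers ${net}.1;
      option domain-name-servers ${net}.1;
      range ${net}.100 ${net}.200;
    }
  '';
in
{
  imports = [
    ../../nixos/profiles/networking.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
    networking/nftables.nix
  ];
  install.substituteOnDestination = false;
  networking.domain = "sourcephile.fr";
  networking.useDHCP = false;

  # This host routes between its LAN segments and the WWAN uplink.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # The chains referenced here (net2fw, fw2net, lan2fw, fw2lan) and the policies
  # of the base chains are not defined in this file; presumably they come from
  # ../../nixos/profiles/networking.nix or networking/nftables.nix — confirm.
  # Whether conntrack (established/related) handling exists for the forward
  # chain also depends on those files: the forward rules below are plain
  # per-interface-pair accepts.
  networking.nftables.ruleset = ''
    add rule inet filter input iifname { ${wwanIface}, ${ftthIface} } jump net2fw
    add rule inet filter input iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "net2fw: " counter drop
    add rule inet filter output oifname { ${wwanIface}, ${ftthIface} } jump fw2net
    add rule inet filter output oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "fw2net: " counter drop

    add rule inet filter input iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump lan2fw
    add rule inet filter input iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "lan2fw: " counter drop
    add rule inet filter output oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump fw2lan
    add rule inet filter output oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "fw2lan: " counter drop

    # Forwarding
    add rule inet filter forward iifname ${wifiIface} oifname ${wwanIface} counter accept
    add rule inet filter forward iifname ${wwanIface} oifname ${wifiIface} counter accept
    add rule inet filter forward iifname ${eth1Iface} oifname ${wwanIface} counter accept
    add rule inet filter forward iifname ${wwanIface} oifname ${eth1Iface} counter accept
    add rule inet filter forward iifname ${eth2Iface} oifname ${wwanIface} counter accept
    add rule inet filter forward iifname ${wwanIface} oifname ${eth2Iface} counter accept
    add rule inet filter forward iifname ${eth3Iface} oifname ${wwanIface} counter accept
    add rule inet filter forward iifname ${wwanIface} oifname ${eth3Iface} counter accept

    # Masquerading
    add rule inet nat postrouting iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wwanIface} masquerade

    # Servicing
    add rule inet filter lan2fw meta l4proto { udp, tcp } th dport 53 counter accept comment "DNS"
    add rule inet filter lan2fw meta l4proto { udp, tcp } th dport 67 counter accept comment "DHCP"
  '';
  # Note: only LAN <-> WWAN is forwarded and masqueraded; nothing is forwarded
  # between LAN segments, and the FTTH interface is not routed at all here.

  # openFirewall acts on networking.firewall; whether that has any effect with
  # the custom nftables ruleset above depends on the imported profiles — confirm.
  services.avahi.openFirewall = true;

  # Resolver for the LAN segments: listens on loopback and on each gateway
  # address (port 53 is opened for the LAN side in lan2fw above).
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
    "${wifiIPv4}.1:53"
    "${eth1IPv4}.1:53"
    "${eth2IPv4}.1:53"
    "${eth3IPv4}.1:53"
  ];

  # Static addressing: this host is the .1 gateway of each LAN segment;
  # the FTTH interface gets no address here.
  networking.interfaces = {
    ${ftthIface} = {
      useDHCP = false;
    };
    ${wifiIface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
    };
    ${eth1Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
    };
    ${eth2Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
    };
    ${eth3Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
    };
  };

  # Presumably re-applies the interface addresses when dhcpd4 fails to start
  # (e.g. because an interface had no address yet) — confirm the intent.
  systemd.services.dhcpd4 = {
    onFailure = [
      "network-addresses-${wifiIface}.service"
      "network-addresses-${eth1Iface}.service"
      "network-addresses-${eth2Iface}.service"
      "network-addresses-${eth3Iface}.service"
    ];
  };
  services.dhcpd4 = {
    enable = true;
    interfaces = [
      wifiIface
      eth1Iface
      eth2Iface
      eth3Iface
    ];
    # One subnet block per LAN segment; see dhcpdSubnet for why the options
    # are scoped per subnet rather than declared globally.
    extraConfig = ''
      option subnet-mask 255.255.255.0;

      ${dhcpdSubnet wifiIPv4}
      ${dhcpdSubnet eth1IPv4}
      ${dhcpdSubnet eth2IPv4}
      ${dhcpdSubnet eth3IPv4}
    '';
  };

  # NetworkManager is not enabled in this file (`#enable = true;` below);
  # the unit dependency and the GSM connection profile presumably rely on it
  # being enabled by an imported profile — confirm.
  systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
  networking.networkmanager = {
    #enable = true;
    # Keep NetworkManager away from the interfaces configured statically above.
    unmanaged = [
      ftthIface
      wifiIface
      eth1Iface
      eth2Iface
      eth3Iface
    ];
  };
  # GSM uplink profile for the WWAN modem; kept root-only (mode 600) and
  # restricted to user julm via the permissions= key.
  environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
    mode = "600";
    text = ''
      [connection]
      id=Prixtel
      uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
      type=gsm
      autoconnect=true
      permissions=user:julm:;

      [gsm]
      apn=sl2sfr
      number=*99#
      #home-only=true

      [ppp]

      [ipv4]
      method=auto

      [ipv6]
      addr-gen-mode=stable-privacy
      method=auto

      [proxy]
    '';
  };

  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };

  # sshd only binds the four LAN gateway addresses, never the WWAN/FTTH side.
  # Note that the Wi-Fi segment is an open AP (see services.hostapd below),
  # so anyone in radio range can reach the listener on 192.168.5.1.
  services.openssh.listenAddresses = [
    { addr = "${wifiIPv4}.1"; port = 22; }
    { addr = "${eth1IPv4}.1"; port = 22; }
    { addr = "${eth2IPv4}.1"; port = 22; }
    { addr = "${eth3IPv4}.1"; port = 22; }
  ];

  environment.systemPackages = [
    pkgs.iw
    pkgs.modem-manager-gui
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 means the AP will search for the channel with the least interferences (ACS)
    channel = 1;
    hwMode = "g";
    ssid = hostName;
    # NOTE(review): wpa = false makes this an open, unencrypted AP. Anyone in
    # range gets a DHCP lease, DNS, the masqueraded WWAN uplink and the SSH
    # listener on 192.168.5.1, and all Wi-Fi traffic is readable over the air.
    # If that is not the intent, enable WPA2 with a passphrase sourced from a
    # secrets store rather than from this repository.
    wpa = false;
    #wpaPassphrase = "bidonpoissonmaisonronron";
    # NOTE(review): a passphrase committed in a comment is still a disclosed
    # credential; treat it as burned and keep secrets out of the tree.
    countryCode = "FR";
    extraConfig = ''
      # WLAN
      beacon_int=100
      # DTIM (delivery traffic indication message) period, in beacon intervals.
      # Kept on its own line: hostapd does not strip trailing "#" comments from
      # values (the old `dtim_period=2 # ...` form only worked because atoi()
      # stops at the first non-digit).
      dtim_period=2
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1

      # WPA2 (inactive while wpa = false above; the rekey/reauth settings
      # below only take effect once WPA/EAP is enabled)
      #wpa_key_mgmt=WPA-PSK
      #wpa_pairwise=CCMP
      #rsn_pairwise=CCMP
      #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      # 0 = accept any station unless it is listed in the deny file
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
      # stations that do not support HT (802.11n) are rejected
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };
}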