1 { config, pkgs, lib, hostName, ... }:
4 wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
9 wifiIPv4 = "192.168.5";
10 eth1IPv4 = "192.168.2";
11 eth2IPv4 = "192.168.3";
12 eth3IPv4 = "192.168.4";
16 ../../nixos/profiles/networking.nix
17 ../../nixos/profiles/dnscrypt-proxy2.nix
18 ../../nixos/profiles/wireguard/wg-intra.nix
19 networking/nftables.nix
21 install.substituteOnDestination = false;
22 networking.domain = "sourcephile.fr";
23 networking.useDHCP = false;
25 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
26 networking.nftables.ruleset = ''
27 add rule inet filter input iifname { ${wwanIface}, ${ftthIface} } jump net2fw
28 add rule inet filter input iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "net2fw: " counter drop
29 add rule inet filter output oifname { ${wwanIface}, ${ftthIface} } jump fw2net
30 add rule inet filter output oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "fw2net: " counter drop
32 add rule inet filter input iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump lan2fw
33 add rule inet filter input iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "lan2fw: " counter drop
34 add rule inet filter output oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump fw2lan
35 add rule inet filter output oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "fw2lan: " counter drop
38 add rule inet filter forward iifname ${wifiIface} oifname ${wwanIface} counter accept
39 add rule inet filter forward iifname ${wwanIface} oifname ${wifiIface} counter accept
40 add rule inet filter forward iifname ${eth1Iface} oifname ${wwanIface} counter accept
41 add rule inet filter forward iifname ${wwanIface} oifname ${eth1Iface} counter accept
42 add rule inet filter forward iifname ${eth2Iface} oifname ${wwanIface} counter accept
43 add rule inet filter forward iifname ${wwanIface} oifname ${eth2Iface} counter accept
44 add rule inet filter forward iifname ${eth3Iface} oifname ${wwanIface} counter accept
45 add rule inet filter forward iifname ${wwanIface} oifname ${eth3Iface} counter accept
48 add rule inet nat postrouting iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wwanIface} masquerade
51 add rule inet filter lan2fw meta l4proto { udp, tcp } th dport 53 counter accept comment "DNS"
52 add rule inet filter lan2fw meta l4proto { udp, tcp } th dport 67 counter accept comment "DHCP"
55 services.avahi.openFirewall = true;
56 services.dnscrypt-proxy2.settings.listen_addresses = [
64 networking.interfaces = {
70 ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
74 ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
78 ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
82 ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
87 systemd.services.dhcpd4 = {
89 "network-addresses-${wifiIface}.service"
90 "network-addresses-${eth1Iface}.service"
91 "network-addresses-${eth2Iface}.service"
92 "network-addresses-${eth3Iface}.service"
104 option subnet-mask 255.255.255.0;
106 option broadcast-address ${wifiIPv4}.255;
107 option routers ${wifiIPv4}.1;
108 option domain-name-servers ${wifiIPv4}.1;
109 subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
110 range ${wifiIPv4}.100 ${wifiIPv4}.200;
113 option broadcast-address ${eth1IPv4}.255;
114 option routers ${eth1IPv4}.1;
115 option domain-name-servers ${eth1IPv4}.1;
116 subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
117 range ${eth1IPv4}.100 ${eth1IPv4}.200;
120 option broadcast-address ${eth2IPv4}.255;
121 option routers ${eth2IPv4}.1;
122 option domain-name-servers ${eth2IPv4}.1;
123 subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
124 range ${eth2IPv4}.100 ${eth2IPv4}.200;
127 option broadcast-address ${eth3IPv4}.255;
128 option routers ${eth3IPv4}.1;
129 option domain-name-servers ${eth3IPv4}.1;
130 subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
131 range ${eth3IPv4}.100 ${eth3IPv4}.200;
136 systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
137 networking.networkmanager = {
147 environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
152 uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
155 permissions=user:julm:;
168 addr-gen-mode=stable-privacy
175 networking.wireguard.wg-intra.peers = {
176 mermet.enable = true;
177 losurdo.enable = true;
178 oignon.enable = true;
179 patate.enable = true;
182 services.openssh.listenAddresses = [
183 { addr = "${wifiIPv4}.1"; port = 22; }
184 { addr = "${eth1IPv4}.1"; port = 22; }
185 { addr = "${eth2IPv4}.1"; port = 22; }
186 { addr = "${eth3IPv4}.1"; port = 22; }
189 environment.systemPackages = [
191 pkgs.modem-manager-gui
194 # iw dev wlp4s0 station dump
195 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
199 interface = wifiIface;
200 # 0 means the AP will search for the channel with the least interference (ACS)
205 #wpaPassphrase = "bidonpoissonmaisonronron";
210 dtim_period=2 # DTIM (delivery trafic information message)
212 # limit the frequencies used to those allowed in the country
216 #wpa_key_mgmt=WPA-PSK
219 #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
221 # QoS support, also required for full speed on 802.11n/ac/ax
223 eap_reauth_period=360000
230 # See Capabilities in iw list
231 #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]