{ config, pkgs, lib, hostName, ... }:
# Networking for host "oignon": a NetworkManager-driven machine whose ethernet
# port and two wifi cards form the LAN side, masqueraded behind a WWAN modem.
# The nftables chains referenced below (net2fw, fw2net, lan2fw, fw2lan,
# fw2intra) are not defined in this file; they are expected to come from the
# imported profiles.
let
  # Kernel interface names specific to this machine's hardware.
  wifi1 = "wlp2s0";
  wifi2 = "wlp0s26u1u2";
  wwan = "wwp0s29u1u4";
  eth = "enp0s25";
  # IPv4 /24 prefix of the second wifi network; not referenced in this file
  # (presumably used by networking/nftables.nix — confirm).
  wifi2Net = "192.168.55";
  # nftables anonymous set covering every LAN-side interface.
  lan = "{ ${eth}, ${wifi1}, ${wifi2} }";
in
{
  imports = [
    ../../nixos/profiles/networking.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
    networking/nftables.nix
  ];

  install.substituteOnDestination = false;
  #networking.domain = "sourcephile.fr";
  # Addressing is handled by NetworkManager, not the NixOS DHCP client.
  networking.useDHCP = false;

  # The host relays traffic between its LAN interfaces and the WWAN uplink, so
  # kernel forwarding is on; the forward-chain rules below decide what is relayed.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Host-specific rules appended to the shared chains:
  # - traffic on the WWAN uplink is dispatched to net2fw / fw2net, and anything
  #   fw2net did not accept is logged with prefix "fw2net: " and dropped;
  # - LAN-side traffic is dispatched to lan2fw / fw2lan with the same
  #   log-and-drop fallback;
  # - fw2intra (presumably the host-to-wg-intra output chain from the
  #   wireguard profile) is opened for HTTP(S), git, ssh and mosh.
  # NOTE(review): the second forward rule accepts every packet relayed from the
  # WWAN side into the LAN, not only replies to LAN-initiated flows. Unless the
  # imported forward chain already limits WWAN-originated traffic to
  # `ct state established,related` before these rules are reached, that is
  # wider than a masquerading uplink needs — confirm against networking/nftables.nix.
  networking.nftables.ruleset = ''
    add rule inet filter input iifname { ${wwan} } goto net2fw
    add rule inet filter output oifname { ${wwan} } jump fw2net
    add rule inet filter output oifname { ${wwan} } log level warn prefix "fw2net: " counter drop

    add rule inet filter input iifname ${lan} jump lan2fw
    add rule inet filter input iifname ${lan} log level warn prefix "lan2fw: " counter drop
    add rule inet filter output oifname ${lan} jump fw2lan
    add rule inet filter output oifname ${lan} log level warn prefix "fw2lan: " counter drop

    # Forwarding
    add rule inet filter forward iifname ${lan} oifname ${wwan} counter accept
    add rule inet filter forward iifname ${wwan} oifname ${lan} counter accept

    # Masquerading
    add rule inet nat postrouting iifname ${lan} oifname ${wwan} masquerade

    # Wireguard wg-intra
    add rule inet filter fw2intra tcp dport { 80, 443 } counter accept comment "HTTP"
    add rule inet filter fw2intra tcp dport 9418 counter accept comment "Git"
    add rule inet filter fw2intra tcp dport ssh counter accept comment "SSH"
    add rule inet filter fw2intra udp dport 60001-60010 counter accept comment "Mosh"
  '';

  # No static interface configuration and nothing withheld from NetworkManager:
  # all interfaces declared above are left to NetworkManager.
  networking.interfaces = { };
  networking.networkmanager = {
    enable = true;
    unmanaged = [ ];
  };

  # Peers of the wg-intra tunnel this host talks to (option provided by the
  # imported wireguard/wg-intra.nix profile).
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    patate.enable = true;
    aubergine.enable = true;
  };

  # GSM (mobile data) profile for the Prixtel SIM, installed as a NetworkManager
  # keyfile. mode 600 keeps the installed file private, and autoconnect is off
  # with the profile restricted to user julm via the permissions= key.
  # NOTE(review): the text below is still part of the system closure, so keep
  # credentials out of it — it currently carries no PIN or password, which is
  # why this is acceptable.
  environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
    mode = "600";
    text = ''
      [connection]
      id=Prixtel
      uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
      type=gsm
      autoconnect=false
      permissions=user:julm:;

      [gsm]
      apn=sl2sfr
      number=*99#
      home-only=true

      [ppp]

      [ipv4]
      method=auto

      [ipv6]
      addr-gen-mode=stable-privacy
      method=disabled

      [proxy]
    '';
  };

  # NOTE(review): an empty list means no ListenAddress is emitted, so sshd keeps
  # its default of listening on all addresses unless a profile sets one — confirm
  # that the input chains above are the intended exposure control.
  services.openssh.listenAddresses = [ ];

  # Wireless diagnostics and a GUI for the modem.
  environment.systemPackages = [
    pkgs.iw
    pkgs.modem-manager-gui
  ];
}