aubergine: wireguard: move to port 43646
{ config, pkgs, lib, hostName, ... }:
let
  # Interface names and the first three octets of each LAN's IPv4 network
  # come from the shared names-and-numbers file; only these six are used here.
  inherit (import ./names-and-numbers.nix)
    eth1Iface eth2Iface eth3Iface
    eth1IPv4 eth2IPv4 eth3IPv4;

  # One entry per LAN, pairing the interface with its /24 network prefix.
  lans = [
    { iface = eth1Iface; net = eth1IPv4; }
    { iface = eth2Iface; net = eth2IPv4; }
    { iface = eth3Iface; net = eth3IPv4; }
  ];
  lanIfaces = map (lan: lan.iface) lans;
  lanNets = map (lan: lan.net) lans;

  # This host is the .1 address (gateway, resolver, DHCP server) of every LAN.
  gatewayOf = net: "${net}.1";

  # nftables anonymous set matching the three LAN interfaces,
  # rendered as "{ <eth1Iface>, <eth2Iface>, <eth3Iface> }".
  lanIfaceSet = "{ ${lib.concatStringsSep ", " lanIfaces} }";

  # Static IPv4 configuration for one LAN interface: no DHCP client,
  # the gateway address with a /24 prefix.
  lanInterface = net: {
    useDHCP = false;
    ipv4.addresses = [ { address = gatewayOf net; prefixLength = 24; } ];
  };

  # ISC dhcpd subnet declaration for one LAN: leases .100-.200, this host
  # advertised as both router and DNS server.
  dhcpdSubnet = net: ''
    subnet ${net}.0 netmask 255.255.255.0 {
      range ${net}.100 ${net}.200;
      option broadcast-address ${net}.255;
      option domain-name-servers ${gatewayOf net};
      option routers ${gatewayOf net};
      option subnet-mask 255.255.255.0;
    }
  '';
in
{
  # The resolver only answers on the LAN-side gateway addresses.
  services.dnscrypt-proxy2.settings.listen_addresses =
    map (net: "${gatewayOf net}:53") lanNets;

  networking.interfaces = lib.listToAttrs
    (map (lan: lib.nameValuePair lan.iface (lanInterface lan.net)) lans);

  networking.networkmanager = {
    #enable = true;
    # Keep NetworkManager's hands off the statically configured LAN ports.
    unmanaged = lanIfaces;
  };

  # mkAfter places this fragment after the rest of the ruleset, so the
  # input-lan / output-lan chains it jumps to (defined in another module,
  # not shown here) are expected to exist by the time these rules are parsed.
  # Any LAN packet that those chains return without a verdict falls through
  # to the next rule, where it is logged and dropped.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${lanIfaceSet} jump input-lan
        iifname ${lanIfaceSet} log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname ${lanIfaceSet} jump output-lan
        oifname ${lanIfaceSet} log level warn prefix "output-lan: " counter drop
      }
    }
  '';

  # NOTE(review): presumably re-applies the LAN addresses when dhcpd fails
  # (e.g. it started before they were up and could not bind) — confirm intent.
  systemd.services.dhcpd4.onFailure =
    map (iface: "network-addresses-${iface}.service") lanIfaces;

  # NOTE(review): ISC dhcpd is end-of-life upstream and no longer receives
  # security fixes, and newer NixOS releases have dropped services.dhcpd4;
  # consider migrating this to Kea.
  services.dhcpd4 = {
    enable = true;
    interfaces = lanIfaces;
    extraConfig = lib.concatStringsSep "\n" (map dhcpdSubnet lanNets);
  };

  # sshd is bound to the LAN gateway addresses only; it does not listen on
  # any other address of this host.
  services.openssh.listenAddresses =
    map (net: { addr = gatewayOf net; port = 22; }) lanNets;
}