{ lib, ... }:
let
  # Per-interface IPv4 prefixes (the "a.b.c" part; ".1" is this host, the gateway),
  # shared with the networking/*.nix modules below.
  inherit (import networking/names-and-numbers.nix) eth1IPv4 eth2IPv4 eth3IPv4 wifiIPv4;

  # Gateway address of every LAN segment on which the local resolver should answer.
  lanResolverAddrs = map (prefix: "${prefix}.1:53") [ eth1IPv4 eth2IPv4 eth3IPv4 wifiIPv4 ];
in
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ./wireguard.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
    ../../nixos/profiles/networking/ssh.nix
  ];

  install.substituteOnDestination = false;

  networking = {
    domain = "wg";
    # Interfaces are configured statically / by NetworkManager, not by the global DHCP client.
    useDHCP = false;
    networkmanager.enable = true;

    # This host routes between its LAN segments and the uplinks (ftth/lte), so
    # the forward hook is the security boundary: everything not explicitly
    # accepted by the per-direction chains is logged and dropped.  The chains
    # are appended (mkAfter) to the ruleset built in networking/nftables.nix,
    # which is presumably where the base table/hooks are declared — the
    # "forward-connectivity" chain referenced in the commented jumps is not
    # defined here.
    nftables.ruleset = lib.mkAfter ''
      table inet filter {
        chain forward-to-lan {
          #jump forward-connectivity
          counter accept
        }
        chain forward-to-net {
          #jump forward-connectivity
          counter accept
        }
        chain forward-from-net {
          ct state { established, related } accept
          log level warn prefix "forward-from-net: " counter drop
        }
        chain forward {
          log level warn prefix "forward: " counter drop
        }
      }
    '';
  };

  # Kernel-level packet forwarding is required for the router role above.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # mDNS/DNS-SD on the local link.  NOTE(review): openFirewall opens UDP/5353
  # in the NixOS firewall, and hinfo/workstation/addresses publish host details
  # (OS, CPU, addresses) to whoever can reach that port — confirm in
  # networking/nftables.nix that this is limited to the LAN interfaces and not
  # reachable from the ftth/lte uplinks.
  services.avahi = {
    enable = true;
    openFirewall = true;
    nssmdns = true;
    publish = {
      enable = true;
      addresses = true;
      domain = true;
      hinfo = true;
      userServices = true;
      workstation = true;
    };
  };

  # WARNING: settings.listen_addresses is not merged with the one from the
  # dnscrypt-proxy2 profile, hence the complete list must be defined here.
  # The resolver is bound to loopback and to the gateway address of each LAN
  # segment only; it is not exposed on the uplink addresses.
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
  ] ++ lanResolverAddrs;

  # NOTE(review): X11 forwarding widens the attack surface of every client that
  # connects with -X/-Y (a compromised server can reach the client's X session);
  # keep only if actually used from this router.
  services.openssh.settings.X11Forwarding = true;

  # Per-interface traffic accounting.
  services.vnstat.enable = true;

  # The SSH host key is handed to sshd as a systemd encrypted credential
  # (LoadCredentialEncrypted), so only the encrypted blob lives in the store
  # and the key is decrypted by systemd when the unit starts.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];
}
71 "host.key:${ssh/host.key.cred}"
72 ];
73 }