hosts/nan2gua1/networking.nix

   1 { pkgs, lib, ... }:
   2 {
   3   imports = [
   4     ../../nixos/profiles/dnscrypt-proxy2.nix
   5     ../../nixos/profiles/networking/ssh.nix
   6     ../../nixos/profiles/networking/wifi.nix
   7     ../../nixos/profiles/kubo.nix
   8     #../../nixos/profiles/openvpn/calyx.nix
   9     networking/nftables.nix
  10   ];
  11   install.substituteOnDestination = true;
  12   #networking.domain = "sourcephile.fr";
  13   networking.useDHCP = false;
  14
  15   services.tor = {
  16     relay = {
  17       /*
  18         role = "private-bridge";
  19         onionServices."radicle/1" = {
  20           map = [
  21             {
  22               port = 8776;
  23               target = {
  24                 port = 8777;
  25               };
  26             }
  27           ];
  28         };
  29       */
  30     };
  31     settings = {
  32       HashedControlPassword = lib.readFile tor/HashedControlPassword.clear;
  33       # https://metrics.torproject.org/rs.html#search/flag:exit%20country:be%20running:true
  34       # https://nusenu.github.io/OrNetStats/w/relay/58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.html
  35       MapAddress = [
  36         "*.gcp.cloud.es.io *.gcp.cloud.es.io.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  37         "*.redbee.live         *.redbee.live.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  38         "*.rtbf.be                 *.rtbf.be.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
  39       ];
  40       StrictNodes = true;
  41     };
  42   };
  43
  44   networking.nftables.ruleset = lib.mkAfter ''
  45     table inet filter {
  46       chain input {
  47         ip daddr 10.0.0.0/8 counter goto input-lan
  48         ip daddr 172.16.0.0/12 counter goto input-lan
  49         ip daddr 192.168.0.0/16 counter goto input-lan
  50         ip daddr 224.0.0.0/3 counter goto input-lan
  51         goto input-net
  52       }
  53       chain output {
  54         ip daddr 10.0.0.0/8 counter goto output-lan
  55         ip daddr 172.16.0.0/12 counter goto output-lan
  56         ip daddr 192.168.0.0/16 counter goto output-lan
  57         ip daddr 224.0.0.0/3 counter goto output-lan
  58         jump output-net
  59         log level warn prefix "output-net: " counter drop
  60       }
  61     }
  62   '';
  63
  64   networking.hosts = {
  65     #"80.67.180.129" = ["salons.sourcephile.fr"];
  66   };
  67
  68   networking.interfaces = { };
  69
  70   networking.networkmanager = {
  71     enable = true;
  72     unmanaged = [
  73     ];
  74   };
  75
  76   systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
  77     "host.key:${ssh/host.key.cred}"
  78   ];
  79
  80   programs.wireshark = {
  81     enable = true;
  82     package = pkgs.wireshark-qt;
  83   };
  84 }