3 with (import networking/names-and-numbers.nix);
7 networking/ethernet.nix
10 networking/nftables.nix
12 ../../nixos/profiles/dnscrypt-proxy2.nix
13 ../../nixos/profiles/wireguard/wg-intra.nix
14 ../../nixos/profiles/networking/ssh.nix
16 install.substituteOnDestination = false;
17 networking.domain = "wg";
18 networking.useDHCP = false;
20 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
21 networking.nftables.ruleset = mkAfter ''
23 chain forward-to-lan {
24 #jump forward-connectivity
27 chain forward-to-net {
28 #jump forward-connectivity
31 chain forward-from-net {
32 ct state { established, related } accept
33 log level warn prefix "forward-from-net: " counter drop
36 log level warn prefix "forward: " counter drop
41 services.avahi.enable = true;
42 services.avahi.openFirewall = true;
43 services.avahi.publish.enable = true;
44 # WARNING: settings.listen_addresses are not merged...
45 # hence there all defined here.
46 services.dnscrypt-proxy2.settings.listen_addresses = [
55 services.openssh.settings.X11Forwarding = true;
57 services.vnstat.enable = true;
59 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
60 "host.key:${ssh/host.key.cred}"