]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/aubergine/networking.nix
zfs: tweak boot settings
[julm/julm-nix.git] / hosts / aubergine / networking.nix
1 { lib, ... }:
2 with lib;
3 with (import networking/names-and-numbers.nix);
4 {
5 imports = [
6 networking/ftth.nix
7 networking/ethernet.nix
8 networking/wifi.nix
9 networking/lte.nix
10 networking/nftables.nix
11 ./wireguard.nix
12 ../../nixos/profiles/dnscrypt-proxy2.nix
13 ../../nixos/profiles/wireguard/wg-intra.nix
14 ../../nixos/profiles/networking/ssh.nix
15 ];
16 install.substituteOnDestination = false;
17 networking.domain = "wg";
18 networking.useDHCP = false;
19
20 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
21 networking.nftables.ruleset = mkAfter ''
22 table inet filter {
23 chain forward-to-lan {
24 #jump forward-connectivity
25 counter accept
26 }
27 chain forward-to-net {
28 #jump forward-connectivity
29 counter accept
30 }
31 chain forward-from-net {
32 ct state { established, related } accept
33 log level warn prefix "forward-from-net: " counter drop
34 }
35 chain forward {
36 log level warn prefix "forward: " counter drop
37 }
38 }
39 '';
40
41 services.avahi.enable = true;
42 services.avahi.openFirewall = true;
43 services.avahi.publish.enable = true;
44 # WARNING: settings.listen_addresses are not merged...
45 # hence there all defined here.
46 services.dnscrypt-proxy2.settings.listen_addresses = [
47 "127.0.0.1:53"
48 "[::1]:53"
49 "${eth1IPv4}.1:53"
50 "${eth2IPv4}.1:53"
51 "${eth3IPv4}.1:53"
52 "${wifiIPv4}.1:53"
53 ];
54
55 services.openssh.settings.X11Forwarding = true;
56
57 services.vnstat.enable = true;
58
59 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
60 "host.key:${ssh/host.key.cred}"
61 ];
62 }