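{ config, pkgs, lib, hostName, ... }:
let
  # Physical interfaces of this host.  The two "net" interfaces face the
  # upstream (untrusted) side, the four others the LAN side.
  wifiIface = "wlp5s0";
  wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
  ftthIface = "enp1s0";
  eth1Iface = "enp2s0";
  eth2Iface = "enp3s0";
  eth3Iface = "enp4s0";
  # First three octets of each LAN-side /24; this host is always ".1".
  wifiIPv4 = "192.168.5";
  eth1IPv4 = "192.168.2";
  eth2IPv4 = "192.168.3";
  eth3IPv4 = "192.168.4";
  # nftables anonymous sets grouping the interfaces by trust zone, so the
  # rules below cannot drift apart when an interface is added or renamed.
  netIfaces = "{ ${wwanIface}, ${ftthIface} }";
  lanIfaces = "{ ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} }";
  # Rate limit applied to every log-then-drop rule: unsolicited traffic from
  # the upstream side is attacker-controlled, so logging each packet without a
  # limit would let a flood fill the journal.  The drop itself stays
  # unconditional (separate rule), only the log line is rate limited.
  logLimit = "limit rate 10/minute burst 5 packets";
in
{
  imports = [
    networking/nftables.nix
    ../../nixos/profiles/networking.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
  ];
  install.substituteOnDestination = false;
  networking.domain = "sourcephile.fr";
  networking.useDHCP = false;

  # This host routes between the LAN-side interfaces and the upstream ones.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # Zone dispatch appended after the base ruleset.  The input-net / input-lan /
  # output-net / output-lan chains are not defined here; they are expected to
  # come from networking/nftables.nix (imported above).  Packets that return
  # from those chains without a verdict are logged (rate limited) and dropped;
  # traffic on any other interface (e.g. loopback, wg-intra) falls through to
  # the chain policy defined elsewhere.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${netIfaces} jump input-net
        iifname ${netIfaces} ${logLimit} log level warn prefix "input-net: "
        iifname ${netIfaces} counter drop

        iifname ${lanIfaces} jump input-lan
        iifname ${lanIfaces} ${logLimit} log level warn prefix "input-lan: "
        iifname ${lanIfaces} counter drop
      }
      chain output {
        oifname ${netIfaces} jump output-net
        oifname ${netIfaces} ${logLimit} log level warn prefix "output-net: "
        oifname ${netIfaces} counter drop

        oifname ${lanIfaces} jump output-lan
        oifname ${lanIfaces} ${logLimit} log level warn prefix "output-lan: "
        oifname ${lanIfaces} counter drop
      }
      # LAN -> upstream: everything is accepted, there is no egress filtering
      # at this point (the forward-connectivity hook is left disabled).
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      # upstream -> LAN: only replies to connections initiated from the LAN.
      chain forward-from-net {
        ct state { established, related } accept
        ${logLimit} log level warn prefix "forward-from-net: "
        counter drop
      }
      chain forward {
        iifname ${lanIfaces} oifname ${netIfaces} goto forward-to-net
        iifname ${netIfaces} oifname ${lanIfaces} goto forward-from-net
        ${logLimit} log level warn prefix "forward: "
        counter drop
      }
    }
    table inet nat {
      chain postrouting {
        # Source-NAT LAN clients behind this host's upstream addresses.
        iifname ${lanIfaces} oifname ${netIfaces} masquerade
      }
    }
  '';

  services.avahi.openFirewall = true;
  # The local resolver only listens on loopback and on this host's LAN-side
  # addresses; DHCP clients below are pointed at these ".1" addresses.
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
    "${wifiIPv4}.1:53"
    "${eth1IPv4}.1:53"
    "${eth2IPv4}.1:53"
    "${eth3IPv4}.1:53"
  ];
  networking.interfaces = {
    ${ftthIface} = {
      useDHCP = false;
    };
    ${wifiIface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
      ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl = "westwood"; }; } ];
    };
    ${eth1Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
    };
    ${eth2Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
    };
    ${eth3Iface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
    };
  };

  # When dhcpd4 fails, (re)start the address units of the LAN interfaces —
  # presumably because dhcpd4 cannot bind before those addresses exist; confirm.
  systemd.services.dhcpd4 = {
    onFailure = [
      "network-addresses-${wifiIface}.service"
      "network-addresses-${eth1Iface}.service"
      "network-addresses-${eth2Iface}.service"
      "network-addresses-${eth3Iface}.service"
    ];
  };
  # DHCP is served on the LAN-side interfaces only; each subnet hands out
  # .100-.200, with this host as router and DNS server.
  services.dhcpd4 = {
    enable = true;
    interfaces = [
      wifiIface
      eth1Iface
      eth2Iface
      eth3Iface
    ];
    extraConfig = ''
      subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
        range ${wifiIPv4}.100 ${wifiIPv4}.200;
        option broadcast-address ${wifiIPv4}.255;
        option domain-name-servers ${wifiIPv4}.1;
        option routers ${wifiIPv4}.1;
        option subnet-mask 255.255.255.0;
      }

      subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
        range ${eth1IPv4}.100 ${eth1IPv4}.200;
        option broadcast-address ${eth1IPv4}.255;
        option domain-name-servers ${eth1IPv4}.1;
        option routers ${eth1IPv4}.1;
        option subnet-mask 255.255.255.0;
      }

      subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
        range ${eth2IPv4}.100 ${eth2IPv4}.200;
        option broadcast-address ${eth2IPv4}.255;
        option domain-name-servers ${eth2IPv4}.1;
        option routers ${eth2IPv4}.1;
        option subnet-mask 255.255.255.0;
      }

      subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
        range ${eth3IPv4}.100 ${eth3IPv4}.200;
        option broadcast-address ${eth3IPv4}.255;
        option domain-name-servers ${eth3IPv4}.1;
        option routers ${eth3IPv4}.1;
        option subnet-mask 255.255.255.0;
      }
    '';
  };

  # NetworkManager is only used for the WWAN modem; every wired/wifi interface
  # is configured statically above and kept out of its hands.
  systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
  networking.networkmanager = {
    #enable = true;
    unmanaged = [
      ftthIface
      wifiIface
      eth1Iface
      eth2Iface
      eth3Iface
    ];
  };
  # Mobile-data profile for the WWAN modem.  Mode 600 keeps the profile
  # root-only even though it currently carries no credentials.
  environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
    mode = "600";
    text = ''
      [connection]
      id=Prixtel
      uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
      type=gsm
      autoconnect=true
      permissions=user:julm:;

      [gsm]
      apn=sl2sfr
      number=*99#
      #home-only=true

      [ppp]

      [ipv4]
      method=auto

      [ipv6]
      addr-gen-mode=stable-privacy
      method=auto

      [proxy]
    '';
  };

  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };

  # sshd binds only to the LAN-side ".1" addresses, so it is not reachable
  # through the upstream interfaces' addresses.
  services.openssh.listenAddresses = [
    { addr = "${wifiIPv4}.1"; port = 22; }
    { addr = "${eth1IPv4}.1"; port = 22; }
    { addr = "${eth2IPv4}.1"; port = 22; }
    { addr = "${eth3IPv4}.1"; port = 22; }
  ];

  environment.systemPackages = [
    pkgs.iw
    pkgs.modem-manager-gui
    pkgs.libmbim
    pkgs.chatty
    pkgs.calls
  ];

  # iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 means the AP will search for the channel with the least interferences (ACS)
    channel = 1;
    hwMode = "g";
    ssid = hostName;
    # NOTE(review): wpa = false makes this an open AP: frames are neither
    # authenticated nor encrypted, and any station can join the wifi LAN
    # (192.168.5.0/24, which the forward chain above routes to the upstream
    # without filtering).  The commented-out passphrase and the wpa_* rekey
    # settings in extraConfig only take effect once WPA is turned back on.
    wpa = false;
    #wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1

      # WPA2
      #wpa_key_mgmt=WPA-PSK
      #wpa_pairwise=CCMP
      #rsn_pairwise=CCMP
      #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };
}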