aubergine: sftp: do not bind on off2

[julm/julm-nix.git] / hosts / aubergine / networking.nix

{ pkgs, lib, ... }:
with (import networking/names-and-numbers.nix);
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/networking/ssh.nix
  ];
  install.substituteOnDestination = false;
  networking.domain = "sp";
  networking.useDHCP = false;

  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain forward-to-lan {
        #jump forward-connectivity
        counter accept
      }
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      chain forward-from-net {
        ct state established accept
        ct state related accept
        log level warn prefix "forward-from-net: " counter drop
      }
      chain forward {
        log level warn prefix "forward: " counter drop
      }
    }
  '';

  networking.networkmanager.enable = true;
  services.avahi = {
    enable = true;
    openFirewall = true;
    publish = {
      enable = true;
      addresses = true;
      domain = true;
      hinfo = true;
      userServices = true;
      workstation = true;
    };
    reflector = true;
  };
  # WARNING: settings.listen_addresses are not merged...
  # hence there all defined here.
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
    "${eth1IPv4}.1:53"
    "${eth2IPv4}.1:53"
    "${eth3IPv4}.1:53"
    "${wifiIPv4}.1:53"
  ];

  services.openssh.settings.X11Forwarding = true;

  services.vnstat.enable = true;

  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  programs.wireshark = {
    enable = true;
    package = pkgs.wireshark-cli;
  };
}