1 { config, pkgs, lib, hostName, ... }:
4 wwanIface = "wwp0s19u1u3i3"; # interface name the modem exposes after being switched into its network-adapter configuration with: usb_modeswitch -W -v 12d1 -p 1573 -u 1
9 wifiIPv4 = "192.168.5";
10 eth1IPv4 = "192.168.2";
11 eth2IPv4 = "192.168.3";
12 eth3IPv4 = "192.168.4";
16 networking/nftables.nix
17 ../../nixos/profiles/networking.nix
18 ../../nixos/profiles/dnscrypt-proxy2.nix
19 ../../nixos/profiles/wireguard/wg-intra.nix
21 install.substituteOnDestination = false;
22 networking.domain = "sourcephile.fr";
23 networking.useDHCP = false;
25 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
26 networking.nftables.ruleset = lib.mkAfter ''
29 iifname { ${wwanIface}, ${ftthIface} } jump input-net
30 iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
32 iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
33 iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
36 oifname { ${wwanIface}, ${ftthIface} } jump output-net
37 oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
39 oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
40 oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
42 chain forward-to-net {
43 #jump forward-connectivity
46 chain forward-from-net {
47 ct state { established, related } accept
48 log level warn prefix "forward-from-net: " counter drop
51 iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
52 iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
53 log level warn prefix "forward: " counter drop
58 iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
63 services.avahi.openFirewall = true;
64 services.dnscrypt-proxy2.settings.listen_addresses = [
72 networking.interfaces = {
78 ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
79 ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl="westwood";}; } ];
83 ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
87 ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
91 ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
96 systemd.services.dhcpd4 = {
98 "network-addresses-${wifiIface}.service"
99 "network-addresses-${eth1Iface}.service"
100 "network-addresses-${eth2Iface}.service"
101 "network-addresses-${eth3Iface}.service"
113 option subnet-mask 255.255.255.0;
115 option broadcast-address ${wifiIPv4}.255;
116 option routers ${wifiIPv4}.1;
117 option domain-name-servers ${wifiIPv4}.1;
118 subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
119 range ${wifiIPv4}.100 ${wifiIPv4}.200;
122 option broadcast-address ${eth1IPv4}.255;
123 option routers ${eth1IPv4}.1;
124 option domain-name-servers ${eth1IPv4}.1;
125 subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
126 range ${eth1IPv4}.100 ${eth1IPv4}.200;
129 option broadcast-address ${eth2IPv4}.255;
130 option routers ${eth2IPv4}.1;
131 option domain-name-servers ${eth2IPv4}.1;
132 subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
133 range ${eth2IPv4}.100 ${eth2IPv4}.200;
136 option broadcast-address ${eth3IPv4}.255;
137 option routers ${eth3IPv4}.1;
138 option domain-name-servers ${eth3IPv4}.1;
139 subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
140 range ${eth3IPv4}.100 ${eth3IPv4}.200;
145 systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
146 networking.networkmanager = {
156 environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
161 uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
164 permissions=user:julm:;
177 addr-gen-mode=stable-privacy
184 networking.wireguard.wg-intra.peers = {
185 mermet.enable = true;
186 losurdo.enable = true;
187 oignon.enable = true;
188 patate.enable = true;
191 services.openssh.listenAddresses = [
192 { addr = "${wifiIPv4}.1"; port = 22; }
193 { addr = "${eth1IPv4}.1"; port = 22; }
194 { addr = "${eth2IPv4}.1"; port = 22; }
195 { addr = "${eth3IPv4}.1"; port = 22; }
198 environment.systemPackages = [
200 pkgs.modem-manager-gui
207 # iw dev wlp5s0 station dump
208 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
212 interface = wifiIface;
213 # 0 enables ACS (automatic channel selection): hostapd scans the band and picks the channel with the least interference
218 #wpaPassphrase = "bidonpoissonmaisonronron"; # NOTE(review): never put the PSK inline, even commented out — a literal here lands in VCS history and, once enabled through this option, in the world-readable Nix store; keep it in a secret file outside the repo and rotate it if this value was ever real.
223 # DTIM period in beacon intervals (Delivery Traffic Indication Message). hostapd does not strip trailing "#" comments from values, so comments must stay on their own line.
dtim_period=2
225 # limit the frequencies used to those allowed in the country
229 #wpa_key_mgmt=WPA-PSK
232 #auth_algs=1 # bitfield of 802.11 authentication algorithms: 1=Open System (the one WPA/WPA2 uses), 2=Shared Key (WEP only), 3=both (hostapd's default); 0 is not a valid value
234 # WMM (QoS) support; 802.11n/ac/ax require WMM to use HT/VHT/HE rates, so disabling it caps throughput
236 eap_reauth_period=360000
243 # Only list capabilities the card reports under "Capabilities" in `iw list`; hostapd rejects ht_capab entries the driver does not support
244 #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]