hosts/aubergine/networking.nix

   1 { config, pkgs, lib, hostName, ... }:
   2 let
   3   wifiIface = "wlp5s0";
   4   wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
   5   ftthIface = "enp1s0";
   6   eth1Iface = "enp2s0";
   7   eth2Iface = "enp3s0";
   8   eth3Iface = "enp4s0";
   9   wifiIPv4 = "192.168.5";
  10   eth1IPv4 = "192.168.2";
  11   eth2IPv4 = "192.168.3";
  12   eth3IPv4 = "192.168.4";
  13 in
  14 {
  15 imports = [
  16   networking/nftables.nix
  17   ../../nixos/profiles/networking.nix
  18   ../../nixos/profiles/dnscrypt-proxy2.nix
  19   ../../nixos/profiles/wireguard/wg-intra.nix
  20 ];
  21 install.substituteOnDestination = false;
  22 networking.domain = "sourcephile.fr";
  23 networking.useDHCP = false;
  24
  25 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  26 networking.nftables.ruleset = lib.mkAfter ''
  27   table inet filter {
  28     chain input {
  29       iifname { ${wwanIface}, ${ftthIface} } jump input-net
  30       iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
  31
  32       iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
  33       iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
  34     }
  35     chain output {
  36       oifname { ${wwanIface}, ${ftthIface} } jump output-net
  37       oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
  38
  39       oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
  40       oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
  41     }
  42     chain forward-to-net {
  43       #jump forward-connectivity
  44       counter accept
  45     }
  46     chain forward-from-net {
  47       ct state { established, related } accept
  48       log level warn prefix "forward-from-net: " counter drop
  49     }
  50     chain forward {
  51       iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
  52       iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
  53       log level warn prefix "forward: " counter drop
  54     }
  55   }
  56   table inet nat {
  57     chain postrouting {
  58       iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
  59     }
  60   }
  61 '';
  62
  63 services.avahi.openFirewall = true;
  64 services.dnscrypt-proxy2.settings.listen_addresses = [
  65   "127.0.0.1:53"
  66   "[::1]:53"
  67   "${wifiIPv4}.1:53"
  68   "${eth1IPv4}.1:53"
  69   "${eth2IPv4}.1:53"
  70   "${eth3IPv4}.1:53"
  71 ];
  72 networking.interfaces = {
  73   ${ftthIface} = {
  74     useDHCP = false;
  75   };
  76   ${wifiIface} = {
  77     useDHCP = false;
  78     ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
  79     ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl="westwood";}; } ];
  80   };
  81   ${eth1Iface} = {
  82     useDHCP = false;
  83     ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
  84   };
  85   ${eth2Iface} = {
  86     useDHCP = false;
  87     ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
  88   };
  89   ${eth3Iface} = {
  90     useDHCP = false;
  91     ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
  92   };
  93 };
  94
  95
  96 systemd.services.dhcpd4 = {
  97   onFailure = [
  98     "network-addresses-${wifiIface}.service"
  99     "network-addresses-${eth1Iface}.service"
 100     "network-addresses-${eth2Iface}.service"
 101     "network-addresses-${eth3Iface}.service"
 102   ];
 103 };
 104 services.dhcpd4 = {
 105   enable = true;
 106   interfaces = [
 107     wifiIface
 108     eth1Iface
 109     eth2Iface
 110     eth3Iface
 111   ];
 112   extraConfig = ''
 113     option subnet-mask 255.255.255.0;
 114
 115     option broadcast-address ${wifiIPv4}.255;
 116     option routers ${wifiIPv4}.1;
 117     option domain-name-servers ${wifiIPv4}.1;
 118     subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
 119       range ${wifiIPv4}.100 ${wifiIPv4}.200;
 120     }
 121
 122     option broadcast-address ${eth1IPv4}.255;
 123     option routers ${eth1IPv4}.1;
 124     option domain-name-servers ${eth1IPv4}.1;
 125     subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
 126       range ${eth1IPv4}.100 ${eth1IPv4}.200;
 127     }
 128
 129     option broadcast-address ${eth2IPv4}.255;
 130     option routers ${eth2IPv4}.1;
 131     option domain-name-servers ${eth2IPv4}.1;
 132     subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
 133       range ${eth2IPv4}.100 ${eth2IPv4}.200;
 134     }
 135
 136     option broadcast-address ${eth3IPv4}.255;
 137     option routers ${eth3IPv4}.1;
 138     option domain-name-servers ${eth3IPv4}.1;
 139     subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
 140       range ${eth3IPv4}.100 ${eth3IPv4}.200;
 141     }
 142   '';
 143 };
 144
 145 systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
 146 networking.networkmanager = {
 147   #enable = true;
 148   unmanaged = [
 149     ftthIface
 150     wifiIface
 151     eth1Iface
 152     eth2Iface
 153     eth3Iface
 154   ];
 155 };
 156 environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
 157   mode = "600";
 158   text = ''
 159     [connection]
 160     id=Prixtel
 161     uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
 162     type=gsm
 163     autoconnect=true
 164     permissions=user:julm:;
 165
 166     [gsm]
 167     apn=sl2sfr
 168     number=*99#
 169     #home-only=true
 170
 171     [ppp]
 172
 173     [ipv4]
 174     method=auto
 175
 176     [ipv6]
 177     addr-gen-mode=stable-privacy
 178     method=auto
 179
 180     [proxy]
 181   '';
 182 };
 183
 184 networking.wireguard.wg-intra.peers = {
 185   mermet.enable = true;
 186   losurdo.enable = true;
 187   oignon.enable = true;
 188   patate.enable = true;
 189 };
 190
 191 services.openssh.listenAddresses = [
 192   { addr = "${wifiIPv4}.1"; port = 22; }
 193   { addr = "${eth1IPv4}.1"; port = 22; }
 194   { addr = "${eth2IPv4}.1"; port = 22; }
 195   { addr = "${eth3IPv4}.1"; port = 22; }
 196 ];
 197
 198 environment.systemPackages = [
 199   pkgs.iw
 200   pkgs.modem-manager-gui
 201   pkgs.libmbim
 202   pkgs.chatty
 203   pkgs.calls
 204   pkgs.dfeet
 205 ];
 206
 207 # iw dev wlp5s0 station dump
 208 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
 209 services.hostapd = {
 210   enable = true;
 211   logLevel = 2;
 212   interface = wifiIface;
 213   # 0 means the AP will search for the channel with the least interferences (ACS)
 214   channel = 1;
 215   hwMode = "g";
 216   ssid = hostName;
 217   wpa = false;
 218   #wpaPassphrase = "bidonpoissonmaisonronron";
 219   countryCode = "FR";
 220   extraConfig = ''
 221     # WLAN
 222     beacon_int=100
 223     dtim_period=2 # DTIM (delivery trafic information message)
 224     preamble=1
 225     # limit the frequencies used to those allowed in the country
 226     ieee80211d=1
 227
 228     # WPA2
 229     #wpa_key_mgmt=WPA-PSK
 230     #wpa_pairwise=CCMP
 231     #rsn_pairwise=CCMP
 232     #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
 233     macaddr_acl=0
 234     # QoS support, also required for full speed on 802.11n/ac/ax
 235     wmm_enabled=1
 236     eap_reauth_period=360000
 237     wpa_group_rekey=600
 238     wpa_ptk_rekey=600
 239     wpa_gmk_rekey=86400
 240
 241     # N-WLAN
 242     ieee80211n=1
 243     # See Capabilities in iw list
 244     #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
 245     require_ht=1
 246     obss_interval=0
 247
 248     # 802.11ac support
 249     ieee80211ac=0
 250   '';
 251 };
 252 }