{ pkgs, lib, config, ... }: with (import networking/names-and-numbers.nix); { imports = [ networking/ftth.nix networking/ethernet.nix networking/wifi.nix networking/lte.nix networking/nftables.nix ../../nixos/profiles/dnscrypt-proxy2.nix ../../nixos/profiles/printing.nix ../../nixos/profiles/networking/ssh.nix ]; install.substituteOnDestination = false; networking.domain = "sp"; networking.useDHCP = false; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking.nftables.ruleset = lib.mkAfter '' table inet filter { chain input-lan { meta l4proto { udp, tcp } th dport domain counter accept comment "DNS" meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP" } chain output-lan { meta skuid ${config.users.users."systemd-network".name} \ meta l4proto { udp, tcp } th sport bootps \ meta l4proto { udp, tcp } th dport bootpc \ counter accept comment "DHCP rebinding/renewing" } chain forward-to-lan { #jump forward-connectivity counter accept } chain forward-to-net { #jump forward-connectivity counter accept } chain forward-from-net { ct state established accept ct state related accept log level warn prefix "forward-from-net: " counter drop } chain forward { log level warn prefix "forward: " counter drop } } ''; networking.networkmanager.enable = true; services.avahi = { enable = true; openFirewall = true; publish = { enable = true; addresses = true; domain = true; hinfo = true; userServices = true; workstation = true; }; reflector = true; }; # WARNING: settings.listen_addresses are not merged... # hence there all defined here. services.dnscrypt-proxy2.settings.listen_addresses = [ "127.0.0.1:53" "[::1]:53" "${eth1IPv4}.1:53" "${eth2IPv4}.1:53" "${eth3IPv4}.1:53" "${wifiIPv4}.1:53" ]; services.openssh.settings.X11Forwarding = true; services.vnstat.enable = true; systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]; programs.wireshark = { enable = true; package = pkgs.wireshark-cli; }; }