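# NixOS module for a small home router/AP.
#
# Uplinks: a USB WWAN modem (wwanIface, driven by NetworkManager/ModemManager)
# and an FTTH Ethernet link (ftthIface).  LAN side: one Wi-Fi AP (hostapd on
# wifiIface) and three Ethernet segments, each its own /24 with this host at
# .1, serving DHCP (dhcpd4), DNS (dnscrypt-proxy2) and SSH on that address
# only.  Traffic is NATed (masquerade) from the LAN interfaces towards the
# uplinks; the nftables rules below are appended (lib.mkAfter) to the chains
# defined by the imported networking/nftables.nix.
{ config, pkgs, lib, hostName, ... }:
let
  wifiIface = "wlp5s0";
  wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
  ftthIface = "enp1s0";
  eth1Iface = "enp2s0";
  eth2Iface = "enp3s0";
  eth3Iface = "enp4s0";
  # /24 prefixes (first three octets); the router itself is .1 on each.
  wifiIPv4 = "192.168.5";
  eth1IPv4 = "192.168.2";
  eth2IPv4 = "192.168.3";
  eth3IPv4 = "192.168.4";
in
{
  imports = [
    networking/nftables.nix
    ../../nixos/profiles/networking.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
  ];
  install.substituteOnDestination = false;
  networking.domain = "sourcephile.fr";
  # Every interface is configured statically below; no DHCP client anywhere.
  networking.useDHCP = false;
  # Required for routing between the LAN segments and the uplinks.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # The input/output/forward chains and the input-net/input-lan/output-net/
  # output-lan targets are presumably declared (with their hooks and policies)
  # in networking/nftables.nix; only rules are added here.  Every jump is
  # followed by a logging drop, so anything the per-zone chain does not
  # accept is logged with a zone-specific prefix.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname { ${wwanIface}, ${ftthIface} } jump input-net
        iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
        iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
        iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname { ${wwanIface}, ${ftthIface} } jump output-net
        oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
        oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
        oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
      }
      # LAN -> uplink: everything is accepted (the forward-connectivity
      # filter is currently disabled).
      chain forward-to-net {
        #jump forward-connectivity
        counter accept
      }
      # uplink -> LAN: only replies to connections initiated from the LAN.
      chain forward-from-net {
        ct state { established, related } accept
        log level warn prefix "forward-from-net: " counter drop
      }
      # Forwarding between two LAN interfaces (e.g. Wi-Fi to an Ethernet
      # segment) matches neither rule and is therefore logged and dropped.
      chain forward {
        iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
        iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
        log level warn prefix "forward: " counter drop
      }
    }
    table inet nat {
      chain postrouting {
        iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
      }
    }
  '';

  services.avahi.openFirewall = true;

  # Resolver reachable from loopback and from the LAN .1 addresses only;
  # it is not bound to any uplink address.
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:53"
    "[::1]:53"
    "${wifiIPv4}.1:53"
    "${eth1IPv4}.1:53"
    "${eth2IPv4}.1:53"
    "${eth3IPv4}.1:53"
  ];

  # The FTTH uplink gets no address here (left to the imported profiles or to
  # NetworkManager); each LAN interface is statically .1/24.
  networking.interfaces = {
    ${ftthIface} = {
      useDHCP = false;
    };
    ${wifiIface} = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "${wifiIPv4}.1"; prefixLength = 24; }
      ];
    };
    ${eth1Iface} = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "${eth1IPv4}.1"; prefixLength = 24; }
      ];
    };
    ${eth2Iface} = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "${eth2IPv4}.1"; prefixLength = 24; }
      ];
    };
    ${eth3Iface} = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "${eth3IPv4}.1"; prefixLength = 24; }
      ];
    };
  };

  # If dhcpd4 fails, re-run the static address units for the LAN interfaces
  # (presumably because dhcpd cannot bind before the .1 addresses exist).
  systemd.services.dhcpd4 = {
    onFailure = [
      "network-addresses-${wifiIface}.service"
      "network-addresses-${eth1Iface}.service"
      "network-addresses-${eth2Iface}.service"
      "network-addresses-${eth3Iface}.service"
    ];
  };

  # One /24 pool (.100-.200) per LAN segment, with the router as gateway and
  # DNS server for each.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface eth1Iface eth2Iface eth3Iface ];
    extraConfig = ''
      # All LAN segments are /24.
      option subnet-mask 255.255.255.0;
      # Per-segment options are declared inside their subnet block: dhcpd's
      # global scope is not positional, so declaring them globally before
      # each subnet would give every segment the last declared values.
      subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
        option broadcast-address ${wifiIPv4}.255;
        option routers ${wifiIPv4}.1;
        option domain-name-servers ${wifiIPv4}.1;
        range ${wifiIPv4}.100 ${wifiIPv4}.200;
      }
      subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
        option broadcast-address ${eth1IPv4}.255;
        option routers ${eth1IPv4}.1;
        option domain-name-servers ${eth1IPv4}.1;
        range ${eth1IPv4}.100 ${eth1IPv4}.200;
      }
      subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
        option broadcast-address ${eth2IPv4}.255;
        option routers ${eth2IPv4}.1;
        option domain-name-servers ${eth2IPv4}.1;
        range ${eth2IPv4}.100 ${eth2IPv4}.200;
      }
      subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
        option broadcast-address ${eth3IPv4}.255;
        option routers ${eth3IPv4}.1;
        option domain-name-servers ${eth3IPv4}.1;
        range ${eth3IPv4}.100 ${eth3IPv4}.200;
      }
    '';
  };

  # The WWAN modem is handled by NetworkManager + ModemManager; all the
  # statically configured interfaces are kept out of NetworkManager's hands.
  systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
  networking.networkmanager = {
    #enable = true;
    unmanaged = [ ftthIface wifiIface eth1Iface eth2Iface eth3Iface ];
  };

  # Mobile (GSM) connection profile.  Mode 600 keeps it readable by root
  # only; "permissions=" restricts the connection to that user in NM.
  environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
    mode = "600";
    text = ''
      [connection]
      id=Prixtel
      uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
      type=gsm
      autoconnect=true
      permissions=user:julm:;

      [gsm]
      apn=sl2sfr
      number=*99#
      #home-only=true

      [ppp]

      [ipv4]
      method=auto

      [ipv6]
      addr-gen-mode=stable-privacy
      method=auto

      [proxy]
    '';
  };

  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };

  # SSH is reachable from the LAN .1 addresses only, never on an uplink.
  services.openssh.listenAddresses = [
    { addr = "${wifiIPv4}.1"; port = 22; }
    { addr = "${eth1IPv4}.1"; port = 22; }
    { addr = "${eth2IPv4}.1"; port = 22; }
    { addr = "${eth3IPv4}.1"; port = 22; }
  ];

  environment.systemPackages = [
    pkgs.iw
    pkgs.modem-manager-gui
  ];

  # iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 means the AP will search for the channel with the least interferences (ACS)
    channel = 1;
    hwMode = "g";
    ssid = hostName;
    # NOTE(review): wpa = false makes this an open, unencrypted AP; the WPA2
    # block in extraConfig is commented out, so the wpa_*_rekey settings
    # below have no effect until WPA is re-enabled.  Anything on this SSID
    # gets the same LAN access as a wired segment (see the forward chain).
    wpa = false;
    #wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # WPA2
      #wpa_key_mgmt=WPA-PSK
      #wpa_pairwise=CCMP
      #rsn_pairwise=CCMP
      #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400
      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
      require_ht=1
      obss_interval=0
      # 802.11ac support
      ieee80211ac=0
    '';
  };
}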