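# NixOS module: this host acts as router + DHCP/DNS server for three LAN
# segments (eth1/eth2/eth3), with matching nftables rules for those interfaces.
# Interface names and IPv4 prefixes come from the two sibling files below.
{ lib, ... }:
with (import ./names-and-numbers.nix);
# NOTE(review): `names-and-numbers.nix.clear` looks like a plaintext sibling of
# an encrypted file — confirm it is generated locally and not checked in.
with (import ./names-and-numbers.nix.clear);
let
  # The LAN segments this host serves; each gets the same per-interface
  # network unit and the same nftables treatment, so they are listed once here.
  lans = [
    { iface = eth1Iface; ipv4 = eth1IPv4; }
    { iface = eth2Iface; ipv4 = eth2IPv4; }
    { iface = eth3Iface; ipv4 = eth3IPv4; }
  ];

  lanIfaces = map (l: l.iface) lans;

  # nftables anonymous set literal covering every LAN interface,
  # e.g. `{ eth1, eth2, eth3 }`, used for iifname/oifname matches below.
  lanIfaceSet = "{ ${lib.concatStringsSep ", " lanIfaces} }";

  # systemd-networkd unit for one LAN segment: this host takes <prefix>.1/24,
  # runs a DHCP server handing out 20 leases from offset 100 (.100–.119) and
  # advertises itself as the DNS server. The link is not required for
  # "online" so an unplugged LAN port does not block boot-time wait-online.
  mkLanNetwork = { iface, ipv4 }: {
    name = iface;
    networkConfig = {
      Address = "${ipv4}.1/24";
      DHCPServer = true;
    };
    dhcpServerConfig = {
      DNS = "${ipv4}.1";
      EmitDNS = true;
      PoolOffset = 100;
      PoolSize = 20;
    };
    linkConfig = {
      RequiredForOnline = "no";
    };
  };
in
{
  # Debug-level networkd logging: presumably for troubleshooting DHCP/link
  # issues — it is verbose and records lease/client details in the journal,
  # so confirm it is intended for the deployed configuration.
  systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";

  systemd.network.enable = true;
  systemd.network.wait-online = { enable = false; };

  # One "10-<iface>" unit per LAN segment, all built from the same template.
  systemd.network.networks = lib.listToAttrs (map
    (lan: lib.nameValuePair "10-${lan.iface}" (mkLanNetwork lan))
    lans);

  # Keep NetworkManager from touching the networkd-managed LAN ports.
  networking.networkmanager = {
    unmanaged = lanIfaces;
  };

  # Appended after the rest of the ruleset: the base chains (input/output/
  # forward hooks and their policies) and the input-lan/output-lan chains are
  # declared outside this file; the rules here only add to them.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        # LAN traffic is decided in input-lan; anything it does not accept
        # is logged (rate/limit is left to the base chain) and dropped here.
        iifname ${lanIfaceSet} jump input-lan
        iifname ${lanIfaceSet} log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname ${lanIfaceSet} jump output-lan
        oifname ${lanIfaceSet} log level warn prefix "output-lan: " counter drop
      }
      chain forward-to-lan {
        # Empty for now: a LAN-to-LAN packet sent here via the goto below
        # falls through to the forward base chain's policy (set outside
        # this file), so inter-LAN forwarding is neither explicitly
        # allowed nor denied by these rules.
      }
      chain forward {
        iifname ${lanIfaceSet} oifname ${lanIfaceSet} goto forward-to-lan
      }
    }
  '';
}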