{ lib, ... }:

with lib;
with (import networking/names-and-numbers.nix);

{
  # Router profile: FTTH uplink, ethernet/wifi/LTE segments, nftables
  # filtering, WireGuard tunnels and a local resolver. Per-segment
  # addressing (eth1IPv4, wifiIPv4, ...) comes from names-and-numbers.nix.
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ./wireguard.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/wireguard/wg-intra.nix
    ../../nixos/profiles/networking/ssh.nix
  ];

  install.substituteOnDestination = false;

  networking = {
    domain = "wg";
    # Addresses are configured statically by the imported interface modules.
    useDHCP = false;

    # Appended after the base ruleset from networking/nftables.nix, which
    # presumably owns the base forward hook and dispatches into the
    # forward-to-lan / forward-to-net / forward-from-net chains -- confirm there.
    #
    # Note that the `jump forward-connectivity` in forward-to-lan and
    # forward-to-net is commented out, so both chains currently accept every
    # packet dispatched to them unconditionally. Only forward-from-net
    # restricts the uplink side to replies of existing flows; the trailing
    # forward rules log and drop whatever no dispatch chain accepted.
    nftables.ruleset = mkAfter ''
      table inet filter {
        chain forward-to-lan {
          #jump forward-connectivity
          counter accept
        }
        chain forward-to-net {
          #jump forward-connectivity
          counter accept
        }
        chain forward-from-net {
          ct state { established, related } accept
          log level warn prefix "forward-from-net: " counter drop
        }
        chain forward {
          log level warn prefix "forward: " counter drop
        }
      }
    '';
  };

  # Enable IPv4 routing between segments; which flows may cross is decided
  # solely by the forward chains above.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  services = {
    # mDNS advertisement for the LAN. openFirewall punches the mDNS port
    # through the NixOS firewall; whether that is scoped to LAN-side
    # interfaces depends on the imported nftables profile -- verify it is
    # not reachable from the uplink.
    avahi = {
      enable = true;
      openFirewall = true;
      publish.enable = true;
    };

    # WARNING: settings.listen_addresses are not merged across modules,
    # hence every listener is declared here. The resolver answers on
    # loopback and on the .1 gateway address of each LAN-side segment; the
    # uplink address is deliberately not in this list.
    dnscrypt-proxy2.settings.listen_addresses = [
      "127.0.0.1:53"
      "[::1]:53"
      "${eth1IPv4}.1:53"
      "${eth2IPv4}.1:53"
      "${eth3IPv4}.1:53"
      "${wifiIPv4}.1:53"
    ];

    # Per-interface traffic accounting.
    vnstat.enable = true;
  };

  # The SSH host key is shipped as a systemd encrypted credential: the
  # interpolated path puts only the ciphertext (.cred) into the Nix store,
  # and systemd decrypts it into sshd's credential directory at start.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];
}