# NixOS host module for a small home router / Wi-Fi access point.
# What this file sets up (everything else comes from the imports):
# - an nftables ruleset that splits interfaces into a "net" side (WWAN + FTTH)
#   and a "lan" side (Wi-Fi + three Ethernet ports), NATs LAN -> net and
#   logs+drops whatever is not explicitly handled;
# - static .1 addresses on each LAN /24, with dnscrypt-proxy2, dhcpd4 and sshd
#   bound to those LAN-side addresses only;
# - an hostapd access point on the Wi-Fi interface;
# - a GSM connection profile and the tooling around ModemManager.
# The chains `input-net`, `input-lan`, `output-net` and `output-lan` that the
# ruleset jumps to are NOT defined here; they presumably come from
# networking/nftables.nix -- review that file together with this one, since it
# decides what the router itself accepts from each side.
{ config, pkgs, lib, hostName, ... }:
let
# Interface names and the first three octets of each LAN /24.
# Each `...IPv4` prefix is reused for the interface address (.1), the DHCP pool
# (.100-.200) and the listen addresses of dnscrypt-proxy2 and sshd below.
wifiIface = "wlp5s0";
wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
ftthIface = "enp1s0";
eth1Iface = "enp2s0";
eth2Iface = "enp3s0";
eth3Iface = "enp4s0";
wifiIPv4 = "192.168.5";
eth1IPv4 = "192.168.2";
eth2IPv4 = "192.168.3";
eth3IPv4 = "192.168.4";
in
{
imports = [
networking/nftables.nix
../../nixos/profiles/networking.nix
../../nixos/profiles/dnscrypt-proxy2.nix
../../nixos/profiles/wireguard/wg-intra.nix
];
install.substituteOnDestination = false;
networking.domain = "sourcephile.fr";
# No DHCP client anywhere by default; every interface below is configured
# statically (the WWAN interface is not listed here -- presumably brought up by
# ModemManager/NetworkManager).
networking.useDHCP = false;
# IPv4 routing between the LAN and net sides; what is actually forwarded is
# decided by the `forward` chain below. No IPv6 forwarding sysctl is set in
# this file.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# Appended (mkAfter) to the ruleset coming from the nftables profile, so the
# chains referenced by `jump`/`goto` must already exist there.
# Policy as written:
# - input/output: dispatched per side to the imported chains; anything that
#   falls through is logged with a side-specific prefix and dropped;
# - forward: LAN -> net is accepted unconditionally (the forward-connectivity
#   hook is commented out inside the ruleset), net -> LAN only for
#   established/related connections, everything else logged and dropped;
# - nat: LAN -> net traffic is masqueraded behind the uplink address.
networking.nftables.ruleset = lib.mkAfter ''
table inet filter {
chain input {
iifname { ${wwanIface}, ${ftthIface} } jump input-net
iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
}
chain output {
oifname { ${wwanIface}, ${ftthIface} } jump output-net
oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
}
chain forward-to-net {
#jump forward-connectivity
counter accept
}
chain forward-from-net {
ct state { established, related } accept
log level warn prefix "forward-from-net: " counter drop
}
chain forward {
iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
log level warn prefix "forward: " counter drop
}
}
table inet nat {
chain postrouting {
iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
}
}
'';
# NOTE(review): this opens the mDNS ports in networking.firewall; whether that
# has any effect next to the custom nftables ruleset depends on the imported
# nftables profile -- confirm which mechanism is authoritative.
services.avahi.openFirewall = true;
# The resolver listens on loopback and on the router's LAN-side addresses
# only; nothing is bound on the uplinks.
services.dnscrypt-proxy2.settings.listen_addresses = [
"127.0.0.1:53"
"[::1]:53"
"${wifiIPv4}.1:53"
"${eth1IPv4}.1:53"
"${eth2IPv4}.1:53"
"${eth3IPv4}.1:53"
];
# Static addressing: the FTTH uplink gets no address here (presumably
# configured by the networking profile or by PPP), each LAN port is the .1 of
# its /24.
networking.interfaces = {
${ftthIface} = {
useDHCP = false;
};
${wifiIface} = {
useDHCP = false;
ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
};
${eth1Iface} = {
useDHCP = false;
ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
};
${eth2Iface} = {
useDHCP = false;
ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
};
${eth3Iface} = {
useDHCP = false;
ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
};
};
# When dhcpd4 fails (typically because a LAN address is not up yet), trigger
# the address units of the LAN interfaces so the next attempt can bind.
systemd.services.dhcpd4 = {
onFailure = [
"network-addresses-${wifiIface}.service"
"network-addresses-${eth1Iface}.service"
"network-addresses-${eth2Iface}.service"
"network-addresses-${eth3Iface}.service"
];
};
# DHCP for the four LAN /24s: pool .100-.200, router and DNS = the .1 of
# each subnet, i.e. this host.
services.dhcpd4 = {
enable = true;
interfaces = [
wifiIface
eth1Iface
eth2Iface
eth3Iface
];
# NOTE(review): the `option broadcast-address/routers/domain-name-servers`
# statements sit between the `subnet` blocks, i.e. at global scope, not inside
# them. If dhcpd applies last-wins for repeated global options, every subnet
# would be handed eth3's .1 as router and DNS; moving each trio inside its
# `subnet { ... }` block makes the intent unambiguous -- confirm against the
# leases actually handed out on the wifi/eth1/eth2 subnets.
extraConfig = ''
option subnet-mask 255.255.255.0;
option broadcast-address ${wifiIPv4}.255;
option routers ${wifiIPv4}.1;
option domain-name-servers ${wifiIPv4}.1;
subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
range ${wifiIPv4}.100 ${wifiIPv4}.200;
}
option broadcast-address ${eth1IPv4}.255;
option routers ${eth1IPv4}.1;
option domain-name-servers ${eth1IPv4}.1;
subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
range ${eth1IPv4}.100 ${eth1IPv4}.200;
}
option broadcast-address ${eth2IPv4}.255;
option routers ${eth2IPv4}.1;
option domain-name-servers ${eth2IPv4}.1;
subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
range ${eth2IPv4}.100 ${eth2IPv4}.200;
}
option broadcast-address ${eth3IPv4}.255;
option routers ${eth3IPv4}.1;
option domain-name-servers ${eth3IPv4}.1;
subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
range ${eth3IPv4}.100 ${eth3IPv4}.200;
}
'';
};
# NetworkManager is not enabled in this file (the line is commented out);
# if it is enabled elsewhere, the unmanaged list keeps it off the router's own
# interfaces so it only handles the modem, and ModemManager is pulled in
# alongside it.
systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
networking.networkmanager = {
#enable = true;
unmanaged = [
ftthIface
wifiIface
eth1Iface
eth2Iface
eth3Iface
];
};
# GSM (mobile broadband) profile for NetworkManager, presumably the uplink
# behind ${wwanIface}. mode 600 keeps the file root-only; the profile itself
# is restricted to user julm and carries no credential in this text.
environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
mode = "600";
text = ''
[connection]
id=Prixtel
uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
type=gsm
autoconnect=true
permissions=user:julm:;
[gsm]
apn=sl2sfr
number=*99#
#home-only=true
[ppp]
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
'';
};
# WireGuard peers enabled on the intra network defined by the imported
# wg-intra profile (keys and endpoints live there).
networking.wireguard.wg-intra.peers = {
mermet.enable = true;
losurdo.enable = true;
oignon.enable = true;
patate.enable = true;
};
# sshd listens on the LAN-side .1 addresses only; nothing on the uplinks.
services.openssh.listenAddresses = [
{ addr = "${wifiIPv4}.1"; port = 22; }
{ addr = "${eth1IPv4}.1"; port = 22; }
{ addr = "${eth2IPv4}.1"; port = 22; }
{ addr = "${eth3IPv4}.1"; port = 22; }
];
# Wi-Fi and modem tooling (calls/chatty use ModemManager over D-Bus, d-feet
# is a D-Bus inspector).
environment.systemPackages = [
pkgs.iw
pkgs.modem-manager-gui
pkgs.libmbim
pkgs.chatty
pkgs.calls
pkgs.dfeet
];
# Let local, active members of `dialout` use ModemManager's Voice API
# without an authentication prompt (presumably for the calls/chatty packages
# above); every other ModemManager action keeps the default policy.
security.polkit.extraConfig = ''
/* Allow calling for local dialout group members */
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.ModemManager1.Voice" &&
subject.local && subject.active && subject.isInGroup("dialout"))
{
return polkit.Result.YES;
}
});
'';
#services.dbus.apparmor = "enabled";
# NOTE(review): the system D-Bus socket unit is given a TCP listener on port
# 4444 bound to every address, and the extra config below names the ANONYMOUS
# auth mechanism. That text is bare lines rather than the <busconfig> XML
# dbus-daemon reads from system.d/, so confirm whether dbus-daemon accepts it
# at all (check its journal). Whatever is applied, a 0.0.0.0 listener is
# reachable from the net side unless input-net drops it, and from every LAN
# unless input-lan does; binding to one LAN address (192.168.5.1 as in the
# address line) or dropping 4444 in those chains limits the exposure of a
# bus that fronts ModemManager and other system services.
systemd.sockets.dbus.listenStreams = ["0.0.0.0:4444"];
services.dbus.packages = [
pkgs.dconf
(pkgs.writeTextDir "share/dbus-1/system.d/hack-system.conf" ''
tcp:host=192.168.5.1,bind=0.0.0.0,port=4444,family=ipv4
unix:tmpdir=/tmp
ANONYMOUS
'')
];
programs.dconf.enable = true;
# iw dev wlp5s0 station dump
# DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
# Access point on the Wi-Fi LAN. With `wpa = false` (and the WPA2 lines in
# extraConfig commented out) this is an open network: any client in range
# joins ${wifiIface} unauthenticated and the air traffic is unencrypted, so
# the input-lan / forward policy above is the only boundary between a Wi-Fi
# client and this host or the other LANs. 2.4 GHz (hwMode g), fixed channel 1,
# 802.11n required, no 802.11ac.
services.hostapd = {
enable = true;
logLevel = 2;
interface = wifiIface;
# 0 means the AP will search for the channel with the least interferences (ACS)
channel = 1;
hwMode = "g";
ssid = hostName;
wpa = false;
# NOTE(review): a passphrase kept in a comment is still in version control;
# treat it as disclosed and choose a fresh one if WPA is re-enabled.
#wpaPassphrase = "bidonpoissonmaisonronron";
countryCode = "FR";
extraConfig = ''
# WLAN
beacon_int=100
dtim_period=2 # DTIM (delivery trafic information message)
preamble=1
# limit the frequencies used to those allowed in the country
ieee80211d=1
# WPA2
#wpa_key_mgmt=WPA-PSK
#wpa_pairwise=CCMP
#rsn_pairwise=CCMP
#auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
macaddr_acl=0
# QoS support, also required for full speed on 802.11n/ac/ax
wmm_enabled=1
eap_reauth_period=360000
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400
# N-WLAN
ieee80211n=1
# See Capabilities in iw list
#ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
require_ht=1
obss_interval=0
# 802.11ac support
ieee80211ac=0
'';
};
}