hm: essential: add dust
[julm/julm-nix.git] / hosts / aubergine / networking.nix
index bedf5471b26b83dfaa92c0c6449c181d9ffaee27..e1d6955230e61b66f5d7f24b8a3191658708dd20 100644 (file)
@@ -1,48 +1,71 @@
-{ config, pkgs, lib, hostName, ... }:
+{ lib, ... }:
+with lib;
 with (import networking/names-and-numbers.nix);
 {
-imports = [
-  networking/ftth.nix
-  networking/ethernet.nix
-  networking/wifi.nix
-  networking/lte.nix
-  networking/nftables.nix
-  ../../nixos/profiles/networking.nix
-  ../../nixos/profiles/dnscrypt-proxy2.nix
-  ../../nixos/profiles/wireguard/wg-intra.nix
-];
-install.substituteOnDestination = false;
-networking.domain = "wg";
-networking.useDHCP = false;
+  imports = [
+    networking/ftth.nix
+    networking/ethernet.nix
+    networking/wifi.nix
+    networking/lte.nix
+    networking/nftables.nix
+    ../../nixos/profiles/dnscrypt-proxy2.nix
+    ../../nixos/profiles/networking/ssh.nix
+  ];
+  install.substituteOnDestination = false;
+  networking.domain = "wg";
+  networking.useDHCP = false;
 
-boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-networking.nftables.ruleset = lib.mkAfter ''
-  table inet filter {
-    chain forward-to-net {
-      #jump forward-connectivity
-      counter accept
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  networking.nftables.ruleset = mkAfter ''
+    table inet filter {
+      chain forward-to-lan {
+        #jump forward-connectivity
+        counter accept
+      }
+      chain forward-to-net {
+        #jump forward-connectivity
+        counter accept
+      }
+      chain forward-from-net {
+        ct state { established, related } accept
+        log level warn prefix "forward-from-net: " counter drop
+      }
+      chain forward {
+        log level warn prefix "forward: " counter drop
+      }
     }
-    chain forward-from-net {
-      ct state { established, related } accept
-      log level warn prefix "forward-from-net: " counter drop
-    }
-    chain forward {
-      log level warn prefix "forward: " counter drop
-    }
-  }
-'';
+  '';
+
+  networking.networkmanager.enable = true;
+  services.avahi = {
+    enable = true;
+    openFirewall = true;
+    nssmdns4 = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      domain = true;
+      hinfo = true;
+      userServices = true;
+      workstation = true;
+    };
+  };
+  # WARNING: settings.listen_addresses are not merged...
+  # hence there all defined here.
+  services.dnscrypt-proxy2.settings.listen_addresses = [
+    "127.0.0.1:53"
+    "[::1]:53"
+    "${eth1IPv4}.1:53"
+    "${eth2IPv4}.1:53"
+    "${eth3IPv4}.1:53"
+    "${wifiIPv4}.1:53"
+  ];
 
-services.avahi.openFirewall = true;
-services.dnscrypt-proxy2.settings.listen_addresses = [
-  "127.0.0.1:53"
-  "[::1]:53"
-];
+  services.openssh.settings.X11Forwarding = true;
 
-networking.wireguard.wg-intra.peers = {
-  mermet.enable = true;
-  losurdo.enable = true;
-  oignon.enable = true;
-  patate.enable = true;
-};
+  services.vnstat.enable = true;
 
+  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+    "host.key:${ssh/host.key.cred}"
+  ];
 }
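Review bot: The services.avahi block (openFirewall = true, publish.addresses/hinfo/workstation = true) carries no interface restriction, and this file imports networking/ftth.nix and networking/lte.nix, so unless those profiles already pin it the mDNS responder will presumably answer and advertise host details on the WAN-facing links as well; consider `services.avahi.allowInterfaces = [ "<lan-iface>" "<wifi-iface>" ];` (placeholders for the LAN/Wi-Fi interface names) and dropping `hinfo = true`, which publishes the CPU/OS string. `services.openssh.settings.X11Forwarding = true;` deserves a one-line comment naming the use case that needs it, since sshd defaults it off and it enlarges what a compromised server can do to a connecting client's display. The path literal in `"host.key:${ssh/host.key.cred}"` copies the .cred file into the world-readable Nix store, which is acceptable only because systemd-creds encrypted it with a host- or TPM-bound key — a comment stating that, and that the cleartext key must never be referenced as a path literal, would make the intent clear to the next maintainer. The comment above listen_addresses should read `# hence they are all defined here.`; note too that binding the resolver on the `${ethNIPv4}.1` and `${wifiIPv4}.1` addresses exposes it to every LAN client, which I assume the nftables ruleset in networking/nftables.nix already restricts. Finally, `with lib;` at file scope brings every lib name into scope for a single `mkAfter`; `inherit (lib) mkAfter;` or plain `lib.mkAfter` is the usual nixpkgs style and avoids shadowing.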