vim: use as defaultEditor
[julm/julm-nix.git] / hosts / aubergine / networking.nix
index 3728b9b6ab146edba040903928b7bee8ff44d616..8184ce6b01ac9a362e3233b143f6a0e113f2b6c2 100644 (file)
@@ -8,6 +8,7 @@ with (import networking/names-and-numbers.nix);
     networking/wifi.nix
     networking/lte.nix
     networking/nftables.nix
+    ./wireguard.nix
     ../../nixos/profiles/dnscrypt-proxy2.nix
     ../../nixos/profiles/wireguard/wg-intra.nix
     ../../nixos/profiles/networking/ssh.nix
@@ -19,6 +20,10 @@ with (import networking/names-and-numbers.nix);
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   networking.nftables.ruleset = mkAfter ''
     table inet filter {
+      chain forward-to-lan {
+        #jump forward-connectivity
+        counter accept
+      }
       chain forward-to-net {
         #jump forward-connectivity
         counter accept
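Review bot: The new `forward-to-lan` chain accepts every packet unconditionally (`counter accept`), with the `jump forward-connectivity` left commented out exactly as in the existing `forward-to-net`, so nothing in it distinguishes established/related replies from new inbound connections. If the accept-all is a deliberate placeholder while `forward-connectivity` is being developed, the comment should say so, e.g. `# TODO: re-enable jump forward-connectivity; accepts everything for now`. Where this chain is jumped from is outside the hunk, so whether it is reachable for traffic arriving on the LTE uplink cannot be confirmed here.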
@@ -36,16 +41,22 @@ with (import networking/names-and-numbers.nix);
   services.avahi.enable = true;
   services.avahi.openFirewall = true;
   services.avahi.publish.enable = true;
+  # WARNING: settings.listen_addresses are not merged...
+  # hence there all defined here.
   services.dnscrypt-proxy2.settings.listen_addresses = [
     "127.0.0.1:53"
     "[::1]:53"
+    "${eth1IPv4}.1:53"
+    "${eth2IPv4}.1:53"
+    "${eth3IPv4}.1:53"
+    "${wifiIPv4}.1:53"
   ];
 
-  networking.wireguard.wg-intra.peers = {
-    mermet.enable = true;
-    losurdo.enable = true;
-    oignon.enable = true;
-    patate.enable = true;
-  };
+  services.openssh.settings.X11Forwarding = true;
 
+  services.vnstat.enable = true;
+
+  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+    "host.key:${ssh/host.key.cred}"
+  ];
 }
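Review bot: The added `${eth1IPv4}.1:53` … `${wifiIPv4}.1:53` listeners (assuming these are /24 prefixes from names-and-numbers.nix) make dnscrypt-proxy2 reachable from every LAN and wifi client, but the hunk shows no matching nftables input rule limiting port 53 to those interfaces; presumably `networking/nftables.nix` handles it, and it is worth confirming the resolver is not also bound on an address the LTE uplink can reach. The comment above the list has a typo: `# hence they are all defined here.` Separately, `services.openssh.settings.X11Forwarding = true` widens sshd's surface on a router host; if a single client needs it, scoping it with a `Match User` block is narrower. The `host.key:${ssh/host.key.cred}` entry assumes an encrypted credential file next to this module, which the hunk does not show.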