htop: always overwrite config
[julm/julm-nix.git] / hosts / aubergine / networking.nix
index ad92bfba6567cf2385051f784f0596aae93015b1..e1d6955230e61b66f5d7f24b8a3191658708dd20 100644 (file)
-{ config, pkgs, lib, hostName, ... }:
-let
-  wifiIface = "wlp5s0";
-  wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
-  ftthIface = "enp1s0";
-  eth1Iface = "enp2s0";
-  eth2Iface = "enp3s0";
-  eth3Iface = "enp4s0";
-  wifiIPv4 = "192.168.5";
-  eth1IPv4 = "192.168.2";
-  eth2IPv4 = "192.168.3";
-  eth3IPv4 = "192.168.4";
-in
+{ lib, ... }:
+with lib;
+with (import networking/names-and-numbers.nix);
 {
-imports = [
-  networking/nftables.nix
-  ../../nixos/profiles/networking.nix
-  ../../nixos/profiles/dnscrypt-proxy2.nix
-  ../../nixos/profiles/wireguard/wg-intra.nix
-];
-install.substituteOnDestination = false;
-networking.domain = "sourcephile.fr";
-networking.useDHCP = false;
-
-boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-networking.nftables.ruleset = lib.mkAfter ''
-  table inet filter {
-    chain input {
-      iifname { ${wwanIface}, ${ftthIface} } jump input-net
-      iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
-
-      iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
-      iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
-    }
-    chain output {
-      oifname { ${wwanIface}, ${ftthIface} } jump output-net
-      oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
-
-      oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
-      oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
-    }
-    chain forward-to-net {
-      #jump forward-connectivity
-      counter accept
-    }
-    chain forward-from-net {
-      ct state { established, related } accept
-      log level warn prefix "forward-from-net: " counter drop
-    }
-    chain forward {
-      iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
-      iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
-      log level warn prefix "forward: " counter drop
-    }
-  }
-  table inet nat {
-    chain postrouting {
-      iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
-    }
-  }
-'';
-
-services.avahi.openFirewall = true;
-services.dnscrypt-proxy2.settings.listen_addresses = [
-  "127.0.0.1:53"
-  "[::1]:53"
-  "${wifiIPv4}.1:53"
-  "${eth1IPv4}.1:53"
-  "${eth2IPv4}.1:53"
-  "${eth3IPv4}.1:53"
-];
-networking.interfaces = {
-  ${ftthIface} = {
-    useDHCP = false;
-  };
-  ${wifiIface} = {
-    useDHCP = false;
-    ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
-    ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl="westwood";}; } ];
-  };
-  ${eth1Iface} = {
-    useDHCP = false;
-    ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
-  };
-  ${eth2Iface} = {
-    useDHCP = false;
-    ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
-  };
-  ${eth3Iface} = {
-    useDHCP = false;
-    ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
-  };
-};
-
-
-systemd.services.dhcpd4 = {
-  onFailure = [
-    "network-addresses-${wifiIface}.service"
-    "network-addresses-${eth1Iface}.service"
-    "network-addresses-${eth2Iface}.service"
-    "network-addresses-${eth3Iface}.service"
+  imports = [
+    networking/ftth.nix
+    networking/ethernet.nix
+    networking/wifi.nix
+    networking/lte.nix
+    networking/nftables.nix
+    ../../nixos/profiles/dnscrypt-proxy2.nix
+    ../../nixos/profiles/networking/ssh.nix
   ];
-};
-services.dhcpd4 = {
-  enable = true;
-  interfaces = [
-    wifiIface
-    eth1Iface
-    eth2Iface
-    eth3Iface
-  ];
-  extraConfig = ''
-    subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
-      range ${wifiIPv4}.100 ${wifiIPv4}.200;
-      option broadcast-address ${wifiIPv4}.255;
-      option domain-name-servers ${wifiIPv4}.1;
-      option routers ${wifiIPv4}.1;
-      option subnet-mask 255.255.255.0;
-    }
-
-    subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
-      range ${eth1IPv4}.100 ${eth1IPv4}.200;
-      option broadcast-address ${eth1IPv4}.255;
-      option domain-name-servers ${eth1IPv4}.1;
-      option routers ${eth1IPv4}.1;
-      option subnet-mask 255.255.255.0;
-    }
-
-    subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
-      range ${eth2IPv4}.100 ${eth2IPv4}.200;
-      option broadcast-address ${eth2IPv4}.255;
-      option domain-name-servers ${eth2IPv4}.1;
-      option routers ${eth2IPv4}.1;
-      option subnet-mask 255.255.255.0;
-    }
-
-    subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
-      range ${eth3IPv4}.100 ${eth3IPv4}.200;
-      option broadcast-address ${eth3IPv4}.255;
-      option domain-name-servers ${eth3IPv4}.1;
-      option routers ${eth3IPv4}.1;
-      option subnet-mask 255.255.255.0;
+  install.substituteOnDestination = false;
+  networking.domain = "wg";
+  networking.useDHCP = false;
+
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  networking.nftables.ruleset = mkAfter ''
+    table inet filter {
+      chain forward-to-lan {
+        #jump forward-connectivity
+        counter accept
+      }
+      chain forward-to-net {
+        #jump forward-connectivity
+        counter accept
+      }
+      chain forward-from-net {
+        ct state { established, related } accept
+        log level warn prefix "forward-from-net: " counter drop
+      }
+      chain forward {
+        log level warn prefix "forward: " counter drop
+      }
     }
   '';
-};
 
-systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
-networking.networkmanager = {
-  #enable = true;
-  unmanaged = [
-    ftthIface
-    wifiIface
-    eth1Iface
-    eth2Iface
-    eth3Iface
+  networking.networkmanager.enable = true;
+  services.avahi = {
+    enable = true;
+    openFirewall = true;
+    nssmdns4 = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      domain = true;
+      hinfo = true;
+      userServices = true;
+      workstation = true;
+    };
+  };
+  # WARNING: settings.listen_addresses are not merged...
+  # hence there all defined here.
+  services.dnscrypt-proxy2.settings.listen_addresses = [
+    "127.0.0.1:53"
+    "[::1]:53"
+    "${eth1IPv4}.1:53"
+    "${eth2IPv4}.1:53"
+    "${eth3IPv4}.1:53"
+    "${wifiIPv4}.1:53"
   ];
-};
-environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
-  mode = "600";
-  text = ''
-    [connection]
-    id=Prixtel
-    uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
-    type=gsm
-    autoconnect=true
-    permissions=user:julm:;
-
-    [gsm]
-    apn=sl2sfr
-    number=*99#
-    #home-only=true
-
-    [ppp]
-
-    [ipv4]
-    method=auto
-    dhcp-send-hostname=false
 
-    [ipv6]
-    method=auto
-    addr-gen-mode=stable-privacy
-    ip6-privacy=2
-    dhcp-send-hostname=false
+  services.openssh.settings.X11Forwarding = true;
 
-    [proxy]
-  '';
-};
-
-networking.wireguard.wg-intra.peers = {
-  mermet.enable = true;
-  losurdo.enable = true;
-  oignon.enable = true;
-  patate.enable = true;
-};
-
-services.openssh.listenAddresses = [
-  { addr = "${wifiIPv4}.1"; port = 22; }
-  { addr = "${eth1IPv4}.1"; port = 22; }
-  { addr = "${eth2IPv4}.1"; port = 22; }
-  { addr = "${eth3IPv4}.1"; port = 22; }
-];
-
-environment.systemPackages = [
-  pkgs.iw
-  pkgs.modem-manager-gui
-  pkgs.libmbim
-  pkgs.chatty
-  pkgs.calls
-  # https://gitlab.com/mobian1/callaudiod/-/issues/26
-  # https://gitlab.com/mobian1/callaudiod/-/issues/27
-  pkgs.callaudiod
-];
-
-# iw dev wlp5s0 station dump
-# DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
-services.hostapd = {
-  enable = true;
-  logLevel = 2;
-  interface = wifiIface;
-  # 0 means the AP will search for the channel with the least interferences (ACS)
-  channel = 1;
-  hwMode = "g";
-  ssid = hostName;
-  wpa = false;
-  #wpaPassphrase = "bidonpoissonmaisonronron";
-  countryCode = "FR";
-  extraConfig = ''
-    # WLAN
-    beacon_int=100
-    dtim_period=2 # DTIM (delivery trafic information message)
-    preamble=1
-    # limit the frequencies used to those allowed in the country
-    ieee80211d=1
+  services.vnstat.enable = true;
 
-    # WPA2
-    #wpa_key_mgmt=WPA-PSK
-    #wpa_pairwise=CCMP
-    #rsn_pairwise=CCMP
-    #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
-    macaddr_acl=0
-    # QoS support, also required for full speed on 802.11n/ac/ax
-    wmm_enabled=1
-    eap_reauth_period=360000
-    wpa_group_rekey=600
-    wpa_ptk_rekey=600
-    wpa_gmk_rekey=86400
-
-    # N-WLAN
-    ieee80211n=1
-    # See Capabilities in iw list
-    #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
-    require_ht=1
-    obss_interval=0
-
-    # 802.11ac support
-    ieee80211ac=0
-  '';
-};
+  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+    "host.key:${ssh/host.key.cred}"
+  ];
 }
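Review bot: The new `forward-to-lan` chain at the top of the nftables ruleset ends in an unconditional `counter accept` (the `#jump forward-connectivity` line is commented out), and nothing in this file dispatches into it or into `forward-to-net`/`forward-from-net` any more — that presumably moved to the imported `networking/{ftth,ethernet,wifi,lte}.nix`, so a reader of this file can no longer tell which ingress interfaces reach that accept without a state check. A comment above the chain would restore that, e.g. `# Entered from the forward rules in networking/*.nix; accepts everything, so those jumps must only match LAN-destined flows`. Two other new settings widen exposure and deserve a one-line justification each: `services.openssh.settings.X11Forwarding = true` lets a compromised server side reach the connecting client's display, and `services.avahi.publish.hinfo = true` together with the retained `openFirewall = true` advertises OS/CPU details to any link that receives the mDNS traffic; if avahi only needs to serve the LAN, `services.avahi.allowInterfaces = [ <LAN_IFACE_NAMES> ];` (placeholder — likely the `wifiIface`/`eth*Iface` values now in names-and-numbers.nix) would bound it. Finally, `"host.key:${ssh/host.key.cred}"` interpolates a path, which copies the file into the world-readable Nix store; that is acceptable only because it is the systemd-encrypted credential, so a comment such as `# .cred is the systemd-creds encrypted form; the plaintext host key must never be referenced here` next to the `LoadCredentialEncrypted` line would keep a future edit from swapping in the raw key.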