-{ config, pkgs, lib, hostName, ... }:
-let
- wifiIface = "wlp5s0";
- wwanIface = "wwp0s19u1u3i3"; # usb_modeswitch -W -v 12d1 -p 1573 -u 1
- ftthIface = "enp1s0";
- eth1Iface = "enp2s0";
- eth2Iface = "enp3s0";
- eth3Iface = "enp4s0";
- wifiIPv4 = "192.168.5";
- eth1IPv4 = "192.168.2";
- eth2IPv4 = "192.168.3";
- eth3IPv4 = "192.168.4";
-in
+{ lib, ... }:
+with lib;
+with (import networking/names-and-numbers.nix);
{
-imports = [
- networking/nftables.nix
- ../../nixos/profiles/networking.nix
- ../../nixos/profiles/dnscrypt-proxy2.nix
- ../../nixos/profiles/wireguard/wg-intra.nix
-];
-install.substituteOnDestination = false;
-networking.domain = "sourcephile.fr";
-networking.useDHCP = false;
-
-boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-networking.nftables.ruleset = lib.mkAfter ''
- table inet filter {
- chain input {
- iifname { ${wwanIface}, ${ftthIface} } jump input-net
- iifname { ${wwanIface}, ${ftthIface} } log level warn prefix "input-net: " counter drop
-
- iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump input-lan
- iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "input-lan: " counter drop
- }
- chain output {
- oifname { ${wwanIface}, ${ftthIface} } jump output-net
- oifname { ${wwanIface}, ${ftthIface} } log level warn prefix "output-net: " counter drop
-
- oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } jump output-lan
- oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } log level warn prefix "output-lan: " counter drop
- }
- chain forward-to-net {
- #jump forward-connectivity
- counter accept
- }
- chain forward-from-net {
- ct state { established, related } accept
- log level warn prefix "forward-from-net: " counter drop
- }
- chain forward {
- iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } goto forward-to-net
- iifname { ${wwanIface}, ${ftthIface} } oifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-net
- log level warn prefix "forward: " counter drop
- }
- }
- table inet nat {
- chain postrouting {
- iifname { ${wifiIface}, ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname { ${wwanIface}, ${ftthIface} } masquerade
- }
- }
-'';
-
-services.avahi.openFirewall = true;
-services.dnscrypt-proxy2.settings.listen_addresses = [
- "127.0.0.1:53"
- "[::1]:53"
- "${wifiIPv4}.1:53"
- "${eth1IPv4}.1:53"
- "${eth2IPv4}.1:53"
- "${eth3IPv4}.1:53"
-];
-networking.interfaces = {
- ${ftthIface} = {
- useDHCP = false;
- };
- ${wifiIface} = {
- useDHCP = false;
- ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
- ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl="westwood";}; } ];
- };
- ${eth1Iface} = {
- useDHCP = false;
- ipv4.addresses = [ { address = "${eth1IPv4}.1"; prefixLength = 24; } ];
- };
- ${eth2Iface} = {
- useDHCP = false;
- ipv4.addresses = [ { address = "${eth2IPv4}.1"; prefixLength = 24; } ];
- };
- ${eth3Iface} = {
- useDHCP = false;
- ipv4.addresses = [ { address = "${eth3IPv4}.1"; prefixLength = 24; } ];
- };
-};
-
-
-systemd.services.dhcpd4 = {
- onFailure = [
- "network-addresses-${wifiIface}.service"
- "network-addresses-${eth1Iface}.service"
- "network-addresses-${eth2Iface}.service"
- "network-addresses-${eth3Iface}.service"
+ imports = [
+ networking/ftth.nix
+ networking/ethernet.nix
+ networking/wifi.nix
+ networking/lte.nix
+ networking/nftables.nix
+ ../../nixos/profiles/dnscrypt-proxy2.nix
+ ../../nixos/profiles/networking/ssh.nix
];
-};
-services.dhcpd4 = {
- enable = true;
- interfaces = [
- wifiIface
- eth1Iface
- eth2Iface
- eth3Iface
- ];
- extraConfig = ''
- subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
- range ${wifiIPv4}.100 ${wifiIPv4}.200;
- option broadcast-address ${wifiIPv4}.255;
- option domain-name-servers ${wifiIPv4}.1;
- option routers ${wifiIPv4}.1;
- option subnet-mask 255.255.255.0;
- }
-
- subnet ${eth1IPv4}.0 netmask 255.255.255.0 {
- range ${eth1IPv4}.100 ${eth1IPv4}.200;
- option broadcast-address ${eth1IPv4}.255;
- option domain-name-servers ${eth1IPv4}.1;
- option routers ${eth1IPv4}.1;
- option subnet-mask 255.255.255.0;
- }
-
- subnet ${eth2IPv4}.0 netmask 255.255.255.0 {
- range ${eth2IPv4}.100 ${eth2IPv4}.200;
- option broadcast-address ${eth2IPv4}.255;
- option domain-name-servers ${eth2IPv4}.1;
- option routers ${eth2IPv4}.1;
- option subnet-mask 255.255.255.0;
- }
-
- subnet ${eth3IPv4}.0 netmask 255.255.255.0 {
- range ${eth3IPv4}.100 ${eth3IPv4}.200;
- option broadcast-address ${eth3IPv4}.255;
- option domain-name-servers ${eth3IPv4}.1;
- option routers ${eth3IPv4}.1;
- option subnet-mask 255.255.255.0;
+ install.substituteOnDestination = false;
+ networking.domain = "wg";
+ networking.useDHCP = false;
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.nftables.ruleset = mkAfter ''
+ table inet filter {
+ chain forward-to-lan {
+ #jump forward-connectivity
+ counter accept
+ }
+ chain forward-to-net {
+ #jump forward-connectivity
+ counter accept
+ }
+ chain forward-from-net {
+ ct state { established, related } accept
+ log level warn prefix "forward-from-net: " counter drop
+ }
+ chain forward {
+ log level warn prefix "forward: " counter drop
+ }
}
'';
-};
-systemd.services.NetworkManager.wants = [ "ModemManager.service" ];
-networking.networkmanager = {
- #enable = true;
- unmanaged = [
- ftthIface
- wifiIface
- eth1Iface
- eth2Iface
- eth3Iface
+ networking.networkmanager.enable = true;
+ services.avahi = {
+ enable = true;
+ openFirewall = true;
+ nssmdns4 = true;
+ publish = {
+ enable = true;
+ addresses = true;
+ domain = true;
+ hinfo = true;
+ userServices = true;
+ workstation = true;
+ };
+ };
+ # WARNING: settings.listen_addresses are not merged...
+ # hence there all defined here.
+ services.dnscrypt-proxy2.settings.listen_addresses = [
+ "127.0.0.1:53"
+ "[::1]:53"
+ "${eth1IPv4}.1:53"
+ "${eth2IPv4}.1:53"
+ "${eth3IPv4}.1:53"
+ "${wifiIPv4}.1:53"
];
-};
-environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = {
- mode = "600";
- text = ''
- [connection]
- id=Prixtel
- uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a
- type=gsm
- autoconnect=true
- permissions=user:julm:;
-
- [gsm]
- apn=sl2sfr
- number=*99#
- #home-only=true
-
- [ppp]
-
- [ipv4]
- method=auto
- dhcp-send-hostname=false
- [ipv6]
- method=auto
- addr-gen-mode=stable-privacy
- ip6-privacy=2
- dhcp-send-hostname=false
+ services.openssh.settings.X11Forwarding = true;
- [proxy]
- '';
-};
-
-networking.wireguard.wg-intra.peers = {
- mermet.enable = true;
- losurdo.enable = true;
- oignon.enable = true;
- patate.enable = true;
-};
-
-services.openssh.listenAddresses = [
- { addr = "${wifiIPv4}.1"; port = 22; }
- { addr = "${eth1IPv4}.1"; port = 22; }
- { addr = "${eth2IPv4}.1"; port = 22; }
- { addr = "${eth3IPv4}.1"; port = 22; }
-];
-
-environment.systemPackages = [
- pkgs.iw
- pkgs.modem-manager-gui
- pkgs.libmbim
- pkgs.chatty
- pkgs.calls
- # https://gitlab.com/mobian1/callaudiod/-/issues/26
- # https://gitlab.com/mobian1/callaudiod/-/issues/27
- pkgs.callaudiod
-];
-
-# iw dev wlp5s0 station dump
-# DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
-services.hostapd = {
- enable = true;
- logLevel = 2;
- interface = wifiIface;
- # 0 means the AP will search for the channel with the least interferences (ACS)
- channel = 1;
- hwMode = "g";
- ssid = hostName;
- wpa = false;
- #wpaPassphrase = "bidonpoissonmaisonronron";
- countryCode = "FR";
- extraConfig = ''
- # WLAN
- beacon_int=100
- dtim_period=2 # DTIM (delivery trafic information message)
- preamble=1
- # limit the frequencies used to those allowed in the country
- ieee80211d=1
+ services.vnstat.enable = true;
- # WPA2
- #wpa_key_mgmt=WPA-PSK
- #wpa_pairwise=CCMP
- #rsn_pairwise=CCMP
- #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
- macaddr_acl=0
- # QoS support, also required for full speed on 802.11n/ac/ax
- wmm_enabled=1
- eap_reauth_period=360000
- wpa_group_rekey=600
- wpa_ptk_rekey=600
- wpa_gmk_rekey=86400
-
- # N-WLAN
- ieee80211n=1
- # See Capabilities in iw list
- #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
- require_ht=1
- obss_interval=0
-
- # 802.11ac support
- ieee80211ac=0
- '';
-};
+ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+ "host.key:${ssh/host.key.cred}"
+ ];
}
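Review bot: The added `services.openssh.settings.X11Forwarding = true;` enables a feature a router has no obvious use for, and X11 forwarding mainly exposes the connecting client's display to whatever runs on this host, so unless a concrete workflow needs it the line should be dropped to keep the OpenSSH default `X11Forwarding no`. The old `services.openssh.listenAddresses` LAN-only binding is removed here and presumably moves into `../../nixos/profiles/networking/ssh.nix`, so it is worth confirming sshd is still not bound on the FTTH/LTE addresses. The avahi block now publishes `hinfo`, `workstation` and `userServices` while `openFirewall = true` opens UDP 5353 on every interface the NixOS firewall handles; on a box with WAN uplinks that should be narrowed to the LAN/Wi-Fi interfaces (e.g. `networking.firewall.interfaces.<lan>.allowedUDPPorts = [ 5353 ];`) or `hinfo` left off, since it advertises OS and CPU type. `LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]` copies the blob into the world-readable Nix store, which is acceptable only because it is systemd-creds encrypted and bound to this host's credential secret/TPM; the matching `HostKey $CREDENTIALS_DIRECTORY/host.key` is not visible in this hunk, so confirm it lives in ssh.nix. Finally the `forward` chain here keeps only the `log level warn prefix "forward: " counter drop` catch-all under `mkAfter`, so if the per-interface `goto forward-to-*` dispatch moved into ftth.nix/ethernet.nix/wifi.nix/lte.nix the merge order must guarantee those rules precede this drop (fail-closed otherwise), and the comment `hence there all defined here` should read "hence they are all defined here".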