-{ lib, ... }:
-with lib;
+{ pkgs, lib, config, ... }:
with (import networking/names-and-numbers.nix);
{
imports = [
networking/wifi.nix
networking/lte.nix
networking/nftables.nix
- ./wireguard.nix
../../nixos/profiles/dnscrypt-proxy2.nix
- ../../nixos/profiles/wireguard/wg-intra.nix
+ ../../nixos/profiles/printing.nix
../../nixos/profiles/networking/ssh.nix
];
install.substituteOnDestination = false;
- networking.domain = "wg";
+ networking.domain = "sp";
networking.useDHCP = false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.nftables.ruleset = mkAfter ''
+ networking.nftables.ruleset = lib.mkAfter ''
table inet filter {
+ chain input-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+ }
+ chain output-lan {
+ meta skuid ${config.users.users."systemd-network".name} \
+ meta l4proto { udp, tcp } th sport bootps \
+ meta l4proto { udp, tcp } th dport bootpc \
+ counter accept comment "DHCP rebinding/renewing"
+ }
chain forward-to-lan {
#jump forward-connectivity
counter accept
counter accept
}
chain forward-from-net {
- ct state { established, related } accept
+ ct state established accept
+ ct state related accept
log level warn prefix "forward-from-net: " counter drop
}
chain forward {
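Review bot: The new `input-lan` and `output-lan` chains added right after `table inet filter {` are regular (hook-less) chains, so they only filter anything if the base `input`/`output` chains jump to them, and no `jump input-lan` or `jump output-lan` appears in this hunk. If those jumps live in networking/nftables.nix that is fine, but a comment at each chain head such as `# entered via jump from the base input chain for LAN interfaces (see networking/nftables.nix)` would make the dependency visible to the next reader. The `meta skuid ${config.users.users."systemd-network".name}` reference also makes evaluation fail on a host where that user is not declared (it presumably only exists once systemd-networkd is enabled), which may be intended as a guard but deserves a one-line comment saying so. The ruleset string this hunk edits continues outside the hunk.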
services.avahi = {
enable = true;
openFirewall = true;
- nssmdns = true;
publish = {
enable = true;
addresses = true;
userServices = true;
workstation = true;
};
+ reflector = true;
};
# WARNING: settings.listen_addresses are not merged...
# hence there all defined here.
systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
"host.key:${ssh/host.key.cred}"
];
+
+ programs.wireshark = {
+ enable = true;
+ package = pkgs.wireshark-cli;
+ };
}
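Review bot: `reflector = true` in the `services.avahi` block, combined with the existing `openFirewall = true`, makes avahi relay mDNS between every interface on the host, and nothing in this change restricts it; with wifi.nix and lte.nix imported that presumably includes the LTE uplink, where reflected LAN service announcements would be exposed. Restricting the reflector to the intended segments, e.g. `allowInterfaces = [ "<lan-interface>" "<wifi-interface>" ];` (placeholders) or a `denyInterfaces` entry for the uplink, keeps it on the LAN side only. Removing `nssmdns` also drops mDNS host resolution via NSS unless it is configured elsewhere; a short comment stating where (or why it is no longer wanted) would help. The new `programs.wireshark` block enables the capture wrapper for members of the `wireshark` group, so it is worth noting in a comment which users are expected to be in that group.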