From 93f30ed6af3fd6507cc8956e1142d49e313e1a7f Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 4 Oct 2022 22:34:44 +0200 Subject: [PATCH 01/16] install: delete 7 days old systems --- install | 1 + 1 file changed, 1 insertion(+) diff --git a/install b/install index 2cc2731..6ae60de 100755 --- a/install +++ b/install @@ -6,3 +6,4 @@ git rm -rf --cached --ignore-unmatch private/root private/hosts/*/root # prevent sudo ln -sfn "$PWD/private/root" /root/private # To build offline, use: --offline sudo time nixos-rebuild switch --flake . "$@" +sudo nix-env --delete-generations 7d --profile /nix/var/nix/profiles/system -- 2.44.1 From 2da317df13f2ec09888549f69995e4f07bc35619 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:10:02 +0200 Subject: [PATCH 02/16] nftables: polish --- hosts/aubergine/networking.nix | 2 +- hosts/oignon/networking/nftables.nix | 8 ++++-- nixos/profiles/networking.nix | 4 +-- nixos/profiles/networking/nftables.txt | 2 +- nixos/profiles/wireguard/wg-intra.nix | 39 +++++++++++++------------- 5 files changed, 29 insertions(+), 26 deletions(-) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index ed1f7ce..8433725 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -199,7 +199,7 @@ environment.systemPackages = [ pkgs.modem-manager-gui ]; -# iw dev wlp4s0 station dump +# iw dev wlp5s0 station dump # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf services.hostapd = { enable = true; diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix index 18957b5..98c3c7a 100644 --- a/hosts/oignon/networking/nftables.nix +++ b/hosts/oignon/networking/nftables.nix 
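Review bot: The added `nix-env --delete-generations 7d` line runs even when the preceding `nixos-rebuild switch` fails, since the two commands are not chained and no `set -e` is visible; pruning older generations right after a failed switch removes exactly the rollback targets you would want at that moment. Chain them instead: `sudo time nixos-rebuild switch --flake . "$@" && sudo nix-env --delete-generations 7d --profile /nix/var/nix/profiles/system`. As far as I can tell nix-env also does not regenerate the bootloader menu, so entries for the deleted generations linger until the next rebuild; a comment like `# Boot-menu entries for removed generations stay until the next nixos-rebuild` would avoid surprise. The start of the script is outside this hunk.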
@@ -14,24 +14,26 @@ networking.nftables = { table inet filter { chain input-intra { tcp dport { ssh, 2222 } counter accept comment "SSH" - udp dport 60000-61000 counter accept comment "Mosh" + udp dport 60001-60010 counter accept comment "Mosh" } chain input-net { } chain output-lan { tcp dport { ssh, 2222 } counter accept comment "SSH" + udp dport 60001-60100 counter accept comment "Mosh" tcp dport bootps counter accept comment "DHCP" + tcp dport { 4444, 5555 } counter accept } chain output-intra { tcp dport { ssh, 2222 } counter accept comment "SSH" - udp dport 60001-60010 counter accept comment "Mosh" + udp dport 60001-60100 counter accept comment "Mosh" tcp dport { http, https } counter accept comment "HTTP" tcp dport git counter accept comment "Git" } chain output-net { tcp dport { ssh, 2222 } counter accept comment "SSH" - udp dport 60001-60010 counter accept comment "Mosh" + udp dport 60001-60100 counter accept comment "Mosh" udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP" meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2" tcp dport { http, https } counter accept comment "HTTP" diff --git a/nixos/profiles/networking.nix b/nixos/profiles/networking.nix index cbff6a1..2dee8af 100644 --- a/nixos/profiles/networking.nix +++ b/nixos/profiles/networking.nix @@ -39,13 +39,13 @@ services.avahi = { networking.nftables.ruleset = lib.mkIf config.services.avahi.enable ('' table inet filter { chain output-lan { - skuid root udp sport 5353 udp dport 5353 comment "Avahi" + skuid root udp sport mdns udp dport mdns comment "avahi: multicast DNS" } } '' + lib.optionalString config.services.avahi.openFirewall '' table inet filter { chain input-lan { - udp dport 5353 comment "Avahi" + udp dport mdns comment "avahi: multicast DNS" } } ''); diff --git a/nixos/profiles/networking/nftables.txt b/nixos/profiles/networking/nftables.txt index 4ab0738..8d2be5a 100644 --- a/nixos/profiles/networking/nftables.txt 
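Review bot: The new `tcp dport { 4444, 5555 } counter accept` rule in chain output-lan is the only rule in the hunk without a `comment`, so nothing records which service these ports serve; 4444 matches the D-Bus TCP port a later patch in this series binds, and 5555 is unexplained. Add a comment naming the purpose, e.g. `tcp dport { 4444, 5555 } counter accept comment "<service>"`, or drop the rule if it only served the dbus experiment. The Mosh ranges also diverge — input-intra narrows to 60001-60010 while every output chain widens to 60001-60100 — which may be intended (the input range must match the local mosh-server port range) but deserves a one-line note.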
+++ b/nixos/profiles/networking/nftables.txt @@ -177,7 +177,7 @@ table inet filter { chain output-connectivity { ip protocol icmp counter accept - meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute" + skuid root udp dport 33434-33523 counter accept comment "traceroute" meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6 diff --git a/nixos/profiles/wireguard/wg-intra.nix b/nixos/profiles/wireguard/wg-intra.nix index 6686dea..bbb9ee6 100644 --- a/nixos/profiles/wireguard/wg-intra.nix +++ b/nixos/profiles/wireguard/wg-intra.nix @@ -1,18 +1,18 @@ { pkgs, lib, config, hostName, credentials, ... }: let - iface = "wg-intra"; + wgIface = "wg-intra"; peers = import wg-intra/peers.nix; - wg = config.networking.wireguard.interfaces.${iface}; + wg = config.networking.wireguard.interfaces.${wgIface}; in { # Each peer select the other peers allowed to connect to it -options.networking.wireguard.${iface}.peers = +options.networking.wireguard.${wgIface}.peers = lib.genAttrs (lib.attrNames peers) (peerName: { enable = lib.mkEnableOption "this peer"; }); config = { -systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${iface}/privateKey.secret"; -networking.wireguard.interfaces.${iface} = lib.recursiveUpdate +systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${wgIface}/privateKey.secret"; +networking.wireguard.interfaces.${wgIface} = lib.recursiveUpdate (removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"]) { peers = @@ -26,7 +26,7 @@ networking.wireguard.interfaces.${iface} = lib.recursiveUpdate } peer.peer) (removeAttrs - (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers) + (lib.filterAttrs (peerName: _: config.networking.wireguard.${wgIface}.peers.${peerName}.enable) peers) [hostName]); privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey"; 
@@ -35,7 +35,7 @@ networking.wireguard.interfaces.${iface} = lib.recursiveUpdate # This prevents connections to stall on huge packets, # or delaying their initializing due to TCP PMTU probing. postSetup = '' - ip link set dev ${iface} mtu 1280 + ip link set dev ${wgIface} mtu 1280 ''; }; networking.hosts = lib.mkMerge [ 
@@ -56,42 +56,42 @@ networking.firewall.extraCommands = lib.optionalString (wg.listenPort != null) ' networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) '' table inet filter { chain input-lan { - udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers" + udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} input from peers" } chain input-net { - udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers" + udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} input from peers" } chain input-intra { ${lib.optionalString (peers.${hostName}.peer.endpointsUpdater.enable or false) '' - tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} counter accept comment "Wireguard ${iface} from peers to endpointUpdater" + tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} counter accept comment "Wireguard ${wgIface} from peers to endpointUpdater" '' } } chain input { - iifname ${iface} jump input-intra - iifname ${iface} log level warn prefix "input-intra: " counter drop + iifname ${wgIface} jump input-intra + iifname ${wgIface} log level warn prefix "input-intra: " counter drop } chain output-lan { - udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers" + udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} output to peers" } chain output-net { - udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers" + udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} output to peers" } chain output-intra { ${lib.concatStringsSep "\n" (lib.mapAttrsToList (peerName: peer: '' - tcp dport ${toString peer.listenPort} ip daddr ${peer.ipv4} counter accept comment "Wireguard ${iface} to endpointUpdater ${peerName}" + tcp dport ${toString 
peer.listenPort} ip daddr ${peer.ipv4} counter accept comment "Wireguard ${wgIface} to endpointUpdater ${peerName}" '') (lib.filterAttrs (peerName: peer: - config.networking.wireguard.${iface}.peers.${peerName}.enable && + config.networking.wireguard.${wgIface}.peers.${peerName}.enable && (peers.${peerName}.peer.endpointsUpdater.enable or false)) peers)) } } chain output { - oifname ${iface} jump output-intra - oifname ${iface} log level warn prefix "output-intra: " counter drop + oifname ${wgIface} jump output-intra + oifname ${wgIface} log level warn prefix "output-intra: " counter drop } } ''; @@ -99,6 +99,7 @@ networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) '' services.fail2ban.ignoreIP = lib.concatMap (host: host.peer.allowedIPs) (lib.attrValues peers); -networking.networkmanager.unmanaged = ["wg-intra"]; +networking.networkmanager.unmanaged = [ wgIface ]; +systemd.services.sshd.after = ["wireguard-${wgIface}.service"]; }; } -- 2.44.1 From 56523a72a075d2968cb40f4f2e8d4a704529da46 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:11:05 +0200 Subject: [PATCH 03/16] aubergine: add julm to networkmanager --- hosts/aubergine.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index 243f5b7..8551a84 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -32,6 +32,7 @@ users.users.julm = { extraGroups = [ "adbusers" "dialout" + "networkmanager" "tor" "wheel" ]; -- 2.44.1 From 2a898ae106ed66d99dc76061625ef6ab82fe2026 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:11:48 +0200 Subject: [PATCH 04/16] oignon: enable NixOS switch through ssh --- hosts/oignon.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/oignon.nix b/hosts/oignon.nix index be9132d..e55df74 100644 --- a/hosts/oignon.nix +++ b/hosts/oignon.nix 
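Review bot: `systemd.services.sshd.after = ["wireguard-${wgIface}.service"]` is an ordering dependency only; if the wireguard unit is not otherwise pulled into the transaction, sshd still starts without waiting, and with `services.openssh.listenAddresses` bound to the wg-intra peer address (see the networking.nix hunk later in this series) the bind can fail before the interface exists. Consider pairing it with `systemd.services.sshd.wants = ["wireguard-${wgIface}.service"];` if that dependency is intended, and guarding it with the same `wg.listenPort != null` condition used for the ruleset if the interface may be absent on some hosts. The enclosing `config = { … }` attrset starts outside the hunk.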
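Review bot: Adding julm to `networkmanager` is a privilege grant, not just a convenience: the NixOS NetworkManager module's polkit rules let members of that group modify system-wide connections without a password, which is close to network-admin rights. That is fine for a single-user laptop, but worth recording next to the entry, e.g. `"networkmanager" # may edit system connections without sudo`, so the intent sits alongside `"wheel"`.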
@@ -25,6 +25,11 @@ home-manager.users.julm = { systemd.services.home-manager-julm.postStart = '' ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager ''; +users.users.root = { + openssh.authorizedKeys.keys = map lib.readFile [ + ../private/shared/ssh/julm/oignon.pub + ]; +}; users.users.julm = { isNormalUser = true; uid = 1000; -- 2.44.1 From a886e07e2c4d7757707946ee4dda4a47832d3539 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:12:51 +0200 Subject: [PATCH 05/16] aubergine: add wwan tools --- hosts/aubergine/networking.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index 8433725..69c7cf1 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -197,6 +197,10 @@ services.openssh.listenAddresses = [ environment.systemPackages = [ pkgs.iw pkgs.modem-manager-gui + pkgs.libmbim + pkgs.chatty + pkgs.calls + pkgs.dfeet ]; # iw dev wlp5s0 station dump -- 2.44.1 From 78afd11c1a3afd505caaaf1ed39fdc035f742eb6 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:13:54 +0200 Subject: [PATCH 06/16] aubergine: pulseaudio: enable --- hosts/aubergine/hardware.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/aubergine/hardware.nix b/hosts/aubergine/hardware.nix index e5ae9a7..97e3c07 100644 --- a/hosts/aubergine/hardware.nix +++ b/hosts/aubergine/hardware.nix @@ -75,4 +75,7 @@ fileSystems."/var" = }; */ +hardware.pulseaudio.enable = lib.mkDefault true; +#hardware.pulseaudio.tcp.enable = lib.mkDefault true; + } -- 2.44.1 From ccaf284a2abda635e9f0a10dc9af72d9fe7f6c52 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:14:42 +0200 Subject: [PATCH 07/16] aubergine: hack dbus --- hosts/aubergine/networking.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) 
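Review bot: Installing julm's key into `users.users.root.openssh.authorizedKeys.keys` enables key-based root login over SSH, which only takes effect if `services.openssh.permitRootLogin` is at least `"prohibit-password"`; that setting is not visible in this hunk, so either it is set elsewhere or this block is inert. If root login is the intended path for remote `nixos-rebuild switch`, say so in a comment and consider restricting the key with an authorized_keys option (e.g. `from=` limited to the wg-intra peer address), since an unrestricted root key is the highest-value credential on the host. The `lib` used by `map lib.readFile` must be among the module's arguments, which are outside the hunk.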
diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index 69c7cf1..39e0c70 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -203,6 +203,31 @@ environment.systemPackages = [ pkgs.dfeet ]; +security.polkit.extraConfig = '' + /* Allow calling for local dialout group members */ + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.ModemManager1.Voice" && + subject.local && subject.active && subject.isInGroup("dialout")) + { + return polkit.Result.YES; + } + }); +''; +#services.dbus.apparmor = "enabled"; +systemd.sockets.dbus.listenStreams = ["0.0.0.0:4444"]; +services.dbus.packages = [ + pkgs.dconf + (pkgs.writeTextDir "share/dbus-1/system.d/hack-system.conf" '' + tcp:host=192.168.5.1,bind=0.0.0.0,port=4444,family=ipv4 + unix:tmpdir=/tmp + + ANONYMOUS + + '') +]; +programs.dconf.enable = true; + + # iw dev wlp5s0 station dump # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf services.hostapd = { -- 2.44.1 From c9d98696781c4f317ad5933ece6a69d26190a6ee Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:14:46 +0200 Subject: [PATCH 08/16] Revert "aubergine: hack dbus" This reverts commit 2a84151ab464a691a30f9cbdb8f8fc36a146b5c6. --- hosts/aubergine/networking.nix | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index 39e0c70..69c7cf1 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix 
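Review bot: `systemd.sockets.dbus.listenStreams = ["0.0.0.0:4444"]` together with the `bind=0.0.0.0,port=4444` listen address and the `ANONYMOUS` auth mechanism in hack-system.conf exposes the system bus, unauthenticated, on every interface of the host; any peer that can reach port 4444 can talk to system services as an anonymous bus client. Even as a throwaway experiment (the next patch reverts it), it should be confined: bind to the intended interface address only, keep `EXTERNAL` auth, or put the whole block behind a clearly named option defaulting to false. The config text also appears to have lost its XML element tags (`listen`, `auth`) in this rendering, so the exact file content should be checked against the repository. The polkit rule granting `org.freedesktop.ModemManager1.Voice` to local, active `dialout` members is narrower and reasonable, but `subject.active` is the only thing keeping non-seat sessions out, so it deserves a comment.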
@@ -203,31 +203,6 @@ environment.systemPackages = [ pkgs.dfeet ]; -security.polkit.extraConfig = '' - /* Allow calling for local dialout group members */ - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.ModemManager1.Voice" && - subject.local && subject.active && subject.isInGroup("dialout")) - { - return polkit.Result.YES; - } - }); -''; -#services.dbus.apparmor = "enabled"; -systemd.sockets.dbus.listenStreams = ["0.0.0.0:4444"]; -services.dbus.packages = [ - pkgs.dconf - (pkgs.writeTextDir "share/dbus-1/system.d/hack-system.conf" '' - tcp:host=192.168.5.1,bind=0.0.0.0,port=4444,family=ipv4 - unix:tmpdir=/tmp - - ANONYMOUS - - '') -]; -programs.dconf.enable = true; - - # iw dev wlp5s0 station dump # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf services.hostapd = { -- 2.44.1 From 115ffa4f02c96c3bc46ff16f445ecb23277e9040 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:19:19 +0200 Subject: [PATCH 09/16] aubergine: enable tmpOnTmpfs --- hosts/aubergine/hardware.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/aubergine/hardware.nix b/hosts/aubergine/hardware.nix index 97e3c07..67c9faf 100644 --- a/hosts/aubergine/hardware.nix +++ b/hosts/aubergine/hardware.nix @@ -26,6 +26,7 @@ boot.loader.grub = { #efiSupport = true; #enableCryptodisk = true; }; +boot.tmpOnTmpfs = true; fileSystems."/" = { device = "/dev/disk/by-partlabel/${hostName}_sd_root"; -- 2.44.1 From ec1bcff216bf43d1b7513e9648f8cd3f8141af68 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:20:52 +0200 Subject: [PATCH 10/16] networking: enable congctl westwood on WLAN or WWAN --- hosts/aubergine/networking.nix | 1 + nixos/profiles/networking.nix | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index 69c7cf1..998e6ab 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix 
@@ -76,6 +76,7 @@ networking.interfaces = { ${wifiIface} = { useDHCP = false; ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ]; + ipv4.routes = [ { address = "${wifiIPv4}.0"; prefixLength = 24; options = { congctl="westwood";}; } ]; }; ${eth1Iface} = { useDHCP = false; diff --git a/nixos/profiles/networking.nix b/nixos/profiles/networking.nix index 2dee8af..9e47696 100644 --- a/nixos/profiles/networking.nix +++ b/nixos/profiles/networking.nix @@ -58,8 +58,25 @@ services.openssh = { { addr = wg-intra-peers.${hostName}.ipv4; port = 22; } ]; }; -networking.firewall.extraCommands = lib.mkIf config.services.openssh.enable '' - ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 22 -j ACCEPT -''; -systemd.services.sshd.after = ["wireguard-wg-intra.service"]; + +environment.etc."NetworkManager/dispatcher.d/congctl" = { + mode = "700"; + source = pkgs.writeShellScript "congctl" '' + case $NM_DISPATCHER_ACTION in + up) + case $DEVICE_IP_IFACE in + # WLAN or WWAN + # https://en.wikipedia.org/wiki/TCP_congestion_control#TCP_Westwood+ + wl*|ww*) + ip route show dev $DEVICE_IP_IFACE | + while read -r route; do + ip route change $route dev $DEVICE_IP_IFACE congctl westwood + done + ip r >>/tmp/log + ;; + esac + ;; + esac + ''; +}; } -- 2.44.1 From 402248752ffd7c655775287add733864258b72e8 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:21:26 +0200 Subject: [PATCH 11/16] aubergine: dhcpd4: fix subnet config --- hosts/aubergine/networking.nix | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index 998e6ab..b3266f8 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix 
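Review bot: `ip r >>/tmp/log` inside the new congctl dispatcher script looks like leftover debugging: it runs as root on every interface-up event, appends to a fixed, predictable path in world-writable /tmp, and grows without bound; remove it or log via `logger` instead. The loop `ip route change $route dev $DEVICE_IP_IFACE congctl westwood` relies on unquoted word splitting of `$route`, which is intentional here but worth a comment (`# $route is deliberately unquoted: it is re-fed to ip as separate arguments`), and `$DEVICE_IP_IFACE` should be quoted in the `ip route show dev` call. The removed `networking.firewall.extraCommands` ssh accept on wg-intra and the removed `sshd.after` line are not replaced in this hunk — the nftables input-intra chains and the wg-intra.nix hunk earlier in this series appear to cover them, but confirm no host still relies on the iptables rule.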
@@ -110,34 +110,36 @@ services.dhcpd4 = { eth3Iface ]; extraConfig = '' - option subnet-mask 255.255.255.0; - - option broadcast-address ${wifiIPv4}.255; - option routers ${wifiIPv4}.1; - option domain-name-servers ${wifiIPv4}.1; subnet ${wifiIPv4}.0 netmask 255.255.255.0 { range ${wifiIPv4}.100 ${wifiIPv4}.200; + option broadcast-address ${wifiIPv4}.255; + option domain-name-servers ${wifiIPv4}.1; + option routers ${wifiIPv4}.1; + option subnet-mask 255.255.255.0; } - option broadcast-address ${eth1IPv4}.255; - option routers ${eth1IPv4}.1; - option domain-name-servers ${eth1IPv4}.1; subnet ${eth1IPv4}.0 netmask 255.255.255.0 { range ${eth1IPv4}.100 ${eth1IPv4}.200; + option broadcast-address ${eth1IPv4}.255; + option domain-name-servers ${eth1IPv4}.1; + option routers ${eth1IPv4}.1; + option subnet-mask 255.255.255.0; } - option broadcast-address ${eth2IPv4}.255; - option routers ${eth2IPv4}.1; - option domain-name-servers ${eth2IPv4}.1; subnet ${eth2IPv4}.0 netmask 255.255.255.0 { range ${eth2IPv4}.100 ${eth2IPv4}.200; + option broadcast-address ${eth2IPv4}.255; + option domain-name-servers ${eth2IPv4}.1; + option routers ${eth2IPv4}.1; + option subnet-mask 255.255.255.0; } - option broadcast-address ${eth3IPv4}.255; - option routers ${eth3IPv4}.1; - option domain-name-servers ${eth3IPv4}.1; subnet ${eth3IPv4}.0 netmask 255.255.255.0 { range ${eth3IPv4}.100 ${eth3IPv4}.200; + option broadcast-address ${eth3IPv4}.255; + option domain-name-servers ${eth3IPv4}.1; + option routers ${eth3IPv4}.1; + option subnet-mask 255.255.255.0; } ''; }; -- 2.44.1 From e6c39cc4ce6e6f9710d19149c5a736e2794d3af9 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:22:05 +0200 Subject: [PATCH 12/16] graphical: install paprefs --- nixos/profiles/graphical.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos/profiles/graphical.nix b/nixos/profiles/graphical.nix index 1c9aeea..c92f079 100644 --- a/nixos/profiles/graphical.nix 
+++ b/nixos/profiles/graphical.nix @@ -13,6 +13,9 @@ programs.adb.enable = true; sound.enable = lib.mkDefault true; hardware.pulseaudio.enable = lib.mkDefault true; +environment.systemPackages = [ + pkgs.paprefs +]; services.xserver = { enable = lib.mkDefault true; -- 2.44.1 From b713b3d577ff58e97ae8a5180b655b66660b5354 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:22:29 +0200 Subject: [PATCH 13/16] debug: install dfeet --- hosts/aubergine/networking.nix | 1 - nixos/profiles/debug.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index b3266f8..dd02eb2 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -203,7 +203,6 @@ environment.systemPackages = [ pkgs.libmbim pkgs.chatty pkgs.calls - pkgs.dfeet ]; # iw dev wlp5s0 station dump diff --git a/nixos/profiles/debug.nix b/nixos/profiles/debug.nix index 58d0776..d31ba37 100644 --- a/nixos/profiles/debug.nix +++ b/nixos/profiles/debug.nix @@ -6,5 +6,6 @@ boot.kernelParams = lib.mkAfter [ ]; environment.systemPackages = [ config.boot.kernelPackages.bpftrace + pkgs.dfeet ]; } -- 2.44.1 From 4d1e3b6360fb92e13d68f93de0794d44aa193bdc Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:22:56 +0200 Subject: [PATCH 14/16] networking: install iperf --- hosts/aubergine/networking/nftables.nix | 8 +++++++- hosts/oignon/networking/nftables.nix | 5 +++++ nixos/profiles/networking.nix | 3 +++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix index 84f5baf..da52a4b 100644 --- a/hosts/aubergine/networking/nftables.nix +++ b/hosts/aubergine/networking/nftables.nix 
@@ -17,6 +17,7 @@ networking.nftables = { meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP" tcp dport ssh counter accept comment "SSH" udp dport 60000-61000 counter accept comment "Mosh" + tcp dport 5201 counter accept comment "iperf" } chain input-net { jump check-public @@ -24,11 +25,13 @@ networking.nftables = { chain input-intra { tcp dport ssh counter accept comment "SSH" udp dport 60000-61000 counter accept comment "Mosh" + tcp dport 5201 counter accept comment "iperf" } chain output-lan { tcp dport { ssh, 2222 } counter accept comment "SSH" counter accept + tcp dport 5201 counter accept comment "iperf" } chain output-net { tcp dport { ssh, 2222 } counter accept comment "SSH" @@ -37,12 +40,15 @@ networking.nftables = { udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP" meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2" tcp dport git counter accept comment "Git" + tcp dport 5201 counter accept comment "iperf" } chain output-intra { tcp dport { ssh, 2222 } counter accept comment "SSH" udp dport 60001-60010 counter accept comment "Mosh" tcp dport { http, https } counter accept comment "HTTP" - tcp dport git counter accept comment "Git" + tcp dport git counter accept comment "git" + #tcp dport 4713 counter accept comment "pulseaudio" + tcp dport 5201 counter accept comment "iperf" } } ''; diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix index 98c3c7a..548e536 100644 --- a/hosts/oignon/networking/nftables.nix +++ b/hosts/oignon/networking/nftables.nix @@ -15,6 +15,8 @@ networking.nftables = { chain input-intra { tcp dport { ssh, 2222 } counter accept comment "SSH" udp dport 60001-60010 counter accept comment "Mosh" + #tcp dport 4713 counter accept comment "pulseaudio" + tcp dport 5201 counter accept comment "iperf" } chain input-net { } 
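Review bot: Accepting `tcp dport 5201` in the input-lan and input-intra chains makes the iperf server port permanently reachable on every host using this ruleset, although iperf is a measurement tool run on demand; the same applies to the input-intra hunk of oignon's nftables.nix below. Since this series already moved dfeet into `nixos/profiles/debug.nix`, the input rules (and the `pkgs.iperf` package) would fit that profile or an explicit option better than the always-on base rules; the output rules are harmless. The comment change `"Git"` → `"git"` in output-intra also breaks the capitalised comment convention used by the other chains.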
@@ -24,12 +26,14 @@ networking.nftables = { udp dport 60001-60100 counter accept comment "Mosh" tcp dport bootps counter accept comment "DHCP" tcp dport { 4444, 5555 } counter accept + tcp dport 5201 counter accept comment "iperf" } chain output-intra { tcp dport { ssh, 2222 } counter accept comment "SSH" udp dport 60001-60100 counter accept comment "Mosh" tcp dport { http, https } counter accept comment "HTTP" tcp dport git counter accept comment "Git" + tcp dport 5201 counter accept comment "iperf" } chain output-net { tcp dport { ssh, 2222 } counter accept comment "SSH" @@ -41,6 +45,7 @@ networking.nftables = { tcp dport imaps counter accept comment "IMAPS" tcp dport xmpp-client counter accept comment "XMPP" tcp dport nntps counter accept comment "NNTPS" + tcp dport 5201 counter accept comment "iperf" } } ''; diff --git a/nixos/profiles/networking.nix b/nixos/profiles/networking.nix index 9e47696..e7df546 100644 --- a/nixos/profiles/networking.nix +++ b/nixos/profiles/networking.nix @@ -29,6 +29,9 @@ networking = { programs.mtr.enable = true; programs.usbtop.enable = true; +environment.systemPackages = [ + pkgs.iperf +]; services.avahi = { enable = lib.mkDefault true; -- 2.44.1 From ace6f52ac653feff0fd0b8bbd36bd54cf2c54439 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:23:31 +0200 Subject: [PATCH 15/16] oignon: nftables: allow SMTPS output --- hosts/oignon/networking/nftables.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix index 548e536..49f9b0c 100644 --- a/hosts/oignon/networking/nftables.nix +++ b/hosts/oignon/networking/nftables.nix 
@@ -43,6 +43,7 @@ networking.nftables = { tcp dport { http, https } counter accept comment "HTTP" tcp dport git counter accept comment "Git" tcp dport imaps counter accept comment "IMAPS" + tcp dport submissions counter accept comment "SMTPS" tcp dport xmpp-client counter accept comment "XMPP" tcp dport nntps counter accept comment "NNTPS" tcp dport 5201 counter accept comment "iperf" -- 2.44.1 From 80f62b7e90e6c3484007327fd6e570a21307ecae Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 7 Oct 2022 13:43:27 +0200 Subject: [PATCH 16/16] aubergine: nix: secret-key-files not operational yet --- hosts/aubergine.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index 8551a84..07d9433 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -57,7 +57,7 @@ users.users.root = { nix = { extraOptions = '' #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem - secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem + #secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem ''; settings = { trusted-users = [ config.users.users."julm".name ]; -- 2.44.1
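Review bot: The now-commented `secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem` line deserves a note saying why it is disabled, because re-enabling it as written is a footgun: if `private` is a Nix path value, interpolating it into this string copies the whole private directory into the world-readable Nix store, and even as a plain string the daemon would read the signing key from the checkout rather than from a credential. The `/run/credentials/nix-daemon.service/...` line above it is the right direction once `LoadCredential` is wired up; a comment such as `# Disabled: signing key must come from a systemd credential, not from the repo checkout` records that intent.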