]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/carotte/networking.nix
mermet: nginx: remove old sites
[sourcephile-nix.git] / hosts / carotte / networking.nix
1 { lib, hostName, ... }:
2 let netIface = "end0"; in
3 {
4 imports = [
5 #networking/wireguard/intranet.nix
6 ];
7 networking = {
8 hostName = hostName;
9 domain = "sp";
10 #wireless.enable = true;
11 useDHCP = false;
12 #networkmanager.enable = true;
13 };
14 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
15 "host.key:${ssh/host.key.cred}"
16 ];
17 services.openssh = {
18 openFirewall = true;
19 settings.X11Forwarding = true;
20 };
21
22 #systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
23 systemd.network = {
24 enable = true;
25 wait-online = {
26 enable = false;
27 };
28 networks = {
29 "10-${netIface}" = {
30 name = netIface;
31 # Start a DHCP Client for IPv4 Addressing/Routing
32 DHCP = "ipv4";
33 networkConfig = {
34 # Accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
35 IPv6AcceptRA = true;
36 IPv6PrivacyExtensions = true;
37 KeepConfiguration = "dhcp-on-stop";
38 };
39 linkConfig = {
40 RequiredForOnline = "no";
41 };
42 };
43 };
44 };
45 networking.nftables.ruleset = lib.mkAfter ''
46 table inet filter {
47 chain input {
48 iifname ${netIface} goto input-net
49 }
50 chain output {
51 ip daddr 10.0.0.0/8 counter goto output-lan
52 ip daddr 172.16.0.0/12 counter goto output-lan
53 ip daddr 192.168.0.0/16 counter goto output-lan
54 ip daddr 224.0.0.0/3 counter goto output-lan
55 oifname ${netIface} jump output-net
56 oifname ${netIface} log level warn prefix "output-net: " counter drop
57 }
58 chain output-lan {
59 meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
60 #meta l4proto { udp, tcp } th dport dhcpv6-server counter accept comment "DHCPv6"
61 }
62 }
63 table inet nat {
64 chain postrouting {
65 oifname ${netIface} masquerade
66 }
67 }
68 '';
69 }