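{ pkgs, lib, config, credentials, host, ... }:
let
  # DNS zone delegated to this host; iodine clients tunnel through it.
  domain = "i.sourcephile.fr";
  # TUN device created by iodined (-d below) and matched by the forward rules.
  iface = "iode";
  # Upstream interface the tunnel traffic is NATed out of.
  gateway = config.networking.defaultGateway.interface;
in
{
  # The password is shipped as an encrypted systemd credential and is only
  # decrypted into $CREDENTIALS_DIRECTORY for the running service, so it
  # never lands in the world-readable Nix store.
  systemd.services.iodined.serviceConfig.LoadCredentialEncrypted =
    "password:${credentials}/iodine/password.secret";

  # iodined only listens on loopback; a DNS front-end (not part of this
  # module) is presumably forwarding the zone's queries to 127.0.0.1:1053.
  systemd.sockets.iodined = {
    enable = true;
    listenDatagrams = [ "127.0.0.1:1053" ];
    socketConfig.BindToDevice = "lo";
    socketConfig.ReusePort = true;
    wantedBy = [ "sockets.target" ];
  };

  services.iodine.server = {
    enable = true;
    # Server end of the tunnel subnet handed out to clients.
    ip = "10.53.53.1/24";
    # Resolved inside the service; see LoadCredentialEncrypted above.
    passwordFile = "$CREDENTIALS_DIRECTORY/password";
    inherit domain;
    # -4: IPv4 only; -c: skip iodined's per-request client IP check (needed
    # for roaming/NATed clients, at the cost of that check); -d: TUN device
    # name; -n: external IP advertised to clients.
    extraConfig = "-4 -c -d ${iface} -n ${host.ipv4}";
  };

  # Required to route tunnel clients out through the gateway interface.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Assumes the `inet filter` forward chain and `inet nat` postrouting chain
  # are declared elsewhere in the ruleset.
  networking.nftables.ruleset = ''
    # Forwarding: tunnel clients may initiate connections upstream ...
    add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
    # ... but only reply traffic is let back in; with masquerading there is
    # no legitimate unsolicited traffic from the gateway side into the tunnel.
    add rule inet filter forward iifname "${gateway}" oifname "${iface}" ct state established,related counter accept
    # Masquerading
    add rule inet nat postrouting iifname "${iface}" oifname "${gateway}" masquerade
  '';
}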