-{ pkgs, lib, config, hostName, ... }:
+{ lib, hostName, ... }:
+let netIface = "end0"; in
{
-networking = {
- hostName = hostName;
- domain = "sourcephile.fr";
- firewall.enable = true;
- firewall.allowedTCPPorts = [ 22 ];
- #wireless.enable = true;
- useDHCP = true;
- #networkmanager.enable = true;
-};
+ imports = [
+ #networking/wireguard/intranet.nix
+ ];
+ networking = {
+ hostName = hostName;
+ domain = "sp";
+ #wireless.enable = true;
+ useDHCP = false;
+ #networkmanager.enable = true;
+ };
+ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+ "host.key:${ssh/host.key.cred}"
+ ];
+ services.openssh = {
+ openFirewall = true;
+ settings.X11Forwarding = true;
+ };
+
+ #systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+ systemd.network = {
+ enable = true;
+ wait-online = {
+ enable = false;
+ };
+ networks = {
+ "10-${netIface}" = {
+ name = netIface;
+ # Start a DHCP Client for IPv4 Addressing/Routing
+ DHCP = "ipv4";
+ networkConfig = {
+ # Accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = true;
+ KeepConfiguration = "dhcp-on-stop";
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
+ };
+ };
+ networking.nftables.ruleset = lib.mkAfter ''
+ table inet filter {
+ chain input {
+ iifname ${netIface} goto input-net
+ }
+ chain output {
+ ip daddr 10.0.0.0/8 counter goto output-lan
+ ip daddr 172.16.0.0/12 counter goto output-lan
+ ip daddr 192.168.0.0/16 counter goto output-lan
+ ip daddr 224.0.0.0/3 counter goto output-lan
+ oifname ${netIface} jump output-net
+ oifname ${netIface} log level warn prefix "output-net: " counter drop
+ }
+ chain output-lan {
+ meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+ #meta l4proto { udp, tcp } th dport dhcpv6-server counter accept comment "DHCPv6"
+ }
+ }
+ table inet nat {
+ chain postrouting {
+ oifname ${netIface} masquerade
+ }
+ }
+ '';
}
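Review bot: `settings.X11Forwarding = true` enables X11 forwarding for every SSH account at the same time as `openFirewall = true` exposes sshd on the uplink; OpenSSH ships with it disabled because a compromised server can drive the connecting client's X session, so either drop the option or scope it to the users that need it with a `Match User` block in `services.openssh.extraConfig`, and state the reason in a comment. In the nftables `output` chain only IPv4 private, multicast and broadcast destinations are sent to `output-lan`; the IPv6 neighbour-discovery and router-solicitation traffic (fe80::/10, ff02::/16) that `IPv6AcceptRA = true` relies on falls through to `output-net` and then to the `log ... drop` rule, so unless `output-net` (defined outside this hunk) accepts `icmpv6`, SLAAC fails silently — `ip6 daddr { fe80::/10, ff02::/16 } counter goto output-lan` together with a `meta l4proto icmpv6 counter accept` in `output-lan` would close that gap. Note also that `${ssh/host.key.cred}` is a Nix path literal, so the credential file is copied into the world-readable Nix store; that is acceptable only because it is systemd-creds encrypted, which deserves a comment such as `# encrypted with systemd-creds: the store copy is ciphertext only`.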