
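{ config, lib, pkgs, ... }:
let
  # Local WireGuard listen port. Referenced by ListenPort= and by the
  # rpfilter exceptions in the firewall section, so it only needs changing
  # here. The peer Endpoint below carries its own port: that is the remote
  # side's listen port and merely happens to be the same number.
  wireguard_port = "1194";

  # Packet mark that WireGuard sets on its own encrypted (outer) UDP packets.
  # The routing policy rule on wg0 inverts on this very mark, so both places
  # must use the same value: if they drift, the tunnel's outer packets would
  # themselves be routed into the tunnel and the VPN could not come up.
  wireguard_fwmark = 34952;
in {
  networking = {
    # Hostname, hostid and WiFi (iwd as the wireless backend).
    hostName = "panacea";
    hostId = "8feb0bb8";
    wireless.iwd.enable = true;

    # systemd-networkd manages the interfaces; the scripted DHCP path is off.
    useDHCP = false;
    useNetworkd = true;
    dhcpcd.enable = false;
    interfaces = {
      enp0s31f6.useDHCP = true;
      wlan0.useDHCP = true;
    };

    # Firewall configuration
    firewall = {
      allowedTCPPorts = [
        9090 # Calibre Wireless
      ];
      allowedUDPPorts = [
        54982 # Calibre Wireless
        5353 # mDNS
      ];
      # Allow wireguard traffic: exempt the WireGuard UDP port from the
      # reverse-path filter chain. With the fwmark policy routing below the
      # peer's replies presumably take a path rpfilter would reject as
      # spoofed; this is the usual NixOS WireGuard workaround. The port is
      # deliberately not in allowedUDPPorts, so only replies to handshakes
      # this host initiates get through (a client behind a fixed Endpoint).
      extraCommands = ''
        iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN
        iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN
      '';
      # `|| true`: firewall shutdown must not fail if a rule is already gone.
      extraStopCommands = ''
        iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true
        iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true
      '';
    };
  };

  # Do not block boot on network-online.target.
  systemd.network.wait-online.enable = false;

  # Disable DNSSEC and enable mDNS (LLMNR stays off; mDNS is the only
  # link-local name service, matching the 5353/udp firewall hole above).
  services.resolved = {
    enable = true;
    dnssec = "false";
    llmnr = "false";
    extraConfig = ''
      MulticastDNS=yes
    '';
  };

  # Prioritize ethernet over WiFi: the lower RouteMetric wins when both
  # links hold a DHCP default route. These units merge into the
  # "40-<iface>" networks that `networking.interfaces.*.useDHCP` generates,
  # which is where their [Match] section comes from.
  systemd.network.networks."40-enp0s31f6" = {
    dhcpV4Config.RouteMetric = 10;
    networkConfig.MulticastDNS = "yes";
  };
  systemd.network.networks."40-wlan0" = {
    dhcpV4Config.RouteMetric = 20;
    networkConfig.MulticastDNS = "yes";
  };

  # Static IP for home network. networkd applies the first .network file in
  # lexical order whose [Match] succeeds, so these SSID-specific units sort
  # before 40-wlan0 and replace DHCP on the named SSIDs only.
  # NOTE(review): a static `gateway` gets the kernel's default route metric
  # (0 for IPv4), which would outrank the metric-10 ethernet route and defeat
  # the "ethernet first" intent whenever one of these SSIDs is joined —
  # confirm with `ip route`; a `routes` entry carrying Metric = 20 would fix it.
  systemd.network.networks."24-home" = {
    name = "wlan0"; # redundant with matchConfig.Name below, kept as-is
    matchConfig = {
      Name = "wlan0";
      SSID = "WiFi-5.0-CE42";
    };
    address = [ "192.168.13.131/24" ];
    gateway = [ "192.168.13.1" ];
    dns = [ "192.168.13.2" ];
    networkConfig = {
      DNSSEC = "no";
      MulticastDNS = "yes";
    };
  };
  systemd.network.networks."25-home" = {
    name = "wlan0"; # redundant with matchConfig.Name below, kept as-is
    matchConfig = {
      Name = "wlan0";
      SSID = "Aminkas-5Ghz";
    };
    address = [ "192.168.13.3/24" ];
    gateway = [ "192.168.13.1" ];
    dns = [ "192.168.13.2" ];
    networkConfig = {
      DNSSEC = "no";
      MulticastDNS = "yes";
    };
  };

  # VPN setup: a WireGuard netdev whose private key is an age secret
  # (presumably agenix) decrypted at activation, so it never enters the
  # world-readable Nix store.
  systemd.network.netdevs."wg0" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg0";
    };
    wireguardConfig = {
      ListenPort = wireguard_port;
      PrivateKeyFile = config.age.secrets.wireguard.path;
      # Marks the tunnel's outer packets; see wireguard_fwmark above.
      FirewallMark = wireguard_fwmark;
    };
    wireguardPeers = [{
      wireguardPeerConfig = {
        PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
        # Full tunnel: every destination is sent to this peer.
        AllowedIPs = [ "0.0.0.0/0" ];
        # NOTE(review): a hostname endpoint is resolved when the netdev is
        # created; if the DuckDNS record changes, the netdev presumably has
        # to be reloaded before the tunnel recovers — confirm.
        Endpoint = "coolneng.duckdns.org:1194";
      };
    }];
  };

  # wg0 is not brought up automatically (ActivationPolicy=manual); it is
  # enabled on demand, e.g. `networkctl up wg0`. Presumably only while it is
  # up, every packet that does NOT carry the WireGuard fwmark is looked up in
  # table 1000, whose only route is the default via the tunnel gateway — the
  # same layout wg-quick installs for a 0.0.0.0/0 peer. DNS is pinned to the
  # tunnel as well: DNSDefaultRoute plus Domains "~." send every query to
  # 10.8.0.1, so nothing leaks to the LAN resolver while the VPN is up.
  systemd.network.networks."wg0" = {
    matchConfig.Name = "wg0";
    linkConfig.ActivationPolicy = "manual";
    networkConfig = {
      Address = "10.8.0.2/32";
      DNS = "10.8.0.1";
      DNSDefaultRoute = true;
      Domains = "~.";
    };
    # NOTE(review): unlike wg-quick there is no SuppressPrefixLength=0 rule
    # for the main table, and table 1000 holds only a default route, so LAN
    # destinations are also pushed through the tunnel while wg0 is up —
    # confirm that is intended.
    routingPolicyRules = [{
      routingPolicyRuleConfig = {
        FirewallMark = wireguard_fwmark;
        InvertRule = true;
        Table = 1000;
        Priority = 10;
      };
    }];
    routes = [{
      routeConfig = {
        Gateway = "10.8.0.1";
        GatewayOnLink = true;
        Table = 1000;
      };
    }];
  };
}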