{ config, lib, pkgs, ... }: let wireguard_port = "1194"; in { # Set hostname, hostid and enable WiFi networking = { hostName = "panacea"; hostId = "8feb0bb8"; wireless.iwd.enable = true; }; # Enable systemd-networkd networking = { useDHCP = false; interfaces = { enp0s31f6.useDHCP = true; wlan0.useDHCP = true; }; useNetworkd = true; dhcpcd.enable = false; }; systemd.network.wait-online.enable = false; # Disable DNSSEC services.resolved.dnssec = "false"; # Prioritize ethernet over WiFi systemd.network.networks."40-enp0s31f6".dhcpV4Config.RouteMetric = 10; systemd.network.networks."40-wlan0".dhcpV4Config.RouteMetric = 20; # Static IP for home network systemd.network.networks."24-home" = { name = "wlan0"; matchConfig = { Name = "wlan0"; SSID = "WiFi-5.0-CE42"; }; address = [ "192.168.13.131/24" ]; gateway = [ "192.168.13.1" ]; dns = [ "192.168.13.2" ]; networkConfig.DNSSEC = "no"; }; # Enable zeroconf services.avahi = { enable = true; nssmdns = true; }; # VPN setup systemd.network.netdevs."wg0" = { netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; wireguardConfig = { ListenPort = wireguard_port; PrivateKeyFile = config.age.secrets.wireguard.path; FirewallMark = 34952; }; wireguardPeers = [{ wireguardPeerConfig = { PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU="; AllowedIPs = [ "0.0.0.0/0" ]; Endpoint = "coolneng.duckdns.org:1194"; }; }]; }; systemd.network.networks."wg0" = { matchConfig.Name = "wg0"; linkConfig.ActivationPolicy = "manual"; networkConfig = { Address = "10.8.0.2/32"; DNS = "10.8.0.1"; DNSDefaultRoute = true; Domains = "~."; }; routingPolicyRules = [{ routingPolicyRuleConfig = { FirewallMark = 34952; InvertRule = true; Table = 1000; Priority = 10; }; }]; routes = [{ routeConfig = { Gateway = "10.8.0.1"; GatewayOnLink = true; Table = 1000; }; }]; }; # Firewall configuration networking.firewall = { allowedTCPPorts = [ 9090 # Calibre Wireless ]; allowedUDPPorts = [ 54982 # Calibre Wireless ]; # Allow wireguard traffic extraCommands = '' iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN ''; extraStopCommands = '' iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true ''; }; }