# NixOS host configuration for "panacea": networkd-managed wired/WiFi uplinks,
# a static profile for the home SSID, a WireGuard tunnel (wg0) that is brought
# up manually and, once up, carries all IPv4 traffic plus DNS, and the
# firewall rules the tunnel needs.
#
# Notes for reviewers:
# - Only 0.0.0.0/0 is listed in AllowedIPs and wg0 carries only an IPv4
#   address, so IPv6 traffic (if the uplink ever gets IPv6) is not steered
#   into the tunnel and leaves over the physical interface.
# - The WireGuard private key is read from a file provided by the `age`
#   secrets module (presumably agenix), not embedded in the store.
{ config, lib, pkgs, ... }:
let
  # Kept as a string because it is interpolated into the iptables commands
  # below; the same value is handed to ListenPort unchanged.
  wgPort = "1194";
  # fwmark stamped on WireGuard's own UDP packets. The policy rule below is
  # inverted on this mark, so everything *except* the tunnel's encapsulated
  # traffic is looked up in the VPN routing table.
  wgMark = 34952;
  # Routing table holding the tunnel's default route.
  vpnTable = 1000;
in
{
  networking = {
    # Host identity and WiFi backend (iwd instead of wpa_supplicant).
    hostName = "panacea";
    hostId = "8feb0bb8";
    wireless.iwd.enable = true;

    # Hand interface configuration to systemd-networkd; per-interface
    # DHCP is requested through the NixOS interface options, which generate
    # the matching "40-<iface>" .network units.
    useDHCP = false;
    useNetworkd = true;
    dhcpcd.enable = false;
    interfaces = {
      enp0s31f6.useDHCP = true;
      wlan0.useDHCP = true;
    };

    firewall = {
      allowedTCPPorts = [
        9090 # Calibre Wireless
      ];
      allowedUDPPorts = [
        54982 # Calibre Wireless
        5353 # mDNS
      ];
      # Exempt WireGuard's UDP port from the NixOS reverse-path-filter chain
      # in both directions. Presumably needed because, with the default route
      # pointing into the tunnel, replies arriving on the physical interface
      # would otherwise fail the rpfilter check — confirm against the
      # WireGuard + networkd setup this was copied from.
      extraCommands = ''
        iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${wgPort} -j RETURN
        iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${wgPort} -j RETURN
      '';
      # Mirror of the insertions above; `|| true` keeps the stop script from
      # failing when a rule is already gone. NOTE(review): each -I adds one
      # rule and each -D removes one, so a restart path that skips the stop
      # commands would leave duplicates — verify the firewall reload path.
      extraStopCommands = ''
        iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${wgPort} -j RETURN || true
        iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${wgPort} -j RETURN || true
      '';
    };
  };

  # Local stub resolver: DNSSEC validation and LLMNR are switched off, mDNS
  # responder/resolver is switched on.
  services.resolved = {
    enable = true;
    dnssec = "false";
    llmnr = "false";
    extraConfig = ''
      MulticastDNS=yes
    '';
  };

  systemd.network = {
    # Do not block boot on any interface reaching "online".
    wait-online.enable = false;

    netdevs."wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        ListenPort = wgPort;
        # Path to the decrypted key at runtime; the key itself never enters
        # the Nix store.
        PrivateKeyFile = config.age.secrets.wireguard.path;
        FirewallMark = wgMark;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
            # IPv4-only catch-all; see the IPv6 note in the file header.
            AllowedIPs = [ "0.0.0.0/0" ];
            Endpoint = "coolneng.duckdns.org:1194";
          };
        }
      ];
    };

    networks = {
      # Lower metric on the wired link so it wins over WiFi when both are up.
      # Match names come from the NixOS-generated "40-<iface>" units.
      "40-enp0s31f6" = {
        dhcpV4Config.RouteMetric = 10;
        networkConfig.MulticastDNS = "yes";
      };
      "40-wlan0" = {
        dhcpV4Config.RouteMetric = 20;
        networkConfig.MulticastDNS = "yes";
      };

      # Static addressing when wlan0 is associated with the home SSID; sorts
      # before the "40-" units so it takes precedence for that case. Both
      # `name` and `matchConfig.Name` pin the unit to wlan0.
      "24-home" = {
        name = "wlan0";
        matchConfig = {
          Name = "wlan0";
          SSID = "WiFi-5.0-CE42";
        };
        address = [ "192.168.13.131/24" ];
        gateway = [ "192.168.13.1" ];
        dns = [ "192.168.13.2" ];
        networkConfig = {
          DNSSEC = "no";
          MulticastDNS = "yes";
        };
      };

      # Tunnel interface. ActivationPolicy=manual means networkd leaves wg0
      # down until it is brought up explicitly; while it is up, DNS for all
      # domains (`~.`) goes to the peer-side resolver and, via the inverted
      # fwmark rule plus table 1000's on-link default route, so does all
      # unmarked IPv4 traffic.
      "wg0" = {
        matchConfig.Name = "wg0";
        linkConfig.ActivationPolicy = "manual";
        networkConfig = {
          Address = "10.8.0.2/32";
          DNS = "10.8.0.1";
          DNSDefaultRoute = true;
          Domains = "~.";
        };
        routingPolicyRules = [
          {
            routingPolicyRuleConfig = {
              FirewallMark = wgMark;
              InvertRule = true;
              Table = vpnTable;
              Priority = 10;
            };
          }
        ];
        routes = [
          {
            routeConfig = {
              Gateway = "10.8.0.1";
              GatewayOnLink = true;
              Table = vpnTable;
            };
          }
        ];
      };
    };
  };
}