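# NixOS host module: zeroconf (avahi), dynamic DNS (ddclient), firewall/NAT,
# a WireGuard hub for two peers, and a dnsmasq resolver with a blocklist
# that serves the LAN and the VPN subnet.
{ config, pkgs, lib, ... }:

{
  environment.systemPackages = with pkgs; [ mbuffer ];

  # Enable zeroconf
  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
      domain = true;
      workstation = true;
    };
    # Reflector repeats mDNS traffic between every interface avahi listens
    # on; together with the broad `publish` set above, this host and its
    # services are announced on all of them.
    reflector = true;
  };

  # Dynamic DNS configuration
  services.ddclient = {
    enable = true;
    quiet = true;
    protocol = "duckdns";
    domains = [ "coolneng.duckdns.org" ];
    # Give ddclient the path and let the service read the token at runtime.
    # The previous `builtins.readFile` pulled the token into the evaluated
    # configuration, so the rendered ddclient.conf carrying the secret ended
    # up in the world-readable /nix/store (and made evaluation impure).
    passwordFile = "/var/lib/ddclient/token";
  };

  # Firewall configuration
  networking.firewall = {
    # NOTE(review): these ports are opened on every interface, eth0 included.
    # If DNS/CUPS/SANE are only meant for LAN and VPN clients, the per-
    # interface form `networking.firewall.interfaces.<iface>.allowedTCPPorts`
    # narrows the exposure without touching the other services.
    allowedTCPPorts = [
      631  # Cups
      6566 # SANE
      80   # HTTP
      443  # HTTPS
      53   # DNS
    ];
    allowedUDPPorts = [
      1194 # Wireguard
      53   # DNS
    ];
    autoLoadConntrackHelpers = true;
    connectionTrackingModules = [ "sane" ];
    # Masquerade VPN clients (10.8.0.0/24) leaving via eth0. `networking.nat`
    # below already masquerades traffic that entered on wg0, so this rule
    # overlaps with it; it is kept because it also matches on source address.
    # NOTE(review): it is appended straight to POSTROUTING rather than a
    # nixos-managed chain, so it may be duplicated on firewall reload unless
    # `extraStopCommands` removes it — TODO confirm on the host.
    extraCommands = ''
      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    '';
  };

  # Disable IPv6
  networking.enableIPv6 = false;

  # Enable NAT for wireguard
  networking.nat = {
    enable = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  # Wireguard setup
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.8.0.1/24" ];
      listenPort = 1194;
      # Read by the wireguard service at interface start. NOTE(review): a
      # private key under a user's home directory is only as protected as
      # that account; a root-owned, mode 0600 location (e.g. under /etc or
      # /var/lib) is the usual choice — TODO confirm with the host's secret
      # handling before moving it.
      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
      # Each peer is pinned to a single /32 inside the VPN subnet, so a peer
      # cannot source traffic as another peer or as the hub.
      peers = [
        # panacea
        {
          publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
          allowedIPs = [ "10.8.0.2/32" ];
        }
        # caravanserai
        {
          publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
          allowedIPs = [ "10.8.0.3/32" ];
        }
      ];
    };
  };

  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
    # Upstream resolvers; `no-resolv` below keeps dnsmasq from also using
    # /etc/resolv.conf, so these are the only forwarders.
    servers = [ "198.100.148.224" "94.16.114.254" ];
    # listen-address + bind-interfaces limit the listener to loopback, the
    # LAN address and the WireGuard hub address. conf-file presumably holds
    # the ad-block entries; the final `address=` line answers the public
    # DDNS name with the LAN address for internal clients (split horizon).
    extraConfig = ''
      domain-needed
      bogus-priv
      no-resolv
      listen-address=127.0.0.1,192.168.1.2,10.8.0.1
      bind-interfaces
      cache-size=10000
      local-ttl=300
      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
      address=/coolneng.duckdns.org/192.168.1.2
    '';
  };
}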