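# NixOS network stack for the host "zion": static LAN address, mDNS/zeroconf,
# dynamic DNS, firewall + NAT, a WireGuard hub and a filtering dnsmasq resolver.
{ config, pkgs, lib, ... }:

let
  # Single source of truth for the WireGuard UDP port. It is referenced by both
  # the firewall rule and the interface definition so the two cannot drift apart.
  wireguard_port = 443;
in
{
  # Assign a static IP
  networking = {
    hostName = "zion";
    hostId = "4e74ea68";
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
        address = "192.168.13.2";
        prefixLength = 24;
      }];
    };
    defaultGateway = {
      address = "192.168.13.1";
      interface = "eth0";
    };
    # Upstream resolvers. dnsmasq below forwards to this same list
    # (services.dnsmasq.servers = config.networking.nameservers).
    nameservers = [ "51.158.108.203" "195.10.195.195" ];
    enableIPv6 = false;
  };

  # Enable zeroconf
  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
      domain = true;
      workstation = true;
    };
    # Reflects mDNS between every interface avahi sees; nothing here limits it
    # to eth0, so it presumably also covers wg0 — confirm that is intended.
    reflector = true;
  };

  # Dynamic DNS configuration
  services.ddclient = {
    enable = true;
    quiet = true;
    protocol = "duckdns";
    domains = [ "coolneng.duckdns.org" ];
    # The DuckDNS token comes from an agenix secret so it never lands in the
    # world-readable Nix store.
    passwordFile = config.age.secrets.ddclient.path;
  };

  # Firewall configuration
  networking.firewall = {
    # These port lists apply to every interface, wg0 included.
    allowedTCPPorts = [
      80   # HTTP
      443  # HTTPS
      53   # DNS
      8448 # Matrix
    ];
    allowedUDPPorts = [
      wireguard_port # Wireguard
      # Port 53 is reachable from anywhere the host is; dnsmasq only binds the
      # LAN/VPN addresses (listen-address below) but does not restrict who may
      # query them, so this must not be exposed beyond the LAN and the VPN.
      53             # DNS
    ];
    extraCommands = ''
      # Masquerade VPN traffic leaving via eth0. networking.nat below already
      # handles wg0, so this is a belt-and-braces duplicate. The -C probe keeps
      # repeated runs of this script (firewall reloads) from appending the same
      # rule again each time, since the nat POSTROUTING chain is not flushed here.
      iptables -w -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null \
        || iptables -w -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    '';
  };

  # Enable NAT for wireguard
  networking.nat = {
    enable = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  # Wireguard setup
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.8.0.1/24" ];
      listenPort = wireguard_port;
      # Private key is an agenix secret; only the peers' public keys live here.
      privateKeyFile = config.age.secrets.wireguard.path;
      # Each peer is pinned to a single /32 so a peer cannot source traffic as
      # another VPN address.
      peers = [
        # panacea
        {
          publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
          allowedIPs = [ "10.8.0.2/32" ];
        }
        # caravanserai
        {
          publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
          allowedIPs = [ "10.8.0.3/32" ];
        }
      ];
    };
  };

  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
    servers = config.networking.nameservers;
    # - no-resolv: ignore /etc/resolv.conf, forward only to `servers` above.
    # - bind-interfaces + listen-address: answer on loopback, the LAN address
    #   and the WireGuard address only.
    # - conf-file: the blocklist must be provisioned separately; dnsmasq treats
    #   an unreadable conf-file as fatal, so it has to exist before first start.
    # - address=/coolneng.duckdns.org/...: split-horizon — LAN/VPN clients
    #   resolve the public name straight to the LAN address.
    extraConfig = ''
      domain-needed
      bogus-priv
      no-resolv
      listen-address=127.0.0.1,192.168.13.2,10.8.0.1
      bind-interfaces
      cache-size=10000
      local-ttl=300
      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
      address=/coolneng.duckdns.org/192.168.13.2
    '';
  };
}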