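{ config, pkgs, lib, ... }:

# NixOS host configuration for "zion": static LAN address, mDNS, DuckDNS
# updater, WireGuard server with NAT, and a local dnsmasq resolver with a
# blocklist. Security-relevant changes vs. the previous version:
#   * the DuckDNS token is no longer read with builtins.readFile at
#     evaluation time (which copied it into the world-readable /nix/store);
#   * the hand-written MASQUERADE rule in firewall.extraCommands was removed,
#     because networking.nat already installs the same rule and the manual
#     `iptables -A` accumulated duplicates on every firewall reload;
#   * dnsmasq rejects upstream answers that point at private ranges
#     (stop-dns-rebind).
{
  # Static IPv4 addressing on the LAN interface
  networking = {
    hostName = "zion";
    hostId = "33dc5014";
    interfaces.eth0 = {
      useDHCP = false;
      ipv4.addresses = [{
        address = "192.168.13.2";
        prefixLength = 24;
      }];
    };
    defaultGateway = {
      address = "192.168.13.1";
      interface = "eth0";
    };
    # Upstream resolvers; dnsmasq below forwards to this same list
    nameservers = [ "195.10.195.195" "165.22.224.164" ];
    enableIPv6 = false;
  };

  # Zeroconf / mDNS
  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
      domain = true;
      workstation = true;
    };
    # NOTE(review): reflector relays mDNS between every interface avahi sees,
    # which here includes eth0 and wg0, so LAN service announcements reach VPN
    # peers and vice versa. Restrict with services.avahi.interfaces if that is
    # not intended.
    reflector = true;
  };

  # Dynamic DNS (DuckDNS; the "password" is the DuckDNS token)
  services.ddclient = {
    enable = true;
    quiet = true;
    protocol = "duckdns";
    domains = [ "coolneng.duckdns.org" ];
    # The token is read by the service at start-up, not by the Nix evaluator.
    # The previous `password = builtins.readFile /var/keys/ddclient` embedded
    # the secret in the system closure under /nix/store, readable by every
    # local user and retained in old generations. Keep /var/keys/ddclient
    # root-owned, mode 0600.
    # NOTE(review): passwordFile needs a NixOS release that provides
    # services.ddclient.passwordFile; on an older channel use
    # services.ddclient.configFile pointing at a config outside the store.
    passwordFile = "/var/keys/ddclient";
  };

  # Firewall. allowed*Ports apply to every interface, including eth0.
  # Port 53 is open so LAN and VPN clients can reach dnsmasq; make sure the
  # router does not forward TCP/UDP 53 to this host, or it becomes an open
  # resolver on the Internet.
  networking.firewall = {
    allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
      53 # DNS (dnsmasq below)
      8448 # Matrix federation
    ];
    allowedUDPPorts = [
      1194 # WireGuard (wg0 listenPort below)
      53 # DNS (dnsmasq below)
    ];
    # No extraCommands: the former
    #   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    # duplicated what networking.nat installs for wg0 -> eth0, and with no
    # matching extraStopCommands it was re-appended on each firewall reload.
  };

  # Masquerade VPN traffic (wg0) out of the LAN interface
  networking.nat = {
    enable = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  # WireGuard server; peers are identified by public key and pinned to one
  # /32 each, so a peer cannot claim another peer's VPN address.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.8.0.1/24" ];
    listenPort = 1194;
    # NOTE(review): the private key lives under a user's home directory, so
    # its confidentiality is tied to that account's security and to the
    # directory's permissions. A root-owned, mode 0600 file outside /home
    # (e.g. /var/keys/wg0) would be preferable; the path is kept as-is here.
    privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
    peers = [
      # panacea
      {
        publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
        allowedIPs = [ "10.8.0.2/32" ];
      }
      # caravanserai
      {
        publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
        allowedIPs = [ "10.8.0.3/32" ];
      }
    ];
  };

  # Local caching resolver with an ad blocklist, serving this host (lo),
  # the LAN (eth0) and the VPN (wg0). bind-interfaces + listen-address keep
  # it off any other address.
  services.dnsmasq = {
    enable = true;
    servers = config.networking.nameservers;
    extraConfig = ''
      domain-needed
      bogus-priv
      no-resolv
      # Drop upstream answers that resolve to private address ranges; this
      # blocks DNS-rebinding attacks against browsers on the LAN/VPN. Locally
      # defined address= entries (below) are answered by dnsmasq itself and
      # are not subject to this check.
      stop-dns-rebind
      listen-address=127.0.0.1,192.168.13.2,10.8.0.1
      bind-interfaces
      cache-size=10000
      local-ttl=300
      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
      # Split horizon: from inside, the public name resolves to the LAN address
      address=/coolneng.duckdns.org/192.168.13.2
    '';
  };
}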