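{ config, pkgs, inputs, ... }:
{
  # Router role: this host forwards between the internal segments
  # (ethlan, wlan, wglan, docker0) and NATs them out through "wan".
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;

    firewall = {
      filterForward = true;

      # Host-wide openings: only the WireGuard listener, which has to be
      # reachable from "wan".
      allowedUDPPorts = [ 51829 ];

      # DNS (dnsmasq) and DHCP serve the internal segments only, so they are
      # opened per interface instead of host-wide: a host-wide rule would also
      # accept them on "wan" (dnsmasq's except-interface = "wan" below then
      # remains a second line of defence rather than the only one). If the
      # VLAN interfaces (wlan-staff / wlan-guest) are re-enabled they need an
      # entry here as well.
      interfaces =
        let
          dns = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };
          dnsDhcp = dns // { allowedUDPPorts = [ 53 67 ]; };
        in
        {
          ethlan = dnsDhcp;
          wlan = dnsDhcp;
          wglan = dns;
          docker0 = dns;
        };

      # Full mesh between the internal segments.
      # NOTE(review): the guest segment is allowed into ethlan, wlan-staff and
      # wglan here, i.e. guests get the same reach as staff. If the guest
      # network is meant to be isolated, drop the three rules whose iifname is
      # "wlan-guest". The VLANs are commented out further down, so these rules
      # are inert until they are re-enabled.
      extraForwardRules = ''
        iifname "ethlan" oifname "wlan-staff" accept
        iifname "ethlan" oifname "wlan-guest" accept
        iifname "ethlan" oifname "wglan" accept
        iifname "wlan-staff" oifname "ethlan" accept
        iifname "wlan-staff" oifname "wlan-guest" accept
        iifname "wlan-staff" oifname "wglan" accept
        iifname "wlan-guest" oifname "ethlan" accept
        iifname "wlan-guest" oifname "wlan-staff" accept
        iifname "wlan-guest" oifname "wglan" accept
        iifname "wglan" oifname "ethlan" accept
        iifname "wglan" oifname "wlan-staff" accept
        iifname "wglan" oifname "wlan-guest" accept
      '';
    };

    nat = {
      enable = true;
      externalInterface = "wan";
      internalInterfaces = [ "ethlan" "wlan" "docker0" "wglan" ];
      # HTTP/HTTPS arriving on "wan" is handed to mimer (10.69.0.3).
      forwardPorts = [
        { sourcePort = 80; destination = "10.69.0.3:80"; }
        { sourcePort = 443; destination = "10.69.0.3:443"; }
      ];
    };

    # The host itself resolves through its own dnsmasq.
    nameservers = [ "127.0.0.1" ];
    useDHCP = false;
  };

  systemd.network = {
    enable = true;

    links."10-wan" = {
      matchConfig.Path = "pci-0000:08:00.0";
      linkConfig.Name = "wan";
    };
    networks."10-wan" = {
      matchConfig.Name = "wan";
      networkConfig = {
        DHCP = "ipv4";
        IPv6AcceptRA = true; # I don't get ipv6 from telenor but who knows, maybe in the future?
      };
      linkConfig.RequiredForOnline = "routable";
    };

    links."10-ethlan" = {
      matchConfig.Path = "pci-0000:05:00.0-usb-0:2:1.0";
      linkConfig.Name = "ethlan";
    };
    networks."10-ethlan" = {
      matchConfig.Name = "ethlan";
      networkConfig.Address = "10.69.0.1/24";
      linkConfig.RequiredForOnline = "routable";
    };

    links."10-wlan" = {
      matchConfig.Path = "pci-0000:09:00.0";
      linkConfig.Name = "wlan";
    };
    networks."20-wlan" = {
      matchConfig.Name = "wlan";
      # vlan = [ "wlan-staff" "wlan-guest" ];
      networkConfig.Address = "10.69.1.1/24";
      networkConfig.LinkLocalAddressing = "no";
      linkConfig.RequiredForOnline = "routable";
    };

    netdevs."20-wglan" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wglan";
      };
      wireguardConfig = {
        ListenPort = 51829;
        PrivateKeyFile = config.age.secrets."wg-key.txt".path;
        RouteTable = "main";
      };
      wireguardPeers = [
        {
          # sleipner
          PublicKey = "FqwkR+gKe/0JfFn3oXyyNDK8qh3LGMQw/t1pvGEHTBk=";
          AllowedIPs = [ "10.69.3.2" ];
        }
      ];
    };
    networks."20-wglan" = {
      matchConfig.Name = "wglan";
      networkConfig = {
        Address = "10.69.3.1/24";
        IPv4Forwarding = true;
      };
    };

    # netdevs."10-vlan-staff" = {
    #   netdevConfig = {
    #     Kind = "vlan";
    #     Name = "wlan-staff";
    #   };
    #   vlanConfig.Id = 10;
    # };
    # networks."30-vlan-staff" = {
    #   matchConfig.Name = "wlan-staff";
    #   networkConfig.Address = "10.69.1.1/24";
    #   linkConfig.RequiredForOnline = "routable";
    # };
    # netdevs."10-vlan-guest" = {
    #   netdevConfig = {
    #     Kind = "vlan";
    #     Name = "wlan-guest";
    #   };
    #   vlanConfig.Id = 20;
    # };
    # networks."30-vlan-guest" = {
    #   matchConfig.Name = "wlan-guest";
    #   networkConfig.Address = "10.69.2.1/24";
    #   linkConfig.RequiredForOnline = "routable";
    # };
  };

  services.resolved.enable = false;

  # Dynamic DNS: whenever "wan" becomes routable, push its first address to
  # the A record of 0m.nu at Hetzner. All output is appended to logPath.
  services.networkd-dispatcher =
    let
      # NOTE(review): this hook runs as root but appends into a user's home
      # directory; a path under /var/log or /var/lib would keep the privileged
      # writer out of user-writable space.
      logPath = "/home/mathias/networkd-dispatcher-run";
    in
    {
      enable = true;
      rules."ddns" = {
        onState = [ "routable" ];
        script = ''
          #!/bin/sh
          # Only act on "wan" reaching "routable"; the hook fires for other
          # interfaces too. POSIX tests instead of [[ ]] so the script does
          # not depend on /bin/sh being bash.
          if [ "$IFACE" != "wan" ] || [ "$STATE" != "routable" ]; then
            exit 0
          fi
          {
            echo
            printf "%s: %s\n" "$(date)" "$ADDR"
            # The token is placed in the environment of the single hcloud
            # invocation only, so it never appears on a command line.
            # Only the first word of ADDR is sent, in case it holds more than
            # one address.
            HCLOUD_TOKEN="$(cat "${config.age.secrets."hcloud-token.txt".path}")" \
              ${inputs.unstable.legacyPackages.${pkgs.system}.hcloud}/bin/hcloud \
              zone rrset set-records 0m.nu @ A --record "''${ADDR%% *}" 2>&1
          } >> "${logPath}"
          exit 0
        '';
      };
    };

  services.hostapd = {
    enable = true;
    radios.wlan = {
      countryCode = "SE";
      band = "2g";
      channel = 11;
      networks.wlan = {
        ssid = "Heidrun";
        authentication = {
          mode = "wpa3-sae";
          saePasswords = [
            { passwordFile = config.age.secrets."wifi-password-staff.txt".path; } # ; vlanid = 10; }
            # { passwordFile = config.age.secrets."wifi-password-guest.txt".path; vlanid = 20; }
          ];
        };
      };
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
      domain = "m";
      local = "/m/";
      server = [ "1.1.1.1" "1.0.0.1" ];
      # Never answer on the upstream side.
      except-interface = "wan";
      # NOTE(review): the ranges and options below are keyed on "wlan-staff"
      # and "wlan-guest", but those VLAN interfaces are commented out above and
      # the radio is plain "wlan" at 10.69.1.1/24; confirm wifi clients still
      # receive leases from the 10.69.1.x range.
      dhcp-range = [
        "ethlan,10.69.0.50,10.69.0.254,255.255.255.0,1h"
        "wlan-staff,10.69.1.2,10.69.1.254,255.255.255.0,1h"
        "wlan-guest,10.69.2.2,10.69.2.254,255.255.255.0,1h"
      ];
      dhcp-option = [
        "ethlan,option:router,10.69.0.1"
        "ethlan,option:dns-server,10.69.0.1"
        "wlan-staff,option:router,10.69.1.1"
        "wlan-staff,option:dns-server,10.69.1.1"
        "wlan-guest,option:router,10.69.2.1"
        "wlan-guest,option:dns-server,10.69.2.1"
      ];
      dhcp-authoritative = true;
      no-hosts = true;
      dhcp-host = "mimer,10.69.0.3";
      address = [
        "/oden.m/10.69.0.1"
        "/mimer.m/10.69.0.3"
      ];
    };
  };

  oden.persist.directories = [ "/var/lib/dnsmasq" ];

  age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
  age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
  age.secrets."hcloud-token.txt".file = ./secrets/hcloud-token.txt.age;
  # NOTE(review): unlike the other secrets this file carries no ".age" suffix;
  # confirm ./secrets/wg-key.txt is the age-encrypted key and not the plain one.
  age.secrets."wg-key.txt" = {
    file = ./secrets/wg-key.txt;
    mode = "640";
    owner = "systemd-network";
    group = "systemd-network";
  };
}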