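# NixOS host module for "darkstar".
#
# Role (as far as this file shows): a small router/firewall with ZFS root,
# NAT between the vlan201 uplink and the enp116s0 LAN, sops-managed secrets,
# and an extra nftables unit that whitelists SIP from the "anveo" address set
# and loads secret-held forward/ssh rule files.
{ config, inputs, outputs, pkgs, ... }: {
  boot = {
    initrd.kernelModules = [ "zfs" ];
    # Packet forwarding is what makes the NAT/router role below work.
    kernel.sysctl = { "net.ipv4.ip_forward" = true; };
    kernelPackages = pkgs.linuxPackages_6_10;
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/efiboot/efi1";
      };
      systemd-boot = {
        enable = true;
        # Mirror the primary ESP onto the second one after every install so
        # the system stays bootable from either (presumably a mirrored disk
        # layout; the disk layout itself lives in hardware-configuration.nix).
        extraInstallCommands = ''
          ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2
        '';
      };
      timeout = 3;
    };
    supportedFilesystems = [ "zfs" ];
  };

  #environment.systemPackages = with pkgs; [
  #  wpa_supplicant
  #  somethingelse
  #];

  imports = [
    ./hardware-configuration.nix
    ./services.nix
    ../common/core
    ../common/optional/services/asterisk.nix
    ../common/optional/services/chrony.nix
    ../common/optional/services/kea.nix
    ../common/optional/services/nsd.nix
    ../common/optional/services/openssh.nix
    ../common/optional/zfs.nix
    ../common/users/nipsy
    ../common/users/root
  ];

  networking = {
    hostId = "f9ca5efe";
    hostName = "darkstar";
    #defaultGateway = "192.168.1.1";
    domain = "bitgnome.net";
    interfaces = {
      # LAN side: static address, this host is the gateway/DNS for the LAN.
      enp116s0 = {
        ipv4.addresses = [
          { address = "192.168.1.1"; prefixLength = 24; }
        ];
      };
      # WAN side: tagged VLAN on enp117s0, addressed by the upstream's DHCP.
      vlan201 = {
        useDHCP = true;
      };
    };
    nameservers = [ "192.168.1.1" ];
    nat = {
      enable = true;
      #enableIPv6 = true;
      externalInterface = "vlan201";
      internalInterfaces = [ "enp116s0" ];
    };
    # nftables backend: the "inet nixos-fw" table referenced by the
    # nftables-extra unit below is the one the NixOS firewall creates.
    nftables.enable = true;
    useDHCP = false;
    vlans = {
      vlan201 = { id = 201; interface = "enp117s0"; };
    };
    #wireless.iwd = {
    #  enable = true;
    #  settings = {
    #    IPv6 = {
    #      Enabled = true;
    #    };
    #    Settings = {
    #      AutoConnect = true;
    #    };
    #  };
    #};
  };

  nixpkgs = {
    config.allowUnfree = true;
    hostPlatform = "x86_64-linux";
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.master-packages
      outputs.overlays.stable-packages
    ];
  };

  sops = {
    # Secrets are decrypted with the host's SSH key (age-converted), so they
    # are only readable on this machine.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = ../secrets/darkstar.yaml;
    secrets = {
      "kea-dhcp4_conf" = {};
      # Raw nft rule files loaded by the nftables-extra unit below.
      "nftables/forward" = {};
      "nftables/ssh" = {};
      "nix-access-token-github" = {};
    };
  };

  # this is to workaround the WAN interface not always coming up after certain rebuilds:
  # https://github.com/NixOS/nixpkgs/issues/198267 and https://github.com/NixOS/nixpkgs/issues/195777
  system.activationScripts = {
    restart-udev = ''
      ${pkgs.systemd}/bin/systemctl restart systemd-udev-trigger.service
    '';
  };

  system.stateVersion = "23.11";

  # Extra firewall rules that cannot be expressed through the stock firewall
  # options: a SIP conntrack helper plus a whitelist of upstream SIP servers,
  # and two rule files that are kept as sops secrets. The same script serves
  # as both start and reload, so it first tears down whatever it created on a
  # previous run (rules mentioning @anveo, the set, the ct helper).
  systemd.services."nftables-extra" = let
    rules_script = ''
      # Remove every rule in the input chain that references the anveo set
      # (by handle), then the set itself and the SIP helper, if present.
      ${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ''${handle}; done
      if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi
      if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi
      # Recreate the helper and the whitelist of upstream SIP addresses.
      ${pkgs.nftables}/bin/nft add ct helper inet nixos-fw sip-5060 '{type "sip" protocol udp;}'
      ${pkgs.nftables}/bin/nft add set inet nixos-fw anveo '{type ipv4_addr; elements={ 72.9.149.25, 169.48.232.158, 176.9.39.206, 204.216.109.55 };}'
      # "nft insert rule" prepends to the chain, so the LAST insert ends up
      # first. Insert the accept rule first and the helper assignment second
      # so the chain reads: ct helper set -> accept. Inserting them the other
      # way round puts the terminating accept ahead of the helper rule and the
      # SIP helper is never attached to the connection.
      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo accept'
      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo ct helper set "sip-5060"'
      # Secret-held rule files (contents not visible in this module).
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
    '';
  in {
    description = "nftables extra firewall rules";
    reload = rules_script;
    script = rules_script;
    serviceConfig = {
      RemainAfterExit = true;
      Type = "oneshot";
    };
    unitConfig = {
      # Never run without the secret rule files: a missing -f target would
      # leave the firewall half-configured.
      ConditionPathExists = [
        config.sops.secrets."nftables/forward".path
        config.sops.secrets."nftables/ssh".path
      ];
      # Re-apply our additions whenever the base firewall reloads, since a
      # reload of nftables.service replaces the nixos-fw table we hook into.
      ReloadPropagatedFrom = "nftables.service";
    };
    wantedBy = [ "multi-user.target" ];
    after = [ "nftables.service" ];
    partOf = [ "nftables.service" ];
  };

  # Path unit that starts nftables-extra once the secret rule files exist
  # (sops may place them after the service would otherwise have been
  # skipped by its ConditionPathExists).
  systemd.paths."nftables-extra" = {
    pathConfig = {
      PathExists = [
        config.sops.secrets."nftables/forward".path
        config.sops.secrets."nftables/ssh".path
      ];
    };
    wantedBy = [ "multi-user.target" ];
  };
}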