nixos-config/modules/network.nix

{ pkgs, lib, config, ... }:
let
  localRanges = [{
    from = 1714;
    to = 1764;
  } # KDE connect
    ];
in {
  networking = {
    networkmanager.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [ 13748 13722 5000 22 80 443 51820 ];
      interfaces.wlan0.allowedTCPPortRanges = localRanges;
      interfaces.wlan0.allowedUDPPortRanges = localRanges;
      interfaces.eth0.allowedUDPPortRanges = localRanges;
      interfaces.eth0.allowedTCPPortRanges = localRanges;
    };
    resolvconf.extraConfig = ''
      local_nameservers=""
      name_server_blacklist="0.0.0.0 127.0.0.1"
      resolv_conf_local_only=NO
    '';
    usePredictableInterfaceNames = false;
    hostName = config.device;
  };
  networking.firewall.trustedInterfaces = [ "eth0" ];
  systemd.services.ModemManager.wantedBy =
    lib.optional (config.device == "T490s-Laptop") "network.target";

  secrets.wireguard-serokell = { };

  networking.wireguard.interfaces.serokell = {
    listenPort = 51820;
    ips = [
      "172.20.0.52/32"
      # "fd73:7272:ed50::52/128"
    ];
    privateKeyFile = config.secrets.wireguard-serokell.decrypted;
    peers = [{
      allowedIPs = [
        "0.0.0.0/0"
        # "::/0"
      ];
      # endpoint = "serokell.net:35944";
      endpoint = "147.75.100.17:35944";
      publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
      persistentKeepalive = 24;
    }];
  };

  # restart when the service fails to resolve DNS
  systemd.services.wireguard-serokell.serviceConfig = {
    Restart = "on-failure";
    RestartSec = "30s";
  };
}
Firewall 2020-05-12 16:06:45 +04:00			`{ pkgs, lib, config, ... }:`
			`let`
Add wireguard 2021-03-16 22:34:46 +04:00			`localRanges = [{`
			`from = 1714;`
			`to = 1764;`
			`} # KDE connect`
			`];`
Firewall 2020-05-12 16:06:45 +04:00			`in {`
Update passwords 2020-02-17 17:00:59 +04:00			`networking = {`
			`networkmanager.enable = true;`
			`firewall = {`
			`enable = true;`
Add wireguard 2021-03-16 22:34:46 +04:00			`allowedTCPPorts = [ 13748 13722 5000 22 80 443 51820 ];`
Firewall 2020-05-12 16:06:45 +04:00			`interfaces.wlan0.allowedTCPPortRanges = localRanges;`
			`interfaces.wlan0.allowedUDPPortRanges = localRanges;`
			`interfaces.eth0.allowedUDPPortRanges = localRanges;`
			`interfaces.eth0.allowedTCPPortRanges = localRanges;`
Update passwords 2020-02-17 17:00:59 +04:00			`};`
			`resolvconf.extraConfig = ''`
			`local_nameservers=""`
			`name_server_blacklist="0.0.0.0 127.0.0.1"`
			`resolv_conf_local_only=NO`
			`'';`
			`usePredictableInterfaceNames = false;`
			`hostName = config.device;`
			`};`
Mass refactor 2021-01-21 22:13:53 +04:00			`networking.firewall.trustedInterfaces = [ "eth0" ];`
Update passwords 2020-02-17 17:00:59 +04:00			`systemd.services.ModemManager.wantedBy =`
The great purge 2020-05-20 19:41:56 +04:00			`lib.optional (config.device == "T490s-Laptop") "network.target";`
Add wireguard 2021-03-16 22:34:46 +04:00
			`secrets.wireguard-serokell = { };`

			`networking.wireguard.interfaces.serokell = {`
			`listenPort = 51820;`
			`ips = [`
			`"172.20.0.52/32"`
			`# "fd73:7272:ed50::52/128"`
			`];`
			`privateKeyFile = config.secrets.wireguard-serokell.decrypted;`
			`peers = [{`
			`allowedIPs = [`
			`"0.0.0.0/0"`
			`# "::/0"`
			`];`
			`# endpoint = "serokell.net:35944";`
			`endpoint = "147.75.100.17:35944";`
			`publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";`
			`persistentKeepalive = 24;`
			`}];`
			`};`

			`# restart when the service fails to resolve DNS`
			`systemd.services.wireguard-serokell.serviceConfig = {`
			`Restart = "on-failure";`
			`RestartSec = "30s";`
			`};`
Update passwords 2020-02-17 17:00:59 +04:00			`}`