{ config, pkgs, lib, ... }:
{
# Assign a static IP
networking = {
hostName = "zion";
hostId = "4e74ea68";
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.1.2";
prefixLength = 24;
}];
};
defaultGateway = {
address = "192.168.1.1";
interface = "eth0";
};
nameservers = [ "195.10.195.195" "165.22.224.164" ];
enableIPv6 = false;
};
# Enable zeroconf
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
domain = true;
workstation = true;
};
reflector = true;
};
# Dynamic DNS configuration
services.ddclient = {
enable = true;
quiet = true;
protocol = "duckdns";
domains = [ "coolneng.duckdns.org" ];
passwordFile = "/var/keys/ddclient";
};
# Firewall configuration
networking.firewall = {
allowedTCPPorts = [
80 # HTTP
443 # HTTPS
53 # DNS
8448 # Matrix
];
allowedUDPPorts = [
1194 # Wireguard
53 # DNS
];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
'';
};
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Wireguard setup
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.8.0.1/24" ];
listenPort = 1194;
privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
peers = [
# panacea
{
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
allowedIPs = [ "10.8.0.2/32" ];
}
# caravanserai
{
publicKey = "eFykHmnMALRUluApRfSM32Xw80kTNo7yUsxs47URkX4=";
allowedIPs = [ "10.8.0.3/32" ];
}
];
};
};
# DNS server with ad-block
services.dnsmasq = {
enable = true;
servers = config.networking.nameservers;
extraConfig = ''
domain-needed
bogus-priv
no-resolv
listen-address=127.0.0.1,192.168.1.2,10.8.0.1
bind-interfaces
cache-size=10000
local-ttl=300
conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
address=/coolneng.duckdns.org/192.168.1.2
'';
};
}