jim router.nix
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, ... }:
{
# Pull in the generated hardware scan (filesystems, kernel modules, firmware).
imports = [ ./hardware-configuration.nix ];
# Bootloader: the boot loader is allowed to write EFI variables.
boot.loader.efi.canTouchEfiVariables = true;

# Router duty: enable packet forwarding for both address families.
# Forwarding alone exposes nothing; the nftables forward chain (policy drop)
# further down decides which traffic may actually cross interfaces.
boot.kernel.sysctl = {
  "net.ipv4.conf.all.forwarding" = true;
  "net.ipv6.conf.all.forwarding" = true;
};
# --- MQTT broker -------------------------------------------------------------
# Single listener with password checking omitted and anonymous clients allowed;
# the ACL gives every client read/write on every topic ("pattern readwrite #").
# No `address` is set, so the listener presumably binds all interfaces and the
# nftables input chain (lo, br-lan, wg0 accepted; ppp0 dropped) is the only
# thing limiting who can publish. Any host on the LAN or VPN can therefore
# inject messages that Home Assistant and zigbee2mqtt act on - keep that
# network trusted, or add per-client users/ACLs here.
services.mosquitto = {
  enable = true;
  listeners = [
    {
      acl = [ "pattern readwrite #" ];
      omitPasswordAuth = true;
      settings.allow_anonymous = true;
    }
  ];
};

# --- Zigbee bridge -----------------------------------------------------------
# The web frontend listens on every interface (0.0.0.0:8080) and no
# frontend.auth_token is configured, so anyone reaching it from the LAN/VPN can
# pair, remove and control Zigbee devices. NOTE(review): consider binding host
# to the LAN address or setting frontend.auth_token - verify against the
# zigbee2mqtt docs for this version.
services.zigbee2mqtt = {
  enable = true;
  settings = {
    homeassistant = true;
    serial.port = "/dev/ttyACM0";
    frontend = {
      port = 8080;
      host = "0.0.0.0";
    };
  };
};

# --- BitTorrent daemon -------------------------------------------------------
# Runs as the login user, presumably so downloads land inside /home/henk.
# RPC is bound to the LAN address and restricted to LAN clients.
services.transmission = {
  enable = true;
  user = "henk";
  settings = {
    download-dir = "/home/henk/olddisk/Downloads/";
    incomplete-dir = "/home/henk/olddisk/incomplete-download/";
    incomplete-dir-enabled = true;
    rpc-bind-address = "192.168.1.1";
    rpc-whitelist = "192.168.1.*";
  };
};

# --- Media server ------------------------------------------------------------
services.jellyfin = {
  enable = true;
  user = "henk";
};

# --- DNS filtering -----------------------------------------------------------
# Settings are editable from the AdGuard Home UI and persisted outside Nix.
services.adguardhome = {
  enable = true;
  mutableSettings = true;
};

# --- PPPoE uplink ------------------------------------------------------------
# NOTE(review): the `password` line is part of the peer file that the module
# presumably builds into the Nix store, which is world-readable on the host,
# so the ISP credential would be visible to every local user and service.
# pppd can look the secret up in /etc/ppp/pap-secrets (keyed on the `name`
# below) kept outside the store - confirm the pppd unit can read that path
# before switching.
services.pppd = {
  enable = true;
  peers.kpn = {
    autostart = true;
    enable = true;
    config = ''
      plugin pppoe.so wan
      name "kpn"
      password "password"
      persist
      holdoff 5
      noipdefault
      defaultroute
    '';
  };
};

# --- SSH ---------------------------------------------------------------------
# Module defaults (password logins allowed); reachable from LAN and wg0 only
# because the nftables input chain drops ppp0. NOTE(review): prefer key-only
# access via settings.PasswordAuthentication = false once authorized keys exist.
services.openssh.enable = true;

# systemd-resolved is off; DNS on this host is presumably served by AdGuard
# Home instead (networking.nameservers points at 127.0.0.1).
services.resolved.enable = false;
# Podman-managed containers. Home Assistant runs with --network=host, so it
# shares the router's network namespace and listens on every interface; the
# nftables input chain (ppp0 dropped) is what keeps it off the WAN side.
virtualisation.oci-containers = {
  backend = "podman";
  containers.homeassistant = {
    image = "ghcr.io/home-assistant/home-assistant:2024.7.3"; # pinned tag, not :latest
    volumes = [ "/home/henk/hass:/config" ];
    environment.TZ = "Europe/Amsterdam";
    extraOptions = [ "--network=host" ];
  };
  # ESPHome container left disabled: it caused shutdown to hang.
  #containers.esphome = {
  #  volumes = [ "/home/henk/esphome:/config" ];
  #  image = "ghcr.io/esphome/esphome:2024.7.0";
  #  extraOptions = [ "--network=host" ];
  #  autoStart = false;
  #};
};
# Interface layout, managed by systemd-networkd:
#   enp90s0 ─ VLAN 6 "wan" ─ (pppd runs PPPoE on top of it)
#   enp87s0 ─ bridge "br-lan" ─ 192.168.1.1/24 + DHCP server
systemd.network = {
  enable = true;

  # Tagged WAN VLAN on top of the uplink NIC.
  netdevs."20-wan" = {
    netdevConfig = {
      Kind = "vlan";
      Name = "wan";
      MTUBytes = "1510"; # presumably to fit a full 1500-byte PPPoE payload - confirm with the ISP
    };
    vlanConfig.Id = 6;
  };
  # LAN bridge.
  netdevs."20-br-lan".netdevConfig = {
    Kind = "bridge";
    Name = "br-lan";
  };

  # Physical uplink carries the "wan" VLAN and is kept up unconditionally.
  networks."30-enp90s0" = {
    name = "enp90s0";
    vlan = [ "wan" ];
    linkConfig.ActivationPolicy = "always-up";
  };
  networks."40-wan" = {
    name = "wan";
    linkConfig.ActivationPolicy = "always-up";
  };
  # Second NIC is a bridge port.
  networks."30-enp87s0" = {
    name = "enp87s0";
    networkConfig.Bridge = "br-lan";
  };
  # LAN side: static address and the built-in DHCP server, which advertises
  # this host as the resolver. The server is attached to br-lan only, so no
  # leases are offered on the WAN VLAN.
  networks."40-br-lan" = {
    name = "br-lan";
    linkConfig.ActivationPolicy = "always-up";
    networkConfig = {
      Address = "192.168.1.1/24";
      DHCPServer = true;
    };
    dhcpServerConfig = {
      EmitDNS = true;
      DNS = [ "192.168.1.1" ];
      PoolOffset = 10;
    };
  };
};
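# Routing, VPN and firewall.
# Changes versus the previous ruleset: the TCP accept on port 51820 is gone
# (WireGuard is UDP-only, so that rule only exposed a closed TCP port on the
# WAN side), and both filter chains drop conntrack-invalid packets before any
# accept rule.
networking = {
  # The router itself resolves through the local resolver (presumably AdGuard
  # Home); systemd-resolved is disabled elsewhere in this file.
  nameservers = [ "127.0.0.1" ];
  networkmanager.enable = false;
  useDHCP = false; # interfaces are configured by systemd-networkd above

  # Road-warrior VPN. Only public keys live in this file; the private key is
  # read from a path outside the Nix store.
  wireguard.interfaces.wg0 = {
    ips = [ "10.0.0.1/24" ];
    listenPort = 51820; # must match the udp dport accepted on ppp0 below
    privateKeyFile = "/var/lib/wireguard/pk"; #pubkey KWGYvfnq3rB4NxVnI7Iwev07Dcc79tSynyW90YJ/7SU=
    peers = [
      {
        # fairphone
        name = "fairphone";
        publicKey = "lAPZ2Kg65bvUMPh4JP4tFWuT4lLjsQGdKAB/lSU55kk=";
        allowedIPs = [ "10.0.0.2/32" ];
      }
      {
        # skandiphone
        name = "skandiphone";
        publicKey = "5pMebrf/iMEsXL6QvU+3O9yLEmeg4lu2daj/uzG/wRw=";
        allowedIPs = [ "10.0.0.3/32" ];
      }
    ];
  };

  # Stateful firewall and NAT. ppp0 is the untrusted side; br-lan and wg0 are
  # trusted and may reach anything (each other and the internet). Only
  # WireGuard and a few ICMP types are reachable from the WAN.
  # NOTE(review): networking.firewall is not disabled here, so the NixOS
  # firewall may load its own nftables table next to this ruleset - confirm
  # which rules are in effect, or set networking.firewall.enable = false.
  # NOTE(review): no ICMPv6 is accepted on ppp0; fine while the uplink carries
  # no IPv6 (pppd has no ipv6 options above), revisit if that changes.
  nftables = {
    enable = true;
    ruleset = ''
      flush ruleset
      table inet filter {
        #enable offloading
        #flowtable flow_table {
        #  hook ingress priority filter;
        #  devices = { ppp0, enp90s0 };
        #}
        chain input {
          type filter hook input priority filter; policy drop;
          ct state invalid drop
          iifname lo accept
          iifname "br-lan" counter accept
          iifname "wg0" counter accept
          iifname "ppp0" ct state { established,related } counter accept
          iifname "ppp0" icmp type { echo-request, destination-unreachable, time-exceeded} counter accept
          # WireGuard speaks UDP only; no TCP accept is needed for this port.
          iifname "ppp0" udp dport 51820 counter accept comment "wireguard"
          iifname "ppp0" drop
        }
        chain output {
          type filter hook output priority 100; policy accept;
        }
        chain forward {
          type filter hook forward priority filter; policy drop;
          ct state invalid drop
          iifname { "br-lan", "wg0" } counter accept comment "allow trusted lan and wireguard to all"
          iifname { "ppp0" } oifname { "br-lan","wg0" } ct state { established,related } counter accept comment "Allow established back to lan and wireguard"
        }
      }
      table ip nat {
        chain prerouting {
          type nat hook prerouting priority filter; policy accept;
        }
        chain postrouting {
          type nat hook postrouting priority filter; policy accept;
          oifname "ppp0" masquerade
        }
      }
    '';
  };
};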
networking.hostName = "nixos-router"; # Hostname of this router.
# Time zone.
time.timeZone = "Europe/Amsterdam";

# Locale: English messages, Dutch conventions for everything else.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings =
  let nl = "nl_NL.UTF-8";
  in {
    LC_ADDRESS = nl;
    LC_IDENTIFICATION = nl;
    LC_MEASUREMENT = nl;
    LC_MONETARY = nl;
    LC_NAME = nl;
    LC_NUMERIC = nl;
    LC_PAPER = nl;
    LC_TELEPHONE = nl;
    LC_TIME = nl;
  };
# X11 keyboard layout: plain US, no variant.
services.xserver.xkb = {
  layout = "us";
  variant = "";
};
# Primary user. wheel gives sudo; the networkmanager group is presumably inert
# since NetworkManager is disabled in this config. The password must be set
# with `passwd`, and no SSH authorized keys are declared here.
users.users.henk = {
  isNormalUser = true;
  description = "henk";
  extraGroups = [ "networkmanager" "wheel" ];
  packages = [ ];
};
# Allow unfree packages, and build vaapiIntel with the hybrid codec enabled.
nixpkgs.config = {
  allowUnfree = true;
  packageOverrides = pkgs: {
    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
  };
};
# VA-API / VDPAU / OpenCL stack for Intel hardware video acceleration.
hardware.graphics = {
  enable = true;
  extraPackages = [
    pkgs.intel-media-driver
    pkgs.vaapiIntel # the overridden build from nixpkgs.config.packageOverrides
    pkgs.vaapiVdpau
    pkgs.libvdpau-va-gl
    pkgs.intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
  ];
};
# Packages in the system profile (search with: nix search wget).
environment.systemPackages = [
  pkgs.vim
  pkgs.htop
  # PPPoE tooling for the uplink
  pkgs.ppp
  pkgs.rpPPPoE
  # network diagnostics
  pkgs.ethtool
  pkgs.tcpdump
  pkgs.conntrack-tools
  # media server
  pkgs.jellyfin
  pkgs.jellyfin-web
  pkgs.jellyfin-ffmpeg
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
# This is not the nixpkgs version being deployed; it only pins on-disk formats.
system.stateVersion = "23.11"; # Did you read the comment?
}