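extra: { config, lib, pkgs, ... }:
let
  # Rules below are appended to the `nixos-fw` chain.  The NixOS firewall runs
  # `extraCommands` before its final log-and-refuse rule, so an `-A nixos-fw`
  # accept here takes effect.  Plain `iptables` (IPv4 only) is sufficient
  # because every match is on an IPv4 source address.
  ports = {
    synergy   = 24800;
    wireguard = 51820;
    nncp      = 5442;
    webdev    = 8080;
  };

  # One rule body per entry; `addRule`/`rmRule` wrap each in `iptables -A` /
  # `iptables -D`.  Prefixes are written with the host bits cleared
  # (`.0/24`) — iptables masks them anyway, so this is the same match as the
  # earlier `.1/24` spelling, just unambiguous to read.
  firewallRules = [
    # Local LAN may reach the dev web server.
    "nixos-fw -s 192.168.87.0/24 -p tcp --dport ${toString ports.webdev} -j nixos-fw-accept"
    # Synergy is reachable from tunnel peers only, and only *over the tunnel*:
    # without `-i wg0` a packet carrying a spoofed 10.100.0.x source that
    # arrives on the LAN or uplink interface would also be accepted.  All
    # wg0 peers are in 10.100.0.0/28, so nothing legitimate is excluded.
    "nixos-fw -i wg0 -s 10.100.0.0/24 -p tcp --dport ${toString ports.synergy} -j nixos-fw-accept"
    # 172.24.0.0/24 may reach TCP 9050 (not named in `ports`; the service
    # behind it is not recorded in this file).
    "nixos-fw -s 172.24.0.0/24 -p tcp --dport 9050 -j nixos-fw-accept"
  ];

  addRule = rule: "iptables -A ${rule}";
  # `|| true`: the stop script must keep going when a rule is already gone.
  rmRule = rule: "iptables -D ${rule} || true";
  extraCommands = lib.concatStringsSep "\n" (map addRule firewallRules);
  extraStopCommands = lib.concatStringsSep "\n" (map rmRule firewallRules);
in
{
  # Static name -> address pins.  These bypass DNS for the listed names,
  # including the two public hostnames, and must be updated by hand if the
  # remote addresses change.
  networking.extraHosts = ''
    10.0.9.1 secure.datavalet.io.
    172.24.242.111 securitycam.home.
    24.244.54.234 wifisignon.shaw.ca.
  '';

  # Two WireGuard interfaces.  Both read the same private key file, so both
  # tunnels present the same public identity to their peers.
  # NOTE(review): the key lives under a user home directory; it must be
  # readable by root only (e.g. mode 0600) — confirm on the host.
  networking.wireguard.interfaces = {
    # Point-to-point client tunnel; no listenPort, so this host only
    # initiates (source port is chosen by the kernel).
    rcx0 = {
      ips = [ "10.200.0.5/32" ];

      privateKeyFile = "/home/jb55/.wg/private";

      peers = [
        { publicKey = "wC+mEE9/PJDuIfr7DFZWnM8HbQz5fSOFHmmzQRxULzM=";
          allowedIPs = [ "10.200.0.1/32" ];
          # Endpoint on UDP 53 rather than the WireGuard default.
          # NOTE(review): presumably to pass networks that only allow DNS —
          # confirm with the peer's configuration.
          endpoint = "159.89.143.225:53";
        }
      ];
    };

    wg0 = {
      # This host's address and subnet on the tunnel.
      ips = [ "10.100.0.2/28" ];

      # Must stay in sync with `ports.wireguard`, which is opened in
      # `allowedUDPPorts` below.
      listenPort = 51820;

      # Path to the private key file.
      #
      # Note: the key can also be given inline via the privateKey option, but
      # that puts it in the world-readable Nix store; privateKeyFile keeps it
      # out of the store.
      privateKeyFile = "/home/jb55/.wg/private";

      peers = [
        # Tunnel "server"; only its own /32 is routed through it (the
        # commented-out 0.0.0.0/0,::/0 would make it a full-tunnel default
        # route).
        {
          publicKey = "TbGgpOqD6teLon0ksZKS8zvvjHtkOGKNWPpHZxhVFWA=";
          #allowedIPs = [ "0.0.0.0/0" "::/0" ];
          allowedIPs = [ "10.100.0.1/32" ];
          #endpoint = "127.0.0.1:3333";
          #endpoint = "24.84.152.187:51820";
          endpoint = "24.84.152.187:53";

          # Keepalives every 25 s so NAT mappings stay open.
          persistentKeepalive = 25;
        }
        { # charon
          publicKey = "BklL4dTL8WK3xnmM899Hr50/UlXaLYhJQWllj2p4ZEg=";
          allowedIPs = [ "10.100.0.7/32" ];
          endpoint = "45.79.91.128:51820";
          persistentKeepalive = 25;
        }
        # No endpoint: this peer must initiate the handshake to our
        # listenPort; we learn its address from the first packet.
        {
          publicKey = "vIh3IQgP92OhHaC9XBiJVDLlrs3GVcR6hlXaapjTiA0=";

          allowedIPs = [ "10.100.0.3/32" ];

          persistentKeepalive = 25;
        }
        {
          publicKey = "Dp8Df75X8Kh9gd33e+CWyyhOvT4mT0X9ToPwBUEBU1k="; # macos
          allowedIPs = [ "10.100.0.4/32" ];
          # NOTE(review): 192.168.86.x is a different subnet from the
          # 192.168.87.0/24 LAN used in firewallRules — confirm which one is
          # the local network (possible 86/87 typo).
          endpoint = "192.168.86.24:51820";

          persistentKeepalive = 25;
        }
      ];
    };
  };

  networking.wireless.userControlled.enable = false;

  networking.firewall.enable = true;

  networking.firewall.extraCommands = extraCommands;
  networking.firewall.extraStopCommands = extraStopCommands;
  # These two are open on every interface, not just the tunnel/LAN.
  networking.firewall.allowedTCPPorts = with ports; [ nncp ];
  networking.firewall.allowedUDPPorts = with ports; [ wireguard ];
}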