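{ lib, pkgs, ... }:
# NetworkManager / firewall configuration for this host.
# Nothing here grants network access beyond UDP 1900 (UPnP/SSDP) and the
# short-lived SSDP-response window described at `networking.firewall.extraCommands`.
{
  imports = [
    ./hostnames.nix
    ./vpn.nix
  ];

  # the default backend is "wpa_supplicant".
  # wpa_supplicant reliably picks weak APs to connect to.
  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
  # iwd is an alternative that shouldn't have this problem
  # docs:
  # - <https://nixos.wiki/wiki/Iwd>
  # - <https://iwd.wiki.kernel.org/networkmanager>
  # - `man iwd.config` for global config
  # - `man iwd.network` for per-SSID config
  # use `iwctl` to control
  # networking.networkmanager.wifi.backend = "iwd";
  # networking.wireless.iwd.enable = true;
  # networking.wireless.iwd.settings = {
  #   # auto-connect to a stronger network if signal drops below this value
  #   # bedroom -> bedroom connection is -35 to -40 dBm
  #   # bedroom -> living room connection is -60 dBm
  #   General.RoamThreshold = "-52";  # default -70
  #   General.RoamThreshold5G = "-52";  # default -76
  # };

  # plugins mostly add support for establishing different VPN connections.
  # the default plugin set includes mostly proprietary VPNs:
  # - fortisslvpn (Fortinet)
  # - iodine (DNS tunnels)
  # - l2tp
  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
  # - openvpn
  # - vpnc (Cisco VPN)
  # - sstp
  #
  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
  # e.g. openconnect drags in webkitgtk (for SSO)!
  # mkForce: override (not merge with) whatever default plugin list the NM module provides.
  networking.networkmanager.plugins = lib.mkForce [];

  networking.firewall.allowedUDPPorts = [
    # to receive UPnP advertisements. required by sane-ip-check.
    # N.B. sane-ip-check isn't query/response based. it needs to receive on port 1900 -- not receive responses FROM port 1900.
    # N.B. `allowedUDPPorts` is host-wide: it is not scoped to an interface or to the
    # SSDP multicast group, so unicast UDP to :1900 from any reachable host is accepted too.
    # `networking.firewall.interfaces.<iface>.allowedUDPPorts` narrows this if that matters.
    1900
  ];

  # after an outgoing SSDP query to the multicast address, open FW for incoming responses.
  # necessary for anything DLNA, especially go2tv
  # source: <https://serverfault.com/a/911286>
  # context: <https://github.com/alexballas/go2tv/issues/72>
  #
  # mechanism: the OUTPUT rule records (local ip, local port) of every SSDP query in an
  # ipset whose entries expire after 10s; the INPUT rule accepts UDP addressed to any
  # live (ip, port) entry. this is IPv4 only; IPv6 SSDP traffic is not covered.
  networking.firewall.extraCommands = let
    ipset = "${pkgs.ipset}/bin/ipset";
    iptables = "${pkgs.iptables}/bin/iptables";
  in ''
    # ipset -! means "don't fail if set already exists"
    ${ipset} create -! upnp hash:ip,port timeout 10

    # extraCommands is re-run whenever the firewall is (re)started, and nothing deletes the
    # OUTPUT/INPUT rules below, so a bare `-A` appends a fresh duplicate each time.
    # `-C` succeeds when an identical rule already exists, making this idempotent.
    # `-w` waits for the xtables lock instead of failing if another iptables call holds it.
    ensure_rule() {
      ${iptables} -w -C "$@" 2>/dev/null || ${iptables} -w -A "$@"
    }

    # record the source (ip, port) of outgoing SSDP queries for 10s
    ensure_rule OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
    # accept UDP to any recorded (ip, port) while its entry lives.
    # N.B. during that window this accepts from *any* source address/port, not only from
    # SSDP responders -- SSDP replies come from arbitrary source ports, so it can't be tighter.
    ensure_rule INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
  '';

  # keyfile.path = where networkmanager should look for connection credentials
  networking.networkmanager.extraConfig = ''
    [keyfile]
    path=/var/lib/NetworkManager/system-connections
  '';
}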