nixos-demo/os/network.nix

{ config, lib, ... }:

{
  networking = {
    domain = "local";
    enableIPv6 = false;
    useDHCP = false;
    wireless.enable = false;
    usePredictableInterfaceNames = lib.mkIf (config.beancloud.network.interface.lan == "eth0") false;
  };
  networking.networkmanager = {
    enable = true;
    wifi.powersave = lib.mkIf config.beancloud.hardware.steamdeck true;
  };
  systemd.network = {
    enable = true;
    config.networkConfig = {
      UseDomains = true;
      SpeedMeter = true;
    };
    networks."10-lan" = {
      enable = lib.mkDefault true;
      matchConfig.Name = [ "${config.beancloud.network.interface.lan}" ];
      linkConfig.RequiredForOnline = lib.mkDefault "routable";
      networkConfig = {
        DHCP = "yes";
        IPv6AcceptRA = false;
      };
    };
  };

  networking.hosts = {
  };

  # (m)DNS
  services.resolved = {
    enable = true;
    fallbackDns = [
      "9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features
      "2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features
    ];
    dnssec = "false";
    dnsovertls = "opportunistic";
  };

  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  networking.nftables.enable = false;
  networking.nftables.tables = {
    filter = {
      content = ''
        # Check out https://wiki.nftables.org/ for better documentation.
        # Table for both IPv4 and IPv6.
        chain input {
          type filter hook input priority 0;

          # accept any localhost traffic
          iifname lo accept

          # accept traffic originated from us
          ct state {established, related} accept

          # ICMP
          # routers may also want: mld-listener-query, nd-router-solicit
          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

          # allow "ping"
          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
          ip protocol icmp icmp type echo-request accept

          # count and drop any other traffic
          counter drop
        }

        # Allow all outgoing connections.
        chain output {
          type filter hook output priority 0;
          accept
        }

        chain forward {
          type filter hook forward priority 0;
          accept
        }
      '';
      family = "inet";
    };
  };

  beancloud.network.interface.lan = lib.mkIf config.beancloud.hardware.steamdeck "eth0";
}
initial cleaned up config 2025-07-12 00:28:21 +02:00			`{ config, lib, ... }:`

			`{`
			`networking = {`
			`domain = "local";`
			`enableIPv6 = false;`
			`useDHCP = false;`
			`wireless.enable = false;`
			`usePredictableInterfaceNames = lib.mkIf (config.beancloud.network.interface.lan == "eth0") false;`
			`};`
			`networking.networkmanager = {`
			`enable = true;`
			`wifi.powersave = lib.mkIf config.beancloud.hardware.steamdeck true;`
			`};`
			`systemd.network = {`
			`enable = true;`
			`config.networkConfig = {`
			`UseDomains = true;`
			`SpeedMeter = true;`
			`};`
			`networks."10-lan" = {`
			`enable = lib.mkDefault true;`
			`matchConfig.Name = [ "${config.beancloud.network.interface.lan}" ];`
			`linkConfig.RequiredForOnline = lib.mkDefault "routable";`
			`networkConfig = {`
			`DHCP = "yes";`
			`IPv6AcceptRA = false;`
			`};`
			`};`
			`};`

			`networking.hosts = {`
			`};`

			`# (m)DNS`
			`services.resolved = {`
			`enable = true;`
			`fallbackDns = [`
			`"9.9.9.9" # https://www.quad9.net/service/service-addresses-and-features`
			`"2620:fe::fe" # https://www.quad9.net/service/service-addresses-and-features`
			`];`
			`dnssec = "false";`
			`dnsovertls = "opportunistic";`
			`};`

			`networking.firewall.enable = true;`
			`networking.firewall.allowPing = true;`
			`networking.nftables.enable = false;`
			`networking.nftables.tables = {`
			`filter = {`
			`content = ''`
			`# Check out https://wiki.nftables.org/ for better documentation.`
			`# Table for both IPv4 and IPv6.`
			`chain input {`
			`type filter hook input priority 0;`

			`# accept any localhost traffic`
			`iifname lo accept`

			`# accept traffic originated from us`
			`ct state {established, related} accept`

			`# ICMP`
			`# routers may also want: mld-listener-query, nd-router-solicit`
			`ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`
			`ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept`

			`# allow "ping"`
			`ip6 nexthdr icmpv6 icmpv6 type echo-request accept`
			`ip protocol icmp icmp type echo-request accept`

			`# count and drop any other traffic`
			`counter drop`
			`}`

			`# Allow all outgoing connections.`
			`chain output {`
			`type filter hook output priority 0;`
			`accept`
			`}`

			`chain forward {`
			`type filter hook forward priority 0;`
			`accept`
			`}`
			`'';`
			`family = "inet";`
			`};`
			`};`

			`beancloud.network.interface.lan = lib.mkIf config.beancloud.hardware.steamdeck "eth0";`
			`}`