{ lib, config, pkgs, ... }:

let
  # Machine-specific values (extra /etc/hosts entries, the OpenVPN profile and
  # credentials, and additional iptables rules) are kept out of this file.
  secrets = import ./secrets.nix;

  # Oneshot unit that randomises the MAC address of `iface` before
  # network-pre.target, bound to the interface's device unit.  macchanger -e
  # keeps the vendor (OUI) bytes and randomises only the device-specific part,
  # so the NIC vendor stays visible; `|| true` keeps a missing or unsupported
  # interface from failing the unit (and therefore boot).
  macChangerFor = iface: {
    description = "Changes MAC of ${iface} for privacy reasons";
    wants = [ "network-pre.target" ];
    before = [ "network-pre.target" ];
    wantedBy = [ "multi-user.target" ];
    bindsTo = [ "sys-subsystem-net-devices-${iface}.device" ];
    after = [ "sys-subsystem-net-devices-${iface}.device" ];
    serviceConfig.Type = "oneshot";
    script = "${pkgs.macchanger}/bin/macchanger -e ${iface} || true";
  };

  # Sleep targets after which the tunnel is restarted (i.e. on resume).
  sleepTargets = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];

  systemctl = "${pkgs.systemd}/bin/systemctl";
in
{
  imports = [ ./wireless-networks.nix ];

  networking = {
    hostName = "local";
    # Legacy names (wlan0/eth0) are relied on by the wireless settings and the
    # macchanger units below.
    usePredictableInterfaceNames = false;
    nameservers = [ "1.1.1.1" ];
    extraHosts = secrets.hosts;

    wireless = {
      enable = true;
      interfaces = [ "wlan0" ];
    };

    firewall = {
      enable = true;
      allowPing = false;
      # VPN kill switch: default-deny on OUTPUT, so locally generated traffic
      # can only leave through loopback, the tunnel or local virtual
      # interfaces; the chains are flushed first so re-running the script
      # (e.g. a firewall reload) does not duplicate rules.  IPv6 is dropped
      # entirely except loopback (no tunnel or captive exceptions), so no IPv6
      # traffic can bypass the tunnel.  Only OUTPUT is restricted: FORWARD is
      # untouched, so traffic routed on behalf of containers/VMs (docker+,
      # virbr+) is not covered by this kill switch — NOTE(review): confirm
      # that is intended.  The captive-user exceptions match on the owner of
      # locally generated packets only.
      extraCommands = ''
        ip6tables -F OUTPUT
        ip6tables -P OUTPUT DROP
        ip6tables -A OUTPUT -o lo+ -j ACCEPT
        iptables -F OUTPUT
        iptables -P OUTPUT DROP
        iptables -A OUTPUT -o lo+ -j ACCEPT
        iptables -A OUTPUT -o vpn+ -j ACCEPT
        iptables -A OUTPUT -o tun+ -j ACCEPT
        iptables -A OUTPUT -o tap+ -j ACCEPT
        iptables -A OUTPUT -o veth+ -j ACCEPT
        iptables -A OUTPUT -o vnet+ -j ACCEPT
        iptables -A OUTPUT -o docker+ -j ACCEPT
        iptables -A OUTPUT -o virbr+ -j ACCEPT
        iptables -A OUTPUT -o virbr0-nic -j ACCEPT
        # Allow access for special user for use captive portals without
        # disabling vpn-only restrictions (to avoid leaks at the first seconds
        # after connection)
        iptables -A OUTPUT -m owner --uid-owner captive \
          -p tcp -m multiport --dports 80,443,2443 \
          -j ACCEPT
        iptables -A OUTPUT -m owner --uid-owner captive \
          -p udp -m multiport --dports 53 \
          -j ACCEPT
        # iptables -A OUTPUT -d 192.0.2.17 -j ACCEPT
        ${secrets.iptables}
      '';
    };
  };

  # Static resolver.  The OpenVPN unit below has updateResolvConf enabled and
  # will also rewrite /etc/resolv.conf once the tunnel is up — NOTE(review):
  # confirm which definition wins on this NixOS version.
  environment.etc."resolv.conf".text = "nameserver 1.1.1.1\n";

  # Unprivileged account exempt from the vpn-only OUTPUT rules, used only to
  # get through captive portals.
  users.users.captive.isNormalUser = true;

  # No name-service cache and no extra NSS modules: lookups go straight to
  # the configured resolver.
  services.nscd.enable = false;
  system.nssModules = lib.mkForce [ ];

  services.openvpn.servers.vpn = {
    autoStart = true;
    config = secrets.vpn-config;
    authUserPass = {
      username = secrets.vpn-username;
      password = secrets.vpn-password;
    };
    updateResolvConf = true;
  };

  systemd.services = {
    ntpd.serviceConfig.TimeoutStopSec = 5;

    "macchanger-wlan0" = macChangerFor "wlan0";
    "macchanger-eth0" = macChangerFor "eth0";

    # Ordered after the sleep targets, so it runs on resume and the tunnel is
    # not left on a stale session.
    "openvpn-restart-after-suspend" = {
      description = "Restart OpenVPN after suspend";
      after = sleepTargets;
      wantedBy = sleepTargets;
      script = "${systemctl} try-restart openvpn-vpn.service";
    };

    # Liveness probe: every 10 s a single ping (which the OUTPUT rules keep
    # off the physical interfaces); one failed probe restarts openvpn.
    # try-restart only acts on a running unit, so a deliberately stopped
    # tunnel is not brought back.
    "openvpn-keep-alive" = {
      description = "Make sure OpenVPN connection is alive";
      after = [ "openvpn-vpn.service" ];
      wantedBy = [ "openvpn-vpn.service" ];
      script = ''
        while [ 1 ]; do
          sleep 10s
          timeout 10s ${pkgs.iputils}/bin/ping -c1 1.1.1.1 >/dev/null 2>&1 || \
            ${systemctl} try-restart openvpn-vpn.service
        done
      '';
    };
  };
}