localhost/networking.nix

{ config, pkgs, ... }:

let
  secrets = import ./secrets.nix;
in {
  networking.hostName = "local";
  networking.nameservers = [ "1.1.1.1" ];

  networking.wireless.enable = true;
  imports = [ ./wireless-networks.nix ];

  networking.firewall = {
    enable = true;
    extraCommands = ''
      iptables -F OUTPUT
      iptables -P OUTPUT DROP

      iptables -A OUTPUT -o lo+ -j ACCEPT
      iptables -A OUTPUT -o vpn+ -j ACCEPT
      iptables -A OUTPUT -o tun+ -j ACCEPT
      iptables -A OUTPUT -o tap+ -j ACCEPT
      iptables -A OUTPUT -o veth+ -j ACCEPT
      iptables -A OUTPUT -o vnet+ -j ACCEPT
      iptables -A OUTPUT -o docker+ -j ACCEPT
      iptables -A OUTPUT -o virbr+ -j ACCEPT
      iptables -A OUTPUT -o virbr0-nic -j ACCEPT

      # Allow access for special user for use captive portals without
      # disabling vpn-only restrictions (to avoid leaks at the first seconds
      # after connection)
      iptables -A OUTPUT -m owner --uid-owner captive \
               -p tcp -m multiport --dports 80,443,2443 \
               -j ACCEPT

      iptables -A OUTPUT -m owner --uid-owner captive \
               -p udp -m multiport --dports 53 \
               -j ACCEPT

      # iptables -A OUTPUT -d 192.0.2.17 -j ACCEPT
      ${secrets.iptables}
    '';
    checkReversePath = false;
  };

  # User without vpn-only restrictions (for captive portals)
  users.users.captive = {
    isNormalUser = true;
  };

  services.nscd.enable = false;

  services.openvpn.servers.vpn = {
    autoStart = true;
    config = secrets.vpn-config;
    authUserPass.username = secrets.vpn-username;
    authUserPass.password = secrets.vpn-password;
    updateResolvConf = true;
  };

  systemd = {
    services = {
      "macchanger" = {
        description = "Changes MAC of all interfaces for privacy reasons";
        wants = [ "network-pre.target" ];
        wantedBy = [ "multi-user.target" ];
        before = [ "network-pre.target" ];
        bindsTo = [ "sys-subsystem-net-devices-wlp0s20f3.device" ];
        after = [ "sys-subsystem-net-devices-wlp0s20f3.device" ];
        # we always return true to avoid errors while 'nixos-rebuild switch'
        # because it does not stop interfaces
        # TODO it must be changed to work only when system starts
        script = ''
          ${pkgs.macchanger}/bin/macchanger -e wlp0s20f3 || true
          ${pkgs.macchanger}/bin/macchanger -e enp0s31f6 || true
        '';
        serviceConfig.Type = "oneshot";
      };
      "openvpn-restart-after-suspend" = {
        description = "Restart OpenVPN after suspend";
        after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        script = ''
          ${pkgs.systemd}/bin/systemctl try-restart openvpn-vpn.service
        '';
      };
    };
  };
}