{ config, inputs, pkgs, system, ... }: let selfPkgs = inputs.self.packages.${system}; inherit (config.virtualisation.quadlet) volumes; inboundInterface = "wlo1"; inboundGateway = "192.168.1.1"; inboundRangeStart = "192.168.1.2"; inboundRangeStop = "192.168.1.254"; inboundRangeMask = "255.255.255.0"; inboundRangePrefix = 24; outboundInterface = "enp2s0"; in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking = { firewall = { interfaces.${inboundInterface} = { allowedUDPPorts = [ 53 67 ]; allowedTCPPorts = [ 53 8080 ]; }; extraCommands = '' iptables -t nat -A POSTROUTING -o ${outboundInterface} -j MASQUERADE iptables -A FORWARD -i ${outboundInterface} -o ${inboundInterface} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ${inboundInterface} -o ${outboundInterface} -j ACCEPT iptables -t nat -A PREROUTING -i ${inboundInterface} -p udp --dport 53 -j DNAT --to-destination ${inboundGateway}:53 ''; extraStopCommands = '' iptables -t nat -D POSTROUTING -o ${outboundInterface} -j MASQUERADE || true iptables -D FORWARD -i ${outboundInterface} -o ${inboundInterface} -m state --state RELATED,ESTABLISHED -j ACCEPT || true iptables -D FORWARD -i ${inboundInterface} -o ${outboundInterface} -j ACCEPT || true iptables -t nat -D PREROUTING -i ${inboundInterface} -p udp --dport 53 -j DNAT --to-destination ${inboundGateway}:53 || true ''; }; networkmanager.unmanaged = [ "interface-name:${inboundInterface}" ]; interfaces.${inboundInterface}.ipv4 = { addresses = [ { address = inboundGateway; prefixLength = inboundRangePrefix; } ]; }; }; sops = { secrets = { "tv/network/password".sopsFile = ../../secrets/secrets.yaml; "tv/adguard/admin".sopsFile = ../../secrets/secrets.yaml; }; templates.adguard-env.content = '' ADGUARD_ADMIN_PASSWORD=${config.sops.placeholder."tv/adguard/admin"} ''; }; services.hostapd = { enable = true; radios.${inboundInterface} = { band = "2g"; channel = 2; countryCode = "GB"; networks.${inboundInterface} = { ssid = "jupiter-tv"; authentication.saePasswords = [ { passwordFile = config.sops.secrets."tv/network/password".path; } ]; }; }; }; virtualisation.quadlet = { volumes.tv-adguard = { }; containers.tv-adguard = { containerConfig = { image = "docker-archive:${selfPkgs.docker-adguardhome}"; volumes = let config = (pkgs.formats.yaml { }).generate "config.yaml.default" { http.address = "${inboundGateway}:8080"; dns = { bind_hosts = [ inboundGateway ]; port = 53; ratelimit = 0; }; dhcp = { enabled = true; interface_name = inboundInterface; local_domain_name = "local"; dhcpv4 = { gateway_ip = inboundGateway; subnet_mask = inboundRangeMask; range_start = inboundRangeStart; range_end = inboundRangeStop; }; }; filters = [ ]; whitelist_filters = [ ]; user_rules = [ "||*^" "@@||clients3.google.com^" "@@||clients.l.google.com^" "@@||connectivitycheck.gstatic.com^" "@@||connectivitycheck.android.com^" ]; schema_version = 29; }; in [ "${config}:/etc/adguard/config.yaml.default" "${volumes.tv-adguard.ref}:/var/lib/adguard" ]; networks = [ "host" ]; addCapabilities = [ "NET_RAW" "NET_ADMIN" ]; environmentFiles = [ config.sops.templates.adguard-env.path ]; }; unitConfig.After = [ "sops-nix.service" ]; }; }; }