nixos-configuration/hosts/aluminium/configuration.nix

{ config, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../users/jalr
    ./services
    ./ports.nix
  ];

  services.openssh.enable = true;
  security.sudo.wheelNeedsPassword = false;

  networking = {
    hostName = "aluminium";
    useDHCP = false;
    vlans = {
      lechner = {
        id = 1;
        interface = "enp1s0";
      };
      voice = {
        id = 2;
        interface = "enp1s0";
      };
      iot = {
        id = 3;
        interface = "enp1s0";
      };
      pv = {
        id = 10;
        interface = "enp1s0";
      };
      heizung = {
        id = 11;
        interface = "enp1s0";
      };
      sprechanlage = {
        id = 12;
        interface = "enp1s0";
      };
    };
    interfaces = {
      lechner.ipv4.addresses = [{
        address = "192.168.0.1";
        prefixLength = 24;
      }];
      voice.ipv4.addresses = [{
        address = "192.168.1.1";
        prefixLength = 24;
      }];
      iot.ipv4.addresses = [{
        address = "192.168.2.1";
        prefixLength = 24;
      }];
      pv.ipv4.addresses = [{
        address = "192.168.10.1";
        prefixLength = 30;
      }];
      heizung.ipv4.addresses = [{
        address = "192.168.10.5";
        prefixLength = 30;
      }];
      sprechanlage.ipv4.addresses = [{
        address = "192.168.10.9";
        prefixLength = 30;
      }];
      enp2s0.useDHCP = false;
    };
    nat = {
      enable = true;
      externalInterface = "ppp0";
      internalInterfaces = [
        "lechner"
        "voice"
      ];
    };
    firewall.extraInputRules = ''
      iifname "voice" udp dport 5059 accept
      ip saddr 217.10.68.150 udp dport 5060 accept
    '';
    nftables.tables.pppoe = {
      family = "ip";
      content = ''
        chain clamp {
          type filter hook forward priority mangle;
          oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to Path MTU"
        }
      '';
    };
  };


  environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path;
  services.pppd = {
    enable = true;
    peers = {
      pyur = {
        enable = true;
        name = "pyur";
        config = ''
          #debug
          defaultroute
          hide-password
          holdoff 5
          ipcp-accept-local
          ipcp-accept-remote
          lcp-echo-failure 10
          lcp-echo-interval 60
          maxfail 0
          #mtu 1470
          name pyur
          noauth
          noccp
          noipdefault
          noipv6
          novjccomp
          persist
          plugin pppoe.so enp2s0
          user l8545506
        '';
      };
    };
  };

  zramSwap = {
    enable = true;
    algorithm = "zstd";
    memoryPercent = 60;
    priority = 1;
  };

  system.stateVersion = "25.11";
}