{ lib, pkgs, config, ... }: {
# Disable the systemd-networkd-wait-online unit.
systemd.network.wait-online.enable = false;
# Disabled alternative: wlan-ap0 declared through networking.wlanInterfaces.
# The interface is defined through systemd.network.netdevs in this file instead.
#networking.wlanInterfaces = {
# wlan-ap0 = {
# device = "wlp0s20f3";
# mac = "d2:61:cf:a2:df:57";
# };
#};
# libvirt host using the KVM build of QEMU, with remote-management listeners.
virtualisation.libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
# QEMU guest processes are not run as root.
runAsRoot = false;
};
# NOTE(review): listen_tcp = 1 requests libvirtd's plain TCP listener in
# addition to TLS. Management traffic on the TCP transport is unencrypted
# unless a SASL mechanism that provides encryption is configured, and no
# auth_tcp / auth_tls setting appears in this block. TCP 16509 (tcp) and
# 16514 (tls) are opened in networking.firewall.allowedTCPPorts without an
# interface restriction, so as far as this file shows both listeners are
# reachable on the uplink as well as on vmbr0. Prefer the TLS listener alone
# (or qemu+ssh), set the auth_* options explicitly, and scope the ports to
# the interface that management clients actually use.
extraConfig = ''
listen_tls = 1
listen_tcp = 1
'';
};
# Socket units for the TCP and TLS listeners.
# NOTE(review): with socket activation these units, rather than the listen_*
# keys above, are presumably what open the ports - confirm on the deployed
# libvirt version before relying on either one to close the TCP listener.
systemd.sockets."libvirtd-tcp".enable = true;
systemd.sockets."libvirtd-tls".enable = true;
# systemd-networkd creates the access-point interface and addresses the bridge.
systemd.network.enable = true;

# Virtual WLAN interface in AP mode on physical device 0 (presumably the PHY
# index - confirm against the hardware).
systemd.network.netdevs."wlan-ap0" = {
  enable = true;
  netdevConfig = { Name = "wlan-ap0"; Kind = "wlan"; };
  wlanConfig = { PhysicalDevice = 0; Type = "ap"; };
};

# Static addressing for the bridge; the match on wlan-ap0 itself is disabled.
systemd.network.networks."10-ap" = {
  #matchConfig.Name = "wlan-ap0";
  matchConfig.Name = "vmbr0";
  networkConfig = {
    Address = "10.1.1.1/16";
    # NOTE(review): Gateway is this interface's own address, while
    # networking.defaultGateway in this file points at 192.168.0.1 via
    # wlp0s20f3 - confirm a second default route on vmbr0 is intended.
    Gateway = "10.1.1.1";
  };
};
# Default route leaves through wlp0s20f3.
networking.defaultGateway = { address = "192.168.0.1"; interface = "wlp0s20f3"; };

# NetworkManager is told not to manage the AP interface or the bridge.
networking.networkmanager.unmanaged = [ "wlan-ap0" "vmbr0" ];

# Bridge vmbr0 with the AP interface as its only configured port.
networking.bridges.vmbr0.interfaces = [ "wlan-ap0" ];
# nftables backend with an extra, rule-less nat table.
networking.nftables.enable = true;
# Declares table "ip nat" with an empty PREROUTING chain (policy accept); no
# rules are added here.
# NOTE(review): purpose is not visible in this file - confirm what relies on it.
networking.nftables.ruleset = ''
  table ip nat {
  chain PREROUTING {
  type nat hook prerouting priority dstnat; policy accept;
  }
  }
'';

# NAT for traffic from the bridge out through wlp0s20f3.
# NOTE(review): no forward-filtering rule appears in this file, so confirm how
# much of the uplink network bridge clients are meant to reach.
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "vmbr0" ];
networking.nat.externalInterface = "wlp0s20f3";
# Static host entries for the internal 10.1.x.x network.
networking.hosts."10.1.1.1" = [ "essos.local" ];
networking.hosts."10.1.2.1" = [ "nas.essos.local" ];

# Resolver addresses configured for this host; resolvconf is turned off.
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.resolvconf.enable = false;
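# libvirt remote-management listeners: 16514 = TLS, 16509 = plain TCP.
# NOTE(review): these stay open on every interface because this file does not
# show where management clients connect from. Move them under
# networking.firewall.interfaces.<name> once that is known, and drop 16509 if
# the plain TCP listener is not needed.
networking.firewall.allowedTCPPorts = [ 16514 16509 ];

# DNS is accepted on the bridge only. Kea advertises 10.1.1.1 as the resolver
# to vmbr0 clients, and nothing in this file needs the forwarder on the uplink;
# leaving port 53 open on all interfaces would expose it there as an open
# resolver. Widen this only if another interface must be served.
networking.firewall.interfaces.vmbr0 = {
  allowedTCPPorts = [ 53 ];
  allowedUDPPorts = [ 53 ];
};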
# Access point on wlan-ap0: 5 GHz band, channel 153, SSID "essos", SAE passwords.
services.hostapd = {
enable = true;
radios = {
wlan-ap0 = {
band = "5g";
channel = 153;
networks.wlan-ap0 = {
ssid = "essos";
# NOTE(review): the SAE passphrase is a literal in this file, so it is
# committed with the configuration and ends up in the world-readable Nix
# store when the system is built. Supply it at runtime instead (the hostapd
# module offers authentication.saePasswordsFile) and rotate this value, as
# it has already been published. It is also a dictionary-style phrase;
# replace it with a long random passphrase.
authentication.saePasswords = [{ password = "valar morghulis"; }];
};
};
};
};
# Kea DHCPv4 server for clients on the vmbr0 bridge.
services.kea.dhcp4.enable = true;
services.kea.dhcp4.settings = {
  # Serve DHCP on the bridge only.
  interfaces-config.interfaces = [ "vmbr0" ];

  # Lease timing, in seconds.
  # NOTE(review): renew-timer and rebind-timer are equal; T1 is normally
  # shorter than T2 - confirm this is intended.
  valid-lifetime = 4000;
  renew-timer = 1000;
  rebind-timer = 1000;

  # Leases are persisted to a flat file on disk.
  lease-database = {
    type = "memfile";
    persist = true;
    name = "/var/lib/kea/dhcp4.leases";
  };

  # Clients are given 10.1.1.1 as both resolver and default router.
  option-data = [
    {
      name = "domain-name-servers";
      code = 6;
      space = "dhcp4";
      csv-format = true;
      data = "10.1.1.1";
      always-send = true;
    }
    { name = "routers"; data = "10.1.1.1"; }
  ];

  subnet4 = [{
    id = 1;
    # NOTE(review): the prefix has host bits set for a /16 (10.1.0.0/16 would
    # be the canonical form) - confirm Kea accepts it as written.
    subnet = "10.1.1.0/16";
    pools = [{ pool = "10.1.1.2 - 10.1.1.240"; }];
  }];
};
# systemd-resolved is forced off; dnsmasq is the DNS service on this host.
services.resolved.enable = lib.mkForce false;
# dnsmasq forwards to the upstream servers listed in a generated resolv file.
services.dnsmasq = let
resolv = pkgs.writeTextFile {
name = "vmbr0-resolv.conf";
text = ''
nameserver 1.1.1.1
nameserver 1.0.0.1
'';
};
in {
enable = true;
settings = {
resolv-file = "${resolv}";
# NOTE(review): with listen-address disabled and no interface setting, this
# block does not restrict dnsmasq to vmbr0. Unless the firewall limits port
# 53 to the bridge, the forwarder also answers on the uplink and acts as an
# open resolver there. Consider binding it to the bridge (dnsmasq's
# interface option, with bind-dynamic if vmbr0 may not exist yet at start).
#listen-address = "10.1.1.1";
};
};
# Reverse proxy: console.essos.local -> HTTPS service on 10.1.1.1:8006.
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# NOTE(review): this virtual host sets no addSSL / forceSSL / onlySSL and no
# certificate, so as written it is served over plain HTTP even though
# recommendedTlsSettings is on; console credentials and session cookies would
# cross the network unencrypted. Add a certificate and forceSSL before
# exposing it. Ports 80/443 are not in networking.firewall.allowedTCPPorts in
# this file, so confirm how clients are expected to reach it.
virtualHosts."console.essos.local" = {
locations."/" = {
proxyPass = "https://10.1.1.1:8006";
# NOTE(review): proxy_ssl_server_name only sends SNI to the upstream. The
# upstream certificate is not verified unless proxy_ssl_verify and
# proxy_ssl_trusted_certificate are also set. 10.1.1.1 is this host's own
# vmbr0 address, which limits the exposure, but confirm it is acceptable.
extraConfig = ''
proxy_ssl_server_name on;
'';
};
};
};
}