system/modules/network.nix

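# NixOS networking for host "launchpad": a static IPv4 address on a bridge
# over the single physical NIC (enp4s0 -> br0), a host firewall, NAT for
# locally hosted containers, and a static /etc/hosts table for the LAN.
{ pkgs, ... }:
{
  networking = {
    hostName = "launchpad";
    useDHCP = false; # addressing is static, see interfaces.br0 below
    enableIPv6 = false;

    # Static name -> address table appended to /etc/hosts.
    # NOTE(review): entries span 192.168.1.x, 192.168.76.x, 192.168.12.x and
    # 10.0.0.x, but only 192.168.1.0/24 is directly attached (br0); the others
    # are reached through the default gateway, if routed at all — confirm.
    extraHosts = ''
      192.168.76.20 router.local
      192.168.1.1 gw.local
      192.168.1.25 dns1.local
      192.168.1.30 canon.local
      192.168.1.40 launchpad.local
      192.168.1.41 xeon.local
      192.168.1.41 legacy-node.local
      192.168.1.42 rover.local
      192.168.76.50 wayne-s-pixel-5
      192.168.76.55 fire-tablet
      192.168.1.60 toons.local
      192.168.1.61 tv.local
      192.168.76.80 robo.local
      192.168.1.81 nas.local
      192.168.1.83 homeassistant.local
      192.168.12.84 tests.local
      # containers: .01 - .99 reserved within 192.168.1.0/24
      # (the former "/27 255.255.255.128" note was self-contradictory: /27 is .224, /25 is .128)
      192.168.1.71 nextcloud.local
      192.168.1.72 livebook.local
      192.168.1.73 grocy.local
      192.168.1.74 openoffice.local
      192.168.1.75 laravel.local
      192.168.1.76 nginx.local
      192.168.1.77 glance.local
      192.168.1.78 vite.local
      192.168.1.79 node.local
      192.168.1.90 dmp.local
      192.168.1.91 docs.local
      # networking gear: .200 - .254 reserved
      # (the former "/27 255.255.255.192" note was self-contradictory: /27 is .224, /26 is .192;
      #  note switch.local below lives on 10.0.0.0/24, not on the LAN subnet)
      10.0.0.201 switch.local
      # WAN
      45.58.52.52 www
      172.245.111.249 est
      216.189.156.74 mail
    '';

    interfaces = {
      # Previous flat (un-bridged) addressing, kept for reference:
      # enp4s0.ipv4.addresses = [ {
      #   address = "192.168.12.40";
      #   prefixLength = 24;
      # } ];
      #
      # br0 carries the host's only LAN address; enp4s0 is its bridge port
      # (see bridges below) and has no address of its own.
      br0 = {
        useDHCP = false;
        ipv4.addresses = [
          {
            address = "192.168.1.40";
            prefixLength = 24;
          }
        ];
      };
    };

    defaultGateway = "192.168.1.1";
    nameservers = [ "192.168.1.25" ];

    firewall = {
      enable = true;

      # Ports reachable from every interface that is NOT in trustedInterfaces.
      # NOTE(review): 27017 and 11434 are presumably a database and a model
      # API exposed to the whole LAN — confirm both require authentication, or
      # bind them to localhost / tailscale0 instead of opening them here.
      # { from = 5000; to = 6000; }
      allowedTCPPorts = [ 80 443 11434 27017 ];
      allowedUDPPorts = [ 137 138 ]; # Samba: NetBIOS name and datagram services
      allowedTCPPortRanges = [
        { from = 137; to = 139; }     # Samba: NetBIOS session service
        { from = 35000; to = 36000; } # TODO(review): document which service owns this range
        { from = 8000; to = 9000; }   # TODO(review): ~1000 ports is wide; narrow to the ports actually in use
      ];

      # Attach the netbios-ns conntrack helper to outgoing NetBIOS name
      # queries so the replies are accepted. This is a raw-table iptables
      # rule; it appears to be iptables-backend specific — re-check if the
      # host is ever switched to the nftables backend.
      extraCommands = ''
        iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
      '';

      # Interfaces on which ALL inbound traffic is accepted, bypassing the
      # port lists above. br0 is deliberately NOT listed: it is the host's
      # only LAN-facing interface (bridge over enp4s0, carries 192.168.1.40
      # and the default route) and is also the NAT external interface, so
      # trusting it made the allowed-port lists a no-op for every LAN client.
      # docker0 stays trusted, which means any container can reach any host
      # port — revisit if containers run untrusted workloads.
      trustedInterfaces = [ "tailscale0" "docker0" ];
      checkReversePath = "loose"; # Tailscale needs loose rp_filter
    };

    # enp4s0 is enslaved to br0; the host addresses br0, not enp4s0.
    bridges.br0.interfaces = [ "enp4s0" ];

    # Masquerade container traffic (nixos-container ve-*/vb-*, docker veth*)
    # out through br0 so the containers can reach the LAN/WAN.
    nat = {
      enable = true;
      # NOTE(review): enp4s0 is a bridge port with no L3 address, so listing
      # it as an internal NAT interface is most likely dead configuration.
      internalInterfaces = [ "enp4s0" "ve-+" "vb-+" "veth+" ];
      externalInterface = "br0";
      enableIPv6 = false;
    };

    # Keep NetworkManager off the bridge port and the container veths so it
    # does not fight the static configuration above.
    # NOTE(review): br0 itself is not marked unmanaged, so NetworkManager may
    # still attempt to configure it (e.g. via DHCP) alongside the static
    # address — consider adding "interface-name:br0" here.
    networkmanager = {
      enable = true;
      unmanaged = [ "enp4s0" "interface-name:ve-*" "interface-name:vb-*" ];
    };

    # wireless.enable = true; # Enables wireless support via wpa_supplicant.
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  };
}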