system/modules/network.nix

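# Host networking for "launchpad": static address on bridge br0, local name
# overrides, firewall, NAT for container interfaces, and NetworkManager
# exclusions.
{ pkgs, ... }:
{
  networking = {
    hostName = "launchpad";
    # DHCP is off globally; br0 below carries the static address.
    useDHCP = false;
    enableIPv6 = false;

    # Static name overrides appended to /etc/hosts.
    # NOTE(review): hosts-file syntax is "address name [alias ...]", so the
    # "nginx - PHP" entry also defines "-" and "PHP" as aliases. If "PHP" was
    # meant as an annotation it belongs after a "#". Confirm before changing.
    # NOTE(review): www, est and mail are pinned to public addresses, so those
    # names bypass DNS on this host. Re-check the entries whenever the remote
    # hosts move; a stale pin keeps sending traffic to the old address.
    extraHosts = ''
      192.168.12.20 router.local
      192.168.12.21 switch.local
      192.168.12.25 dhcpd.local
      192.168.12.30 canon.local
      192.168.12.40 launchpad.local
      192.168.12.41 xeon.local
      192.168.12.41 rover.local
      192.168.12.50 wayne-s-pixel-5
      192.168.12.55 fire-tablet
      192.168.12.60 toons.local
      192.168.12.61 tv.local
      192.168.12.80 robo.local
      192.168.12.81 nas.local
      192.168.12.83 homeassistant.local
      # containers
      192.168.12.71 nextcloud
      192.168.12.72 livebook
      192.168.12.73 grocy
      192.168.12.74 openoffice
      192.168.12.75 laravel
      192.168.12.76 nginx - PHP
      45.58.52.52 www
      172.245.111.249 est
      216.189.156.74 mail
    '';

    interfaces = {
      # enp4s0.ipv4.addresses = [ {
      # address = "192.168.12.40";
      # prefixLength = 24;
      # } ];
      # The host address lives on the bridge, not on the physical NIC.
      br0 = {
        useDHCP = false;
        ipv4 = {
          addresses = [
            {
              address = "192.168.12.40";
              prefixLength = 24;
            }
          ];
        };
      };
    };

    defaultGateway = "192.168.12.20";
    nameservers = [ "192.168.12.25" ];

    firewall = {
      enable = true;
      # { from = 5000; to = 6000; }
      allowedTCPPorts = [ 80 443 ];
      # NOTE(review): two 1001-port ranges are open; narrow them to the ports
      # actually served if the full ranges are not needed.
      allowedTCPPortRanges = [ { from = 35000; to = 36000; } { from = 8000; to = 9000; } ];
      # Attach the netbios-ns conntrack helper to outgoing UDP/137 queries.
      extraCommands = ''
        iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
      '';
      # The rule above is appended (-A) outside the firewall's own chains, so
      # nothing flushes it; delete it on stop/reload so repeated reloads do not
      # stack duplicate copies in raw/OUTPUT.
      extraStopCommands = ''
        iptables -t raw -D OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns 2>/dev/null || true
      '';
      # NOTE(review): a trusted interface accepts ALL inbound traffic. br0 is
      # the interface holding this host's LAN address, so the allowed-port
      # lists above do not restrict LAN clients at all; as far as this file
      # shows they only filter traffic arriving on other interfaces (e.g. the
      # container ve-*/vb-* links). Drop br0 from this list if the port lists
      # are meant to be enforced on the LAN.
      trustedInterfaces = [ "br0" ];
    };

    bridges = {
      br0 = {
        interfaces = [ "enp4s0" ];
      };
    };

    # Required to access containers
    # NOTE(review): enp4s0 is a port of br0 (see bridges above) yet is listed
    # as an internal interface while br0 is the external one; confirm enp4s0
    # needs to be here, the ve-+/vb-+ wildcards may be sufficient.
    nat = {
      enable = true;
      internalInterfaces = [ "enp4s0" "ve-+" "vb-+" ];
      externalInterface = "br0";
      enableIPv6 = false;
    };

    # NetworkManager stays enabled but must not manage the bridged NIC or the
    # container ve-*/vb-* interfaces.
    networkmanager = {
      enable = true;
      unmanaged = [ "enp4s0" "interface-name:ve-*" "interface-name:vb-*" ];
    };

    # wireless.enable = true; # Enables wireless support via wpa_supplicant.
    # Configure network proxy if necessary
    # proxy.default = "http://user:password@proxy:port/";
    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  };
}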