From 421ac616554e64160c5f54b244457474d479c1ba Mon Sep 17 00:00:00 2001 From: jasmine Date: Thu, 30 Oct 2025 14:57:38 +0800 Subject: [PATCH] feat(fuchsia): add internet sharing service for 3D printer Enables internet connection sharing from WiFi (wlo1) to Ethernet (enp34s0) to provide network access for the 3D printer. Includes DHCP server with static IP reservation, DNS forwarding through Pi-hole, and NAT configuration. --- CLAUDE.md | 28 ++++++- nixos/fuchsia/services/default.nix | 1 + .../services/internet-sharing/default.nix | 76 +++++++++++++++++++ 3 files changed, 101 insertions(+), 4 deletions(-) create mode 100644 nixos/fuchsia/services/internet-sharing/default.nix diff --git a/CLAUDE.md b/CLAUDE.md index 6e75766..f2c0fb4 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -171,10 +171,13 @@ Services are organized by host in `nixos//services/`: - **Unfree packages**: Add to allowlist in `nixos/common/global/default.nix` ### Testing Changes -1. Build configuration: `just build ` -2. Check for evaluation errors: `nix flake check` -3. Review changes before switching -4. Switch: `just switch ` (local) or `just deploy ` (remote) +1. **IMPORTANT**: Stage new files with git before building or checking + - Nix flakes only evaluate files tracked in git + - Run `git add ` for any new files before `nix flake check` or build +2. Build configuration: `just build ` +3. Check for evaluation errors: `nix flake check` +4. Review changes before switching +5. Switch: `just switch ` (local) or `just deploy ` (remote) ### Managing Secrets - Secrets are encrypted per-host and stored in 
@@ -186,6 +189,23 @@ Services are organized by host in `nixos//services/`: ## Important Conventions +### Network IP Allocation +This infrastructure uses the following IP range scheme to avoid conflicts: + +**Allocated Ranges:** +- `192.168.50.0/24` - Home router/main LAN +- `10.1.0.0/24` - Internet sharing from fuchsia (Ethernet to printer) +- `10.2.0.0/24` - Reserved for future internet sharing from another host +- `10.3.0.0/24` - Reserved for future internet sharing from another host +- `10.39.179.0/24` - WireGuard VPN on Raspberry Pi +- `172.17.0.0/16` - Docker default bridge network (viridian) + +**Conventions:** +- Internet connection sharing uses `10.N.0.0/24` where N is 1, 2, 3, etc. +- Gateway host is always `10.N.0.1` +- DHCP pools typically use `10.N.0.2` through `10.N.0.10` +- Keep VPN/tunnel ranges in the `10.30.0.0/16` and higher space + ### Line Length Keep all Nix code to a maximum of 100 characters per line for consistency. diff --git a/nixos/fuchsia/services/default.nix b/nixos/fuchsia/services/default.nix index b689b8e..28685fc 100644 --- a/nixos/fuchsia/services/default.nix +++ b/nixos/fuchsia/services/default.nix @@ -3,6 +3,7 @@ ./amdgpu-clocks ./borgbackup ./flatpak + ./internet-sharing ./libinput ./pipewire ./printing diff --git a/nixos/fuchsia/services/internet-sharing/default.nix b/nixos/fuchsia/services/internet-sharing/default.nix new file mode 100644 index 0000000..b6459a3 --- /dev/null +++ b/nixos/fuchsia/services/internet-sharing/default.nix 
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ # Internet connection sharing for 3D printer over Ethernet
+ # Shares WiFi connection (wlo1) to Ethernet (enp34s0) using 10.1.0.0/24
+
+ # Enable IP forwarding to route traffic between interfaces
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ networking = {
+ # Tell NetworkManager not to manage the Ethernet interface
+ networkmanager.unmanaged = ["enp34s0"];
+
+ # Configure static IP on Ethernet interface
+ interfaces.enp34s0 = {
+ useDHCP = false;
+ ipv4.addresses = [
+ {
+ address = "10.1.0.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ # Firewall configuration for connection sharing
+ firewall = {
+ # Allow DHCP and DNS traffic on the Ethernet interface
+ interfaces.enp34s0 = {
+ allowedUDPPorts = [
+ 53 # DNS queries
+ 67 # DHCP server
+ ];
+ };
+
+ # Allow traffic forwarding
+ extraCommands = ''
+ # NAT: masquerade traffic from Ethernet going to WiFi
+ iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
+ # Allow forwarding from Ethernet to WiFi
+ iptables -A FORWARD -i enp34s0 -o wlo1 -j ACCEPT
+ # Allow established connections back from WiFi to Ethernet
+ iptables -A FORWARD -i wlo1 -o enp34s0 -m state \
+ --state RELATED,ESTABLISHED -j ACCEPT
+ '';
+ };
+ };
+
+ # DHCP server for automatic IP assignment to printer
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # Only listen on the Ethernet interface
+ interface = "enp34s0";
+ # Bind only to specified interface
+ bind-interfaces = true;
+ # Don't read /etc/resolv.conf
+ no-resolv = true;
+ # DHCP range: 10.1.0.2 through 10.1.0.10, 24h lease
+ dhcp-range = ["10.1.0.2,10.1.0.10,24h"];
+ # Upstream DNS: Pi-hole for ad-blocking and network-wide filtering
+ server = ["192.168.50.249"];
+ # Gateway for DHCP clients
+ dhcp-option = ["option:router,10.1.0.1"];
+ # Static DHCP reservation for 3D printer (BigTreeTech CB1)
+ dhcp-host = [
+ "5a:0a:da:dc:b8:2f,10.1.0.2,bigtreetech-cb1,infinite"
+ ];
+ };
+ };
+}
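Review bot: The two `iptables -A FORWARD ... -j ACCEPT` rules in `extraCommands` only restrict anything if the FORWARD chain's policy is DROP, and nothing in this hunk sets it; unless that is done elsewhere on fuchsia the allow-list is a no-op and traffic is forwarded in both directions, including new connections from the WiFi side into the printer segment. The MASQUERADE and FORWARD rules are also appended straight to the built-in chains with no matching `extraStopCommands`, so they can accumulate across firewall restarts; `networking.nat` with `externalInterface = "wlo1"; internalInterfaces = ["enp34s0"];` keeps the masquerade rule in a NixOS-managed chain that is re-created cleanly. Separately, `"net.ipv6.conf.all.forwarding" = 1` is set while every rule here is `iptables` (IPv4 only) and nothing in this file configures IPv6 on enp34s0 or in dnsmasq, so that sysctl turns on unfiltered IPv6 routing; drop it unless IPv6 sharing is intended. If forwarding is meant to be limited to the printer segment, make the policy explicit and undo it on stop, as below (adjust if other forwarding is needed on this host).
```nix
  # Enable IPv4 forwarding only; nothing configures IPv6 on the shared segment
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking = {
    # … unchanged: networkmanager.unmanaged, interfaces.enp34s0 …

    # Masquerade the printer segment behind the WiFi uplink using the
    # NixOS-managed NAT chains instead of a hand-appended POSTROUTING rule
    nat = {
      enable = true;
      externalInterface = "wlo1";
      internalInterfaces = ["enp34s0"];
    };

    firewall = {
      # … unchanged: interfaces.enp34s0.allowedUDPPorts …

      # Default-deny forwarding so the two ACCEPT rules are the whole allow-list
      extraCommands = ''
        iptables -P FORWARD DROP
        iptables -A FORWARD -i enp34s0 -o wlo1 -j ACCEPT
        iptables -A FORWARD -i wlo1 -o enp34s0 -m state \
          --state RELATED,ESTABLISHED -j ACCEPT
      '';
      # Remove what extraCommands added so rules do not pile up
      extraStopCommands = ''
        iptables -D FORWARD -i enp34s0 -o wlo1 -j ACCEPT 2>/dev/null || true
        iptables -D FORWARD -i wlo1 -o enp34s0 -m state \
          --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
        iptables -P FORWARD ACCEPT
      '';
    };
  };
```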