feat(fuchsia): add internet sharing service for 3D printer

Enables internet connection sharing from WiFi (wlo1) to Ethernet (enp34s0)
to provide network access for the 3D printer. Includes DHCP server with
static IP reservation, DNS forwarding through Pi-hole, and NAT configuration.

CLAUDE.md

@@ -171,10 +171,13 @@ Services are organized by host in `nixos/<hostname>/services/`:
 - **Unfree packages**: Add to allowlist in `nixos/common/global/default.nix`
 
 ### Testing Changes
-1. Build configuration: `just build <hostname>`
-2. Check for evaluation errors: `nix flake check`
-3. Review changes before switching
-4. Switch: `just switch <hostname>` (local) or `just deploy <hostname>` (remote)
+1. **IMPORTANT**: Stage new files with git before building or checking
+   - Nix flakes only evaluate files tracked in git
+   - Run `git add <file>` for any new files before `nix flake check` or build
+2. Build configuration: `just build <hostname>`
+3. Check for evaluation errors: `nix flake check`
+4. Review changes before switching
+5. Switch: `just switch <hostname>` (local) or `just deploy <hostname>` (remote)
 
 ### Managing Secrets
 - Secrets are encrypted per-host and stored in
@@ -186,6 +189,23 @@ Services are organized by host in `nixos/<hostname>/services/`:
 
 ## Important Conventions
 
+### Network IP Allocation
+This infrastructure uses the following IP range scheme to avoid conflicts:
+
+**Allocated Ranges:**
+- `192.168.50.0/24` - Home router/main LAN
+- `10.1.0.0/24` - Internet sharing from fuchsia (Ethernet to printer)
+- `10.2.0.0/24` - Reserved for future internet sharing from another host
+- `10.3.0.0/24` - Reserved for future internet sharing from another host
+- `10.39.179.0/24` - WireGuard VPN on Raspberry Pi
+- `172.17.0.0/16` - Docker default bridge network (viridian)
+
+**Conventions:**
+- Internet connection sharing uses `10.N.0.0/24` where N is 1, 2, 3, etc.
+- Gateway host is always `10.N.0.1`
+- DHCP pools typically use `10.N.0.2` through `10.N.0.10`
+- Keep VPN/tunnel ranges in the `10.30.0.0/16` and higher space
+
 ### Line Length
 Keep all Nix code to a maximum of 100 characters per line for consistency.
 

nixos/fuchsia/services/default.nix

@@ -3,6 +3,7 @@
     ./amdgpu-clocks
     ./borgbackup
     ./flatpak
+    ./internet-sharing
     ./libinput
     ./pipewire
     ./printing

nixos/fuchsia/services/internet-sharing/default.nix

@@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Internet connection sharing for 3D printer over Ethernet
+  # Shares WiFi connection (wlo1) to Ethernet (enp34s0) using 10.1.0.0/24
+
+  # Enable IP forwarding to route traffic between interfaces
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+
+  networking = {
+    # Tell NetworkManager not to manage the Ethernet interface
+    networkmanager.unmanaged = ["enp34s0"];
+
+    # Configure static IP on Ethernet interface
+    interfaces.enp34s0 = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "10.1.0.1";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    # Firewall configuration for connection sharing
+    firewall = {
+      # Allow DHCP and DNS traffic on the Ethernet interface
+      interfaces.enp34s0 = {
+        allowedUDPPorts = [
+          53  # DNS queries
+          67  # DHCP server
+        ];
+      };
+
+      # Allow traffic forwarding
+      extraCommands = ''
+        # NAT: masquerade traffic from Ethernet going to WiFi
+        iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
+        # Allow forwarding from Ethernet to WiFi
+        iptables -A FORWARD -i enp34s0 -o wlo1 -j ACCEPT
+        # Allow established connections back from WiFi to Ethernet
+        iptables -A FORWARD -i wlo1 -o enp34s0 -m state \
+          --state RELATED,ESTABLISHED -j ACCEPT
+      '';
+    };
+  };
+
+  # DHCP server for automatic IP assignment to printer
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # Only listen on the Ethernet interface
+      interface = "enp34s0";
+      # Bind only to specified interface
+      bind-interfaces = true;
+      # Don't read /etc/resolv.conf
+      no-resolv = true;
+      # DHCP range: 10.1.0.2 through 10.1.0.10, 24h lease
+      dhcp-range = ["10.1.0.2,10.1.0.10,24h"];
+      # Upstream DNS: Pi-hole for ad-blocking and network-wide filtering
+      server = ["192.168.50.249"];
+      # Gateway for DHCP clients
+      dhcp-option = ["option:router,10.1.0.1"];
+      # Static DHCP reservation for 3D printer (BigTreeTech CB1)
+      dhcp-host = [
+        "5a:0a:da:dc:b8:2f,10.1.0.2,bigtreetech-cb1,infinite"
+      ];
+    };
+  };
+}