From 5fcb54cc6342b03f9a5643d61cb6e052ce4f8d09 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny <dth@taiga.ai>
Date: Wed, 1 Apr 2026 13:04:19 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20NAT=20+=20DHCP=20on=20phantom-ship=20et?=
 =?UTF-8?q?hernet=20for=20rusty-anchor=20install=20=F0=9F=8C=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Shares WiFi internet to rusty-anchor over ethernet via dnsmasq DHCP
and iptables NAT. Rusty-anchor gets DHCP on 10.0.0.x with phantom-ship
as gateway and DNS.
---
 nixos/hosts/phantom-ship.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index c981e50..d2a236e 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -13,6 +13,26 @@ in
   networking.useDHCP = lib.mkDefault true;
   networking.wireless.enable = true;  # credentials in /etc/wpa_supplicant.conf (outside repo)
 
+  # NAT: share WiFi internet to rusty-anchor over ethernet
+  networking.nat = {
+    enable = true;
+    externalInterface = "wlp1s0";
+    internalInterfaces = [ "enp0s31f6" ];
+  };
+  networking.interfaces.enp0s31f6.ipv4.addresses = [{
+    address = "10.0.0.1";
+    prefixLength = 24;
+  }];
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      interface = "enp0s31f6";
+      dhcp-range = "10.0.0.10,10.0.0.50,24h";
+      dhcp-option = [ "3,10.0.0.1" "6,10.0.0.1" ];  # gateway + DNS
+    };
+  };
+  networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
+
   hardware.enableRedistributableFirmware = true;  # iwlwifi (Intel 8260) + GPU + BT firmware
   time.timeZone = "Europe/Copenhagen";