1 { pkgs, lib, config, machineName, ... }:
4 inherit (builtins.extraBuiltins) pass-to-file;
5 inherit (config) networking users;
6 lanIPv4 = "192.168.1.215";
7 lanNet = "192.168.1.0/24";
8 lanIPv4Gateway = "192.168.1.1";
12 networking/nftables.nix
14 networking/wireguard.nix
16 boot.initrd.network = {
20 # To prevent ssh from freaking out because a different host key is used,
21 # a different port for dropbear is useful
22 # (assuming the same host has also a normal sshd running)
24 authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
26 # This will automatically load the zfs password prompt on login
27 # and kill the other prompt so boot can continue
28 # The pkill zfs kills the zfs load-key from the console
29 # allowing the boot to continue.
31 echo >>/root/.profile "zfs load-key -a && pkill zfs"
35 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
36 a 91.216.110.35/32 becomes a 91.216.110.35/8
37 boot.kernelParams = map
38 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
39 [ { clientIP = netIPv4; serverIP = "";
40 gatewayIP = networking.defaultGateway.address;
41 netmask = "255.255.255.255";
42 hostname = ""; device = networking.defaultGateway.interface;
45 { clientIP = lanIPv4; serverIP = "";
47 netmask = "255.255.255.0";
48 hostname = ""; device = "enp2s0";
53 /* DIY network config, but a right one */
54 boot.initrd.preLVMCommands = ''
59 ip address add ${lanIPv4}/32 dev enp5s0
60 ip route add ${lanIPv4Gateway} dev enp5s0
61 ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
62 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
63 ip route add default via ${lanIPv4Gateway} dev enp5s0
66 #ip -6 address add ''${lanIPv6} dev enp5s0
67 #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
68 #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
77 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
78 # we have to run the postCommands ourselves.
79 ${config.boot.initrd.network.postCommands}
81 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
82 #boot.initrd.kernelModules = [ "ipv6" ];
84 # Useless without an out-of-band access, and unsecure
85 # (though / may still be encrypted at this point).
86 # boot.kernelParams = [ "boot.shell_on_fail" ];
88 # Disable IPv6 entirely until it's available
89 boot.kernel.sysctl = {
90 "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
94 hostName = machineName;
95 domain = "sourcephile.fr";
99 address = lanIPv4Gateway;
100 interface = "enp5s0";
104 address = lanIPv6Gateway;
105 interface = "enp5s0";
109 nftables.ruleset = ''
110 add rule inet filter input iifname "enp5s0" goto net2fw
111 add rule inet filter output oifname "enp5s0" jump fw2net
112 add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
113 add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
114 add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
116 interfaces.enp5s0 = {
118 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
119 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
122 ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
123 { address = "fe80::1"; prefixLength = 10; }
125 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
128 interfaces.wlp4s0 = {