{ pkgs, lib, config, machineName, ... }:
with builtins;
let
  inherit (builtins.extraBuiltins) pass-to-file;
  inherit (config) networking users;
  # Static addressing of this host on the wired LAN.  Nothing in this module
  # uses DHCP; the same values are used both by the initrd (hand-rolled
  # `ip` commands below) and by the installed system (networking.* below).
  lanIface = "enp5s0";
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard.nix
  ];

  ###########################################################################
  # Early boot: bring the network and an SSH server up inside the initrd so
  # the ZFS encryption key can be entered remotely.
  ###########################################################################
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # The initrd's dropbear presents a different host key than the
      # installed system's sshd.  Listening on a distinct port keeps SSH
      # clients from treating the "changed" key as an attack.
      port = 2222;
      # Whoever holds one of root's SSH keys may unlock the disks.
      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
      # NOTE(review): `hostKeys` is not set in this file.  Unless
      # networking/ssh.nix pins a persistent initrd host key, clients have
      # nothing to verify the unlock prompt against, and another host on
      # the LAN could impersonate it and receive the ZFS passphrase —
      # confirm where the initrd host key comes from.
    };
    # Queue the key prompt for the first initrd SSH login (root's shell
    # sources /root/.profile), then kill the `zfs load-key` that is blocking
    # on the console so the boot can carry on once the key is loaded.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /* Kernel-side configuration via the ip= parameter was tried first and is
     NOT reliable: a 91.216.110.35/32 came out as 91.216.110.35/8.  Kept for
     reference only — note it refers to a `netIPv4` that this file does not
     define, and to a device name (enp2s0) that predates the current enp5s0.

     boot.kernelParams = map
       (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
       [ { clientIP = netIPv4; serverIP = "";
           gatewayIP = networking.defaultGateway.address;
           netmask = "255.255.255.255";
           hostname = ""; device = networking.defaultGateway.interface;
           autoconf = "off";
         }
         { clientIP = lanIPv4; serverIP = "";
           gatewayIP = "";
           netmask = "255.255.255.0";
           hostname = ""; device = "enp2s0";
           autoconf = "off";
         }
       ];
  */

  # Hand-rolled initrd network setup (replaces the ip= attempt above).
  # Runs before LVM/ZFS so that the SSH unlock server is reachable.
  # `set -x` traces every command to the initrd console/log; nothing in
  # this script is secret.  The address is added as a /32 with explicit
  # routes because the initrd's `ip` rejects the /24 form (see the NOTE).
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 lan
    ip link set ${lanIface} up
    ip address add ${lanIPv4}/32 dev ${lanIface}
    ip route add ${lanIPv4Gateway} dev ${lanIface}
    ip route add ${lanNet} dev ${lanIface} src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    ip route add default via ${lanIPv4Gateway} dev ${lanIface}

    # IPv6 net
    #ip -6 address add ''${lanIPv6} dev ${lanIface}
    #ip -6 route add ''${lanIPv6Gateway} dev ${lanIface}
    #ip -6 route add default via ''${lanIPv6Gateway} dev ${lanIface}

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';
  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Deliberately NOT enabled: a failed boot would drop to an unauthenticated
  # root shell on the console, which is useless without out-of-band access
  # and unsafe (even though / may still be encrypted at that point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # No IPv6 on the wired interface until an address/gateway is available.
  # Only ${lanIface} is covered here; wlp4s0 and lo keep IPv6 enabled.
  boot.kernel.sysctl = {
    "net.ipv6.conf.${lanIface}.disable_ipv6" = 1;
  };

  ###########################################################################
  # Installed system.
  ###########################################################################
  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";
    useDHCP = false;
    #nameservers = [ ];

    defaultGateway = {
      address = lanIPv4Gateway;
      interface = lanIface;
    };
    # IPv6 gateway, pending a lanIPv6Gateway definition:
    # defaultGateway6 = { address = lanIPv6Gateway; interface = lanIface; };

    interfaces = {
      ${lanIface} = {
        useDHCP = false;
        ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
        # Explicit host route to the gateway, mirroring what the initrd sets up.
        ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
        # IPv6, pending lanIPv6 / lanIPv6Gateway definitions:
        # ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
        #                    { address = "fe80::1"; prefixLength = 10; }
        #                  ];
        # ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      };
      # Wi-Fi: present on the box but left unconfigured (no address, no DHCP).
      wlp4s0 = {
        useDHCP = false;
      };
    };

    # Firewall glue for the wired interface.  The net2fw and fw2net chains
    # are not declared here (presumably in networking/nftables.nix).
    # Ingress from the LAN is handed to net2fw; egress is default-deny: only
    # what fw2net accepts goes out, everything else is logged and dropped.
    # From this file fw2net permits the LAN itself and SSDP (UDP 1900) to
    # any multicast group.
    nftables.ruleset = ''
      add rule inet filter input iifname "${lanIface}" goto net2fw
      add rule inet filter output oifname "${lanIface}" jump fw2net
      add rule inet filter output oifname "${lanIface}" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
      add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
    '';
  };
}