1 { pkgs, lib, config, hostName, ipv4, hosts, ... }:
4 inherit (config) networking users;
6 netIPv4Gateway = "80.67.180.134";
7 #netIPv6 = "2001:912:400:104::35";
8 #netIPv6Gateway = "2001:912:400:104::1";
9 lanIPv4 = "192.168.1.214";
10 lanNet = "192.168.1.0/24";
11 lanIPv4Gateway = "192.168.1.1";
15 networking/nftables.nix
17 networking/wireguard.nix
20 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
21 a 91.216.110.35/32 becomes a 91.216.110.35/8
22 boot.kernelParams = map
23 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
24 [ { clientIP = netIPv4; serverIP = "";
25 gatewayIP = networking.defaultGateway.address;
26 netmask = "255.255.255.255";
27 hostname = ""; device = networking.defaultGateway.interface;
30 { clientIP = lanIPv4; serverIP = "";
32 netmask = "255.255.255.0";
33 hostname = ""; device = "enp2s0";
38 /* DIY network config, but a right one */
39 boot.initrd.preLVMCommands = ''
44 ip address add ${netIPv4}/32 dev enp1s0
45 ip route add ${netIPv4Gateway} dev enp1s0
46 ip route add default via ${netIPv4Gateway} dev enp1s0
50 ip address add ${lanIPv4}/32 dev enp2s0
51 ip route add ${lanIPv4Gateway} dev enp2s0
52 ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
53 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
56 #ip -6 address add ''${netIPv6} dev enp1s0
57 #ip -6 route add ''${netIPv6Gateway} dev enp1s0
58 #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0
67 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
68 # we have to run the postCommands ourselves.
69 ${config.boot.initrd.network.postCommands}
72 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
73 # TODO: the issue is now closed
74 #boot.initrd.kernelModules = [ "ipv6" ];
76 # Useless without out-of-band access, and insecure
77 # (though / may still be encrypted at this point).
78 # boot.kernelParams = [ "boot.shell_on_fail" ];
80 # Disable IPv6 entirely until it's available
81 boot.kernel.sysctl = {
82 "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
85 services.knot.extraConfig = lib.mkBefore ''
93 domain = "sourcephile.fr";
97 address = netIPv4Gateway;
102 address = netIPv6Gateway;
103 interface = "enp1s0";
107 nftables.ruleset = ''
108 add rule inet filter input iifname "enp1s0" goto net2fw
109 add rule inet filter output oifname "enp1s0" jump fw2net
110 add rule inet filter output oifname "enp1s0" log level warn prefix "fw2net: " counter drop
112 add rule inet filter input iifname "enp2s0" goto lan2fw
113 add rule inet filter output oifname "enp2s0" goto fw2lan
115 interfaces.enp1s0 = {
117 ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
118 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
121 ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
122 { address = "fe80::1"; prefixLength = 10; }
124 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
127 interfaces.enp2s0 = {
129 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
131 # FIXME: remove this /1 hack once the host is racked at PTT
132 ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
133 { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
137 ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
141 interfaces.enp3s0 = {