tor: improve type-checking and hardening (bis)

[sourcephile-nix.git] / machines / losurdo / networking.nix

{ pkgs, lib, config, machineName, machines, wireguard, ... }:
with builtins;
let
  inherit (config) networking;
  #lanIPv4        = "192.168.1.215";
  lanNet         = "192.168.1.0/24";
  #lanIPv4Gateway = "192.168.1.1";
in
{
imports = [
  networking/nftables.nix
  networking/ssh.nix
  networking/wireguard.nix
  networking/tor.nix
];

boot.initrd.network = {
  enable = true;
  flushBeforeStage2 = true;
  # This will automatically load the zfs password prompt on login
  # and kill the other prompt so boot can continue
  # The pkill zfs kills the zfs load-key from the console
  # allowing the boot to continue.
  postCommands = ''
    echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
  '';
};

/* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
   a 91.216.110.35/32 becomes a 91.216.110.35/8
boot.kernelParams = map
  (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
  [ { clientIP = netIPv4; serverIP = "";
      gatewayIP = networking.defaultGateway.address;
      netmask = "255.255.255.255";
      hostname = ""; device = networking.defaultGateway.interface;
      autoconf = "off";
    }
    { clientIP = lanIPv4; serverIP = "";
      gatewayIP = "";
      netmask = "255.255.255.0";
      hostname = ""; device = "enp2s0";
      autoconf = "off";
    }
  ];
*/
/* DIY network config, but a right one */
/*
boot.initrd.preLVMCommands = ''
  set -x

  # IPv4 lan
  ip link set enp5s0 up
  ip address add ${lanIPv4}/32 dev enp5s0
  ip route add ${lanIPv4Gateway} dev enp5s0
  ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
  ip route add default via ${lanIPv4Gateway} dev enp5s0

  # IPv6 net
  #ip -6 address add ''${lanIPv6} dev enp5s0
  #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
  #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0

  ip -4 address
  ip -4 route
  #ip -6 address
  #ip -6 route

  set +x

  # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
  # we have to run the postCommands ourselves.
  ${config.boot.initrd.network.postCommands}
'';
*/
# Workaround https://github.com/NixOS/nixpkgs/issues/56822
#boot.initrd.kernelModules = [ "ipv6" ];

# Useless without an out-of-band access, and unsecure
# (though / may still be encrypted at this point).
# boot.kernelParams = [ "boot.shell_on_fail" ];

/*
# Disable IPv6 entirely until it's available
boot.kernel.sysctl = {
  "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
};
*/

networking = {
  hostName = machineName;
  domain = "sourcephile.fr";

  useDHCP = false;
  enableIPv6 = true;
  /*
  defaultGateway = {
    address = lanIPv4Gateway;
    interface = "enp5s0";
  };
  defaultGateway6 = {
    address = lanIPv6Gateway;
    interface = "enp5s0";
  };
  */
  #nameservers = [ ];
};

networking.nftables.ruleset = ''
  add rule inet filter input  iifname "enp5s0" goto net2fw
  add rule inet filter output oifname "enp5s0" jump fw2net
  add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
  add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
'';
networking.interfaces.enp5s0 = {
  useDHCP = true;
  #ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
  #ipv4.routes    = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

  /*
  ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                     { address = "fe80::1"; prefixLength = 10; }
                   ];
  ipv6.routes    = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
  */
};
networking.interfaces.wlp4s0 = {
  useDHCP = false;
};
}