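{ pkgs, lib, config, ipv4, ... }:
with builtins;
let
  # Already-evaluated options of this host: `networking` is read below
  # (defaultGateway, interfaces), `users` for root's authorized SSH keys.
  inherit (config) networking users;
  # Public IPv4 address of this host. `ipv4` is not a stock NixOS module
  # argument; it has to be supplied by the caller (e.g. via specialArgs or
  # _module.args) — the module does not evaluate without it.
  netIPv4 = ipv4;
  # Upstream router of the public address. The host carries a /32 on
  # enp1s0, so the gateway is only reachable through the explicit on-link
  # route configured further down.
  netIPv4Gateway = "80.67.180.134";
  # IPv6 is not available yet; see the disable_ipv6 sysctl below.
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";
  # RFC 1918 LAN hanging off enp2s0.
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in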
14 {
# The nftables chains targeted further down (net2fw, fw2net, lan2fw,
# fw2lan) are expected to be declared in this file, together with the
# base chains and their default policies.
imports = [ ./networking/nftables.nix ];
boot.initrd.network = {
  enable = true;
  ssh = {
    enable = true;
    # Dropbear in the initrd answers on 2222 rather than 22: the stage-1
    # host key is not the one the regular sshd presents once booted, and a
    # separate port keeps the two entries apart in clients' known_hosts.
    # NOTE(review): no host key is pinned here, so unless the initrd key is
    # made persistent elsewhere, a client has no way to authenticate the
    # host before typing the ZFS passphrase into this session — confirm.
    port = 2222;
    # Same keys as root's on the booted system.
    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
  };
  # Whoever logs in over dropbear is prompted by .profile to load the ZFS
  # keys; once that succeeds, the `zfs load-key` still waiting on the
  # console is killed so stage 1 can carry on.
  postCommands = ''
    echo >>/root/.profile "zfs load-key -a && pkill zfs"
  '';
};
36
37 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
38 a 91.216.110.35/32 becomes a 91.216.110.35/8
39 boot.kernelParams = map
40 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
41 [ { clientIP = netIPv4; serverIP = "";
42 gatewayIP = networking.defaultGateway.address;
43 netmask = "255.255.255.255";
44 hostname = ""; device = networking.defaultGateway.interface;
45 autoconf = "off";
46 }
47 { clientIP = lanIPv4; serverIP = "";
48 gatewayIP = "";
49 netmask = "255.255.255.0";
50 hostname = ""; device = "enp2s0";
51 autoconf = "off";
52 }
53 ];
54 */
/* Hand-rolled initrd network setup: explicit ip(8) commands that do what the ip= kernel parameter above gets wrong (the /32 prefix). */
# Stage-1 (initrd) network setup, run before the LVM/ZFS steps so that
# the dropbear unlock session from boot.initrd.network.ssh is reachable.
# It mirrors the runtime configuration in `networking` below: the
# public /32 on enp1s0 with an on-link route to the gateway, and the LAN
# on enp2s0 as a /32 plus an explicit route for the /24 (see the NOTE
# inside about the initrd's ip not accepting ${lanIPv4}/24).
# `set -x` echoes every command to the console; only interface names and
# addresses are shown, nothing secret.
# The trailing ${config.boot.initrd.network.postCommands} runs the
# postCommands by hand because, as the comment inside says, this path
# never sets hasNetwork=1; presumably that is also what brings dropbear
# up here (NixOS hooks its start into postCommands) — confirm.
# NOTE(review): if the ip= kernel parameters above were ever re-enabled,
# postCommands would likely run a second time through the stock path.
# The ''${netIPv6} lines use the ''$ escape, so they are emitted as
# literal text inside shell comments; harmless while commented out.
boot.initrd.preLVMCommands = ''
set -x

# IPv4 net
ip link set enp1s0 up
ip address add ${netIPv4}/32 dev enp1s0
ip route add ${netIPv4Gateway} dev enp1s0
ip route add default via ${netIPv4Gateway} dev enp1s0

# IPv4 lan
ip link set enp2s0 up
ip address add ${lanIPv4}/32 dev enp2s0
ip route add ${lanIPv4Gateway} dev enp2s0
ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
# NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}

# IPv6 net
#ip -6 address add ''${netIPv6} dev enp1s0
#ip -6 route add ''${netIPv6Gateway} dev enp1s0
#ip -6 route add default via ''${netIPv6Gateway} dev enp1s0

ip -4 address
ip -4 route
#ip -6 address
#ip -6 route

set +x

# Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
# we have to run the postCommands ourselves.
${config.boot.initrd.network.postCommands}
'';
88
89 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
90 #boot.initrd.kernelModules = [ "ipv6" ];
91
# Useless without out-of-band (console) access, and insecure: it drops
# into an unauthenticated shell in the initrd whenever stage 1 fails
# (though / may still be encrypted at this point).
94 # boot.kernelParams = [ "boot.shell_on_fail" ];
95
# IPv6 is not available upstream yet: switch it off on the public
# interface. Note this only covers enp1s0; enp2s0 and enp3s0 keep the
# kernel's IPv6 (link-local) behaviour, and the nftables rules below are
# in the inet family, so they see that traffic as well.
boot.kernel.sysctl."net.ipv6.conf.enp1s0.disable_ipv6" = 1;
100
# Authoritative DNS listens on the public IPv4 address only; mkBefore
# places this `server:` section ahead of any other extraConfig fragment.
# The IPv6 listener stays commented out until IPv6 is available.
# (knot.conf is YAML-like: `listen` must remain indented under `server`
# in the source file.)
services.knot.extraConfig = lib.mkBefore ''
server:
listen: ${netIPv4}@53
#listen: ::@53
'';
106
# Runtime (stage-2) network configuration; it must stay in step with the
# stage-1 setup in boot.initrd.preLVMCommands above.
networking = rec {
hostName = "mermet";
# domainBase is not a stock NixOS option; presumably declared by one of
# this repository's own modules — verify before renaming.
domainBase = "sourcephile";
domain = "${domainBase}.fr";

useDHCP = false;
# Public side: the gateway is off-subnet for a /32, hence the explicit
# on-link route in interfaces.enp1s0.ipv4.routes.
defaultGateway = {
address = netIPv4Gateway;
interface = "enp1s0";
};
/*
defaultGateway6 = {
address = netIPv6Gateway;
interface = "enp1s0";
};
*/
#nameservers = [ ];
# Per-interface dispatch into the chains expected from
# networking/nftables.nix. Only enp1s0 and enp2s0 are classified here;
# traffic on enp3s0 (and lo) falls through to the base chains' default
# policy, which lives in that file and is not visible from here. Being
# `add rule` statements, their position relative to any conntrack or
# loopback accepts also depends on how that file assembles the ruleset.
nftables.ruleset = ''
add rule inet filter input iifname "enp1s0" goto net2fw
add rule inet filter output oifname "enp1s0" goto fw2net

add rule inet filter input iifname "enp2s0" goto lan2fw
add rule inet filter output oifname "enp2s0" goto fw2lan
'';
interfaces.enp1s0 = {
useDHCP = false;
ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
# `networking` here is the let-bound config.networking, not this rec
# set; the value is the same as defaultGateway.address above.
ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

/*
ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
{ address = "fe80::1"; prefixLength = 10; }
];
ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
*/
};
# LAN side gets the /24 directly (stage 1 used a /32 plus a net route).
interfaces.enp2s0 = {
useDHCP = false;
ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
/*
# FIXME: remove this /1 hack when the machine will be racked at PTT
ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
{ address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
];
*/
/*
ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
ipv6.routes = [ ];
*/
};
# Third NIC: declared only so it is not brought up by DHCP; no address.
interfaces.enp3s0 = {
useDHCP = false;
};
};
161 }