# NixOS networking module for host losurdo: initrd networking (so the encrypted
# ZFS pool can be unlocked from a remote login), a default-deny egress nftables
# policy on enp5s0, the IPv6 address-generation mode of enp5s0, and DHCP on
# enp5s0.  Firewall chains, SSH, WireGuard, Tor, nsupdate, wireless and OpenVPN
# are split out into the files listed in `imports`.
{ pkgs, lib, config, hostName, ... }:
# Only the disabled kernelParams block below (its `map` call) relies on this.
with builtins;
let
  # `networking` and `gnupg` are currently referenced only from disabled blocks.
  inherit (config) networking;
  inherit (config.security) gnupg;
  # LAN addressing.  Only lanNet is used by live code (the nftables ruleset);
  # lanIPv4 and lanIPv4Gateway are kept for the disabled static-config blocks.
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard/intranet.nix
    networking/wireguard/extranet.nix
    networking/tor.nix
    networking/nsupdate.nix
    networking/wireless.nix
    networking/openvpn.nix
  ];

  boot.initrd.network = {
    enable = true;
    # Clear the interface configuration set up by the initrd right before
    # stage 2 takes over, so stage 2 starts from a clean network state.
    flushBeforeStage2 = true;
    # A login into the initrd (presumably SSH, set up in networking/ssh.nix —
    # confirm) runs `zfs load-key` from the initrd root's .profile, which
    # prompts for the pool passphrase; `pkill zfs` then kills the `zfs load-key`
    # prompt running on the console so the boot can continue.
    postCommands = ''
      echo >>/root/.profile "zfs load-key ${hostName} && pkill zfs"
    '';
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  /*
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 lan
    ip link set enp5s0 up
    ip address add ${lanIPv4}/32 dev enp5s0
    ip route add ${lanIPv4Gateway} dev enp5s0
    ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    ip route add default via ${lanIPv4Gateway} dev enp5s0

    # IPv6 net
    #ip -6 address add ''${lanIPv6} dev enp5s0
    #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
    #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x
  '';
  */
  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and insecure: it hands out a shell
  # in the initrd when stage 1 fails
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  /*
  # Disable IPv6 entirely until it's available
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
  };
  */

  networking = {
    hostName = hostName;
    domain = "sourcephile.fr";

    # No global DHCP: only enp5s0 (configured below) requests a lease.
    useDHCP = false;
    enableIPv6 = true;
    /*
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = "enp5s0";
    };
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];
  };

  # Rules specific to enp5s0.  The net2fw and fw2net chains are not defined in
  # this file (presumably in networking/nftables.nix — confirm).
  #  - input:  traffic arriving on enp5s0 is handed to net2fw; `goto` does not
  #            return, so that chain alone decides the verdict.
  #  - output: traffic leaving via enp5s0 goes through fw2net (`jump` returns);
  #            whatever fw2net does not accept reaches the next rule and is
  #            logged and dropped, i.e. egress on enp5s0 is default-deny.
  #  - fw2net: destinations inside the LAN are logged and accepted.
  #  - nat:    everything forwarded out of enp5s0 is masqueraded; the rule has
  #            no source restriction, so what may be forwarded at all is up to
  #            the forward chain, defined elsewhere.
  networking.nftables.ruleset = ''
    add rule inet filter input iifname "enp5s0" goto net2fw
    add rule inet filter output oifname "enp5s0" jump fw2net
    add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
    add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
    add rule inet nat postrouting oifname "enp5s0" masquerade
  '';
  # addr_gen_mode 1 is "do nothing" in the kernel's ipv6 sysctl documentation:
  # no link-local and no autoconf (SLAAC) address is generated on enp5s0, so the
  # MAC-derived EUI-64 address is never exposed.  Mode 2 (RFC 7217 stable
  # privacy) would require the stable_secret setup kept below, still disabled.
  boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
  /*
  security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
  # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
  system.activationScripts.ipv6 = ''
    ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
  '';
  */
  # enp5s0 is the only interface that uses DHCP (networking.useDHCP is false
  # above); the static addressing below is kept for reference but disabled.
  networking.interfaces.enp5s0 = {
    useDHCP = true;
    /*
    ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];

    ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
    ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                       { address = "fe80::1"; prefixLength = 10; }
                     ];
    ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
    */
  };
}