nftables: fix buggy ip6 nexthdr
# Networking for host losurdo: the modules it pulls in, the initrd network
# (so the ZFS key prompt can be reached before stage 2), the firewall rules
# that are specific to the LAN interface enp5s0, and that interface's
# address configuration.
{ pkgs, lib, config, hostName, ... }:
# NOTE(review): the active code below references no builtin unqualified;
# only the commented-out blocks use `map`, which is in scope anyway.
with builtins;
let
  inherit (config) networking;
  # Only lanNet is used by active code (the nftables ruleset below);
  # lanIPv4 and lanIPv4Gateway are referenced solely by the commented-out
  # alternatives and are kept for them.
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard/intranet.nix
    networking/wireguard/extranet.nix
    #networking/tor.nix
    networking/nsupdate.nix
    networking/wireless.nix
    networking/openvpn.nix
  ];

  boot.initrd.network = {
    enable = true;
    # The interface configuration done in the initrd is not carried over
    # into stage 2; stage 2 configures enp5s0 itself (see
    # networking.interfaces.enp5s0 below).
    flushBeforeStage2 = true;
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    # Nothing secret is written here: only the command is appended to the
    # initrd root's .profile, so it runs when someone logs into the initrd
    # (presumably over the initrd SSH set up in networking/ssh.nix — confirm);
    # the passphrase itself is typed interactively at that prompt.
    postCommands = ''
      echo >>/root/.profile "zfs load-key ${hostName} && pkill zfs"
    '';
    # Retry DHCP forever (because in case of power failure,
    # the router may take longer to boot).
    # Beware that this is not interruptible with Ctrl-C
    udhcpc.extraArgs = [ "--retries=0" ];
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  /*
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 lan
    ip link set enp5s0 up
    ip address add ${lanIPv4}/32 dev enp5s0
    ip route add ${lanIPv4Gateway} dev enp5s0
    ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    ip route add default via ${lanIPv4Gateway} dev enp5s0

    # IPv6 net
    #ip -6 address add ''${lanIPv6} dev enp5s0
    #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
    #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x
  '';
  */
  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and insecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  /*
  # Disable IPv6 entirely until it's available
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
  };
  */

  networking = {
    hostName = hostName;
    domain = "sourcephile.fr";

    # DHCP is off globally and enabled per interface on enp5s0 below.
    useDHCP = false;
    enableIPv6 = true;
    /*
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = "enp5s0";
    };
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];
  };

  # Firewall rules specific to enp5s0 (the LAN side). The chains net2fw and
  # fw2net are not defined in this file — presumably they come from
  # networking/nftables.nix — and `add rule` appends to whatever they
  # already contain, so confirm the resulting rule order there.
  #  - inbound traffic from enp5s0 is dispatched to net2fw without
  #    returning (goto);
  #  - outbound traffic to enp5s0 is checked by fw2net, and anything fw2net
  #    does not accept is logged with prefix "fw2net: " and dropped;
  #  - fw2net accepts everything destined to the LAN subnet (lanNet);
  #  - every packet leaving through enp5s0 is masqueraded.
  # NOTE(review): the masquerade rule matches on the egress interface only;
  # if it is meant for the VPN subnets (wireguard/openvpn modules imported
  # above) alone, a source-address match would narrow it — confirm intent.
  networking.nftables.ruleset = ''
    add rule inet filter input iifname "enp5s0" goto net2fw
    add rule inet filter output oifname "enp5s0" jump fw2net
    add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
    add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
    add rule inet nat postrouting oifname "enp5s0" masquerade
  '';
  # IPv6 address generation mode for enp5s0.
  # NOTE(review): per the kernel's ip-sysctl documentation, 1 means "do not
  # generate a link-local address; EUI64 (MAC-derived) is still used for
  # autoconf addresses", whereas the stable-privacy (RFC 7217) scheme that
  # the commented stable_secret block below would rely on is mode 2. The
  # comment below suggests the aim is to avoid MAC-based SLAAC addresses —
  # confirm 1 is the intended value.
  boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
  /*
  security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
  # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
  system.activationScripts.ipv6 = ''
    ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
  '';
  */
  networking.interfaces.enp5s0 = {
    # The LAN address is obtained by DHCP; the static configuration below
    # (which would also need the commented-out default gateways above) is
    # kept for reference only.
    useDHCP = true;
    /*
    ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];

    ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
    ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                       { address = "fe80::1"; prefixLength = 10; }
                     ];
    ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
    */
  };
}