nix: fix PASSWORD_STORE_DIR
# NixOS module: network configuration of the "mermet" machine.
#
# Covers three layers that must agree with each other:
#   - the initrd (early boot) network, so the ZFS passphrase can be entered
#     over SSH (dropbear on port 2222) before the root filesystem is unlocked;
#   - the stage-2 `networking.*` configuration (addresses, routes, nftables);
#   - per-interface IPv6 disabling and the knot listen address.
#
# Arguments: `machineName` becomes the hostname, `ipv4` is this host's public
# address, `machines` gives access to the other hosts' `extraArgs` (used for the
# losurdo egress rule). The other names are the usual NixOS module arguments.
{ pkgs, lib, config, machineName, ipv4, machines, ... }:
with builtins;
let
  inherit (config) networking users;
  # Public (WAN) side, on enp1s0.
  netIPv4 = ipv4;
  netIPv4Gateway = "80.67.180.134";
  # IPv6 is not available yet; kept for when it is (see also the sysctl below).
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";
  # Private (LAN) side, on enp2s0.
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  # Firewall chains (net2fw, fw2net, lan2fw, fw2lan), sshd and WireGuard are
  # configured in these sibling modules; this file only references them.
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard.nix
  ];
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh from freaking out because a different host key is used,
      # a different port for dropbear is useful
      # (assuming the same host has also a normal sshd running)
      port = 2222;
      # Whoever holds one of root's keys can reach the initrd shell, i.e. the
      # environment where the ZFS passphrase is typed; keep that key list tight.
      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
      # NOTE(review): no dropbear host key is set in this file; presumably
      # networking/ssh.nix provides it — confirm, so the initrd key is not
      # regenerated on every build.
    };
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  # Runs before LVM/ZFS setup in the initrd. Order matters: each interface is
  # brought up, given its address, then the gateway host route is added before
  # any route that goes through it.
  # `set -x` echoes these commands to the console; only the addresses above are
  # interpolated, so nothing secret is traced.
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 net
    # The address is a /32, so the gateway is not on-link: it needs its own
    # host route on enp1s0 before the default route can point to it.
    ip link set enp1s0 up
    ip address add ${netIPv4}/32 dev enp1s0
    ip route add ${netIPv4Gateway} dev enp1s0
    ip route add default via ${netIPv4Gateway} dev enp1s0

    # IPv4 lan
    # Same /32 + explicit routes approach on the LAN side (stage-2 uses a /24).
    ip link set enp2s0 up
    ip address add ${lanIPv4}/32 dev enp2s0
    ip route add ${lanIPv4Gateway} dev enp2s0
    ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}

    # IPv6 net
    #ip -6 address add ''${netIPv6} dev enp1s0
    #ip -6 route add ''${netIPv6Gateway} dev enp1s0
    #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';

  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 on the public interface (enp1s0 only) until it's available.
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
  };

  # Make knot listen on the public IPv4 address only (no IPv6 yet).
  # mkBefore puts this `server:` section ahead of the rest of the knot config.
  services.knot.extraConfig = lib.mkBefore ''
    server:
      listen: ${netIPv4}@53
      #listen: ::@53
  '';

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    useDHCP = false;
    defaultGateway = {
      address = netIPv4Gateway;
      interface = "enp1s0";
    };
    /*
    defaultGateway6 = {
      address = netIPv6Gateway;
      interface = "enp1s0";
    };
    */
    #nameservers = [ ];
    # Dispatch rules only; the net2fw/fw2net/lan2fw/fw2lan chains themselves
    # are expected to come from networking/nftables.nix.
    # Egress on enp1s0 is default-deny: whatever fw2net does not accept falls
    # through to the log+drop rule, which is why losurdo gets an explicit accept.
    nftables.ruleset = ''
      add rule inet filter input iifname "enp1s0" goto net2fw
      add rule inet filter output oifname "enp1s0" jump fw2net
      add rule inet filter output oifname "enp1s0" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${machines.losurdo.extraArgs.ipv4} counter accept comment "losurdo"

      add rule inet filter input iifname "enp2s0" goto lan2fw
      add rule inet filter output oifname "enp2s0" goto fw2lan
    '';
    # Public interface: /32 address plus a host route to the gateway,
    # mirroring what preLVMCommands does in the initrd.
    interfaces.enp1s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

      /*
      ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
    # LAN interface: a plain /24 here (the initrd uses /32 + an explicit net route).
    interfaces.enp2s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      /*
      # FIXME: remove this /1 hack when the machine will be racked at PTT
      ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                      { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                    ];
      */
      /*
      ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
      ipv6.routes = [ ];
      */
    };
    # Third NIC: left unconfigured, just kept out of DHCP.
    interfaces.enp3s0 = {
      useDHCP = false;
    };
  };
}