{ pkgs, lib, config, ipv4, ... }:
# Network configuration of the mermet host:
#  - initrd networking with a dropbear SSH server, so that the ZFS encryption
#    key can be entered remotely at boot (see postCommands below),
#  - static IPv4 addressing on the public interface (enp1s0) and on the LAN
#    interface (enp2s0), done both in the initrd and in the booted system,
#  - the per-interface dispatch rules of the nftables ruleset,
#  - the listen address of the knot DNS server.
# `ipv4` (the public address of the host) is supplied as a module argument.
#
# `with builtins;` brings the builtins into scope; none of the uncommented
# code below appears to need it (only the commented-out kernelParams used map).
with builtins;
let
  # Extra builtin (from builtins.extraBuiltins) used below to turn a pass(1)
  # entry into a file path; its implementation lives outside this file.
  inherit (builtins.extraBuiltins) pass-to-file;
  # NOTE: `networking` here is config.networking, i.e. the final merged value,
  # not the attrset defined further down in this file.
  inherit (config) networking users;
  # Public (WAN) address and gateway, on enp1s0. IPv6 is not in use yet.
  netIPv4 = ipv4;
  netIPv4Gateway = "80.67.180.134";
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";
  # Private (LAN) address, network and gateway, on enp2s0.
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  # Shared nftables setup; presumably the file defining the net2fw/fw2net and
  # lan2fw/fw2lan chains that the ruleset below jumps into.
  imports = [
    networking/nftables.nix
  ];
  # Networking inside the initrd: needed because / is on encrypted ZFS and the
  # key is entered remotely over dropbear (see postCommands).
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh from freaking out because a different host key is used,
      # a different port for dropbear is useful
      # (assuming the same host has also a normal sshd running)
      port = 2222;
      # The initrd needs a cleartext key and is built on the host,
      # hence this key needs to be cleartext on the host.
      # Moreover building the initrd means that the key will go into the Nix store,
      # of the host, then of the target on deployment,
      # because GRUB does not support boot.initrd.secrets
      # (only systemd-boot does, but sticking to GRUB is more reassuring).
      # In any case, the initrd is sent to a non-encrypted /boot partition
      # to be able to start unattended, hence the key will be available
      # to anyone who has physically access to the disk where /boot is.
      # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
      # NOTE(review): since this key is recoverable by anyone who can read the
      # Nix store or /boot, clients should only trust it for the port-2222
      # initrd service; it must not be reused as the host key of the normal sshd.
      hostKeys = [
        (pass-to-file "servers/mermet/ssh/ecdsa.key"
          (../../../sec + "/tmp/mermet.ecdsa.key"))
      ];

      # Same public keys as those the normal sshd accepts for root.
      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
    };
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    # The command is appended to the initrd's /root/.profile, so it runs when
    # someone logs in over dropbear. It is also re-run at the end of
    # preLVMCommands below.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  # Static addressing done by hand in the initrd (see the warning above).
  # `set -x` echoes these commands to the console; they only contain the
  # addresses defined at the top of this file, no secret.
  # Both addresses are added as /32, hence the explicit on-link host route to
  # the WAN gateway before the default route through it, and the explicit
  # ${lanNet} route on enp2s0.
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 net
    ip link set enp1s0 up
    ip address add ${netIPv4}/32 dev enp1s0
    ip route add ${netIPv4Gateway} dev enp1s0
    ip route add default via ${netIPv4Gateway} dev enp1s0

    # IPv4 lan
    ip link set enp2s0 up
    ip address add ${lanIPv4}/32 dev enp2s0
    ip route add ${lanIPv4Gateway} dev enp2s0
    ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}

    # IPv6 net
    #ip -6 address add ''${netIPv6} dev enp1s0
    #ip -6 route add ''${netIPv6Gateway} dev enp1s0
    #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';

  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 entirely until it's available
  # NOTE(review): this only covers enp1s0; enp2s0 and enp3s0 are not touched
  # by this sysctl. The nftables ruleset below is in the `inet` family, so it
  # applies to IPv6 traffic as well as IPv4 on those interfaces.
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
  };

  # knot listens on the public IPv4 address only (the IPv6 listener is
  # commented out like the rest of the IPv6 setup). mkBefore puts this
  # snippet ahead of any other extraConfig contribution.
  services.knot.extraConfig = lib.mkBefore ''
    server:
      listen: ${netIPv4}@53
      #listen: ::@53
  '';

  # `rec` lets domain refer to domainBase. Note that
  # `networking.defaultGateway.address` used inside refers to config.networking
  # (inherited at the top of the file), not to this attrset.
  networking = rec {
    hostName = "mermet";
    domainBase = "sourcephile";
    domain = "${domainBase}.fr";

    useDHCP = false;
    # Default route through the WAN gateway on enp1s0.
    defaultGateway = {
      address = netIPv4Gateway;
      interface = "enp1s0";
    };
    /*
    defaultGateway6 = {
      address = netIPv6Gateway;
      interface = "enp1s0";
    };
    */
    #nameservers = [ ];
    # Dispatch traffic per interface into the direction-specific chains
    # (net2fw/fw2net for the WAN side, lan2fw/fw2lan for the LAN side), which
    # are expected to be defined in the imported networking/nftables.nix.
    # `goto` does not return to the calling chain.
    # NOTE(review): there is no dispatch rule for enp3s0 (configured below),
    # so its traffic is handled by whatever follows these rules in the
    # input/output chains of the imported file.
    nftables.ruleset = ''
      add rule inet filter input iifname "enp1s0" goto net2fw
      add rule inet filter output oifname "enp1s0" goto fw2net

      add rule inet filter input iifname "enp2s0" goto lan2fw
      add rule inet filter output oifname "enp2s0" goto fw2lan
    '';
    # WAN interface: /32 address plus a host route to the gateway, mirroring
    # what preLVMCommands does in the initrd.
    interfaces.enp1s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

      /*
      ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
    # LAN interface: unlike the initrd (which uses /32 plus an explicit
    # ${lanNet} route), the booted system gets the address with its /24 prefix.
    interfaces.enp2s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      /*
      # FIXME: remove this /1 hack when the machine will be racked at PTT
      ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                      { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                    ];
      */
      /*
      ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
      ipv6.routes = [ ];
      */
    };
    # Third interface: declared only to opt out of DHCP; no address is assigned.
    interfaces.enp3s0 = {
      useDHCP = false;
    };
  };
}