{ pkgs, lib, config, machineName, ... }:
with builtins;
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  # Static LAN parameters. Only lanNet is referenced by the active
  # configuration below (the nftables LAN rule); lanIPv4 and
  # lanIPv4Gateway are kept for the commented-out static-addressing
  # variants further down.
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard/intranet.nix
    networking/wireguard/extranet.nix
    networking/tor.nix
    networking/nsupdate.nix
    networking/upnpc.nix
    networking/wireless.nix
    networking/openvpn.nix
  ];

  boot = {
    initrd.network = {
      enable = true;
      flushBeforeStage2 = true;
      # Make the initrd's interactive login (see networking/ssh.nix)
      # prompt for the ZFS encryption key: the line appended to
      # /root/.profile runs `zfs load-key` for this machine's pool and,
      # once the key is loaded, kills the `zfs load-key` that blocks the
      # console so stage 2 can proceed.
      postCommands = ''
        echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
      '';
    };

    # addr_gen_mode = 1 is the kernel's "none" mode: enp5s0 gets no
    # kernel-generated (EUI-64, MAC-derived) link-local address,
    # presumably to avoid exposing the MAC in IPv6 addresses.
    # NOTE(review): the stable_secret activation block below is commented
    # out, so nothing currently moves the interface to stable-privacy
    # addressing; confirm enp5s0 still obtains the IPv6 addresses it needs
    # in this mode.
    kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  /*
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 lan
    ip link set enp5s0 up
    ip address add ${lanIPv4}/32 dev enp5s0
    ip route add ${lanIPv4Gateway} dev enp5s0
    ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    ip route add default via ${lanIPv4Gateway} dev enp5s0

    # IPv6 net
    #ip -6 address add ''${lanIPv6} dev enp5s0
    #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
    #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x
  '';
  */
  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without out-of-band access, and insecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  /*
  # Disable IPv6 entirely until it's available
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
  };
  */

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    # Addressing is per-interface (see interfaces.enp5s0 below), not global.
    useDHCP = false;
    enableIPv6 = true;
    /*
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = "enp5s0";
    };
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];

    # Firewall hooks for the LAN uplink: inbound traffic is handed to the
    # net2fw chain, outbound traffic to fw2net; whatever fw2net does not
    # accept is logged and dropped. The chains themselves are defined in
    # networking/nftables.nix.
    nftables.ruleset = ''
      add rule inet filter input iifname "enp5s0" goto net2fw
      add rule inet filter output oifname "enp5s0" jump fw2net
      add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
      add rule inet nat postrouting oifname "enp5s0" masquerade
    '';

    /*
    security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
    # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
    system.activationScripts.ipv6 = ''
      ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
    '';
    */

    # The LAN uplink is configured by DHCP; the static alternative is kept
    # below for reference.
    interfaces.enp5s0 = {
      useDHCP = true;
      /*
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];

      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
      ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
  };
}