hosts/losurdo/networking.nix

   1 { pkgs, lib, config, hostName, ... }:
   2 with builtins;
   3 let
   4   inherit (config) networking;
   5   lanIPv4        = "192.168.1.215";
   6   lanNet         = "192.168.1.0/24";
   7   lanIPv4Gateway = "192.168.1.1";
   8 in
   9 {
  10 imports = [
  11   networking/nftables.nix
  12   networking/ssh.nix
  13   networking/wireguard/intranet.nix
  14   networking/wireguard/extranet.nix
  15   #networking/tor.nix
  16   networking/nsupdate.nix
  17   networking/wireless.nix
  18   networking/openvpn.nix
  19 ];
  20
  21 boot.initrd.network = {
  22   enable = true;
  23   flushBeforeStage2 = true;
  24   # This will automatically load the zfs password prompt on login
  25   # and kill the other prompt so boot can continue
  26   # The pkill zfs kills the zfs load-key from the console
  27   # allowing the boot to continue.
  28   postCommands = ''
  29     echo >>/root/.profile "zfs load-key ${hostName} && pkill zfs"
  30   '';
  31 };
  32
  33 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
  34    a 91.216.110.35/32 becomes a 91.216.110.35/8
  35 boot.kernelParams = map
  36   (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
  37   [ { clientIP = netIPv4; serverIP = "";
  38       gatewayIP = networking.defaultGateway.address;
  39       netmask = "255.255.255.255";
  40       hostname = ""; device = networking.defaultGateway.interface;
  41       autoconf = "off";
  42     }
  43     { clientIP = lanIPv4; serverIP = "";
  44       gatewayIP = "";
  45       netmask = "255.255.255.0";
  46       hostname = ""; device = "enp2s0";
  47       autoconf = "off";
  48     }
  49   ];
  50 */
  51 /* DIY network config, but a right one */
  52 /*
  53 boot.initrd.preLVMCommands = ''
  54   set -x
  55
  56   # IPv4 lan
  57   ip link set enp5s0 up
  58   ip address add ${lanIPv4}/32 dev enp5s0
  59   ip route add ${lanIPv4Gateway} dev enp5s0
  60   ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
  61     # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
  62   ip route add default via ${lanIPv4Gateway} dev enp5s0
  63
  64   # IPv6 net
  65   #ip -6 address add ''${lanIPv6} dev enp5s0
  66   #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
  67   #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
  68
  69   ip -4 address
  70   ip -4 route
  71   #ip -6 address
  72   #ip -6 route
  73
  74   set +x
  75 '';
  76 */
  77 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  78 #boot.initrd.kernelModules = [ "ipv6" ];
  79
  80 # Useless without an out-of-band access, and unsecure
  81 # (though / may still be encrypted at this point).
  82 # boot.kernelParams = [ "boot.shell_on_fail" ];
  83
  84 /*
  85 # Disable IPv6 entirely until it's available
  86 boot.kernel.sysctl = {
  87   "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
  88 };
  89 */
  90
  91 networking = {
  92   hostName = hostName;
  93   domain = "sourcephile.fr";
  94
  95   useDHCP = false;
  96   enableIPv6 = true;
  97   /*
  98   defaultGateway = {
  99     address = lanIPv4Gateway;
 100     interface = "enp5s0";
 101   };
 102   defaultGateway6 = {
 103     address = lanIPv6Gateway;
 104     interface = "enp5s0";
 105   };
 106   */
 107   #nameservers = [ ];
 108 };
 109
 110 networking.nftables.ruleset = ''
 111   add rule inet filter input  iifname "enp5s0" goto net2fw
 112   add rule inet filter output oifname "enp5s0" jump fw2net
 113   add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
 114   add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
 115   add rule inet nat postrouting oifname "enp5s0" masquerade
 116 '';
 117 boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
 118 /*
 119 security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
 120 # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
 121 system.activationScripts.ipv6 = ''
 122   ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
 123 '';
 124 */
 125 networking.interfaces.enp5s0 = {
 126   useDHCP = true;
 127   /*
 128   ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
 129
 130   ipv4.routes    = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
 131   ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
 132                      { address = "fe80::1"; prefixLength = 10; }
 133                    ];
 134   ipv6.routes    = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
 135   */
 136 };
 137 }