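# hosts/mermet/networking.nix — network configuration of the "mermet" host.
#
# Two wired interfaces are configured statically: enp1s0 is the uplink
# (public IPv4 /32 with an on-link gateway), enp2s0 is the LAN side.
# The same addresses are brought up twice: once by hand in the initrd
# (preLVMCommands below) and once by the regular networking.* options.
# Firewall chains referenced by the nftables ruleset are declared in the
# imported networking/nftables.nix (not visible here).
{ pkgs, lib, config, hostName, ipv4, hosts, ... }:
let
  # The *evaluated* networking config (config.networking); used below only to
  # read defaultGateway back.  This is distinct from the `networking = { … }`
  # attrset this module returns.
  inherit (config) networking;
  netIPv4 = ipv4;
  netIPv4Gateway = "80.67.180.134";
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard.nix
  ];

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one.
     Runs in the initrd *before* LVM is activated, so the host is reachable on
     both interfaces early in boot (presumably for the initrd SSH configured in
     networking/ssh.nix — confirm there).  `set -x` only echoes the `ip`
     commands below to the console; no secrets are interpolated. */
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 net
    ip link set enp1s0 up
    ip address add ${netIPv4}/32 dev enp1s0
    ip route add ${netIPv4Gateway} dev enp1s0
    ip route add default via ${netIPv4Gateway} dev enp1s0

    # IPv4 lan
    ip link set enp2s0 up
    ip address add ${lanIPv4}/32 dev enp2s0
    ip route add ${lanIPv4Gateway} dev enp2s0
    ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}

    # IPv6 net
    #ip -6 address add ''${netIPv6} dev enp1s0
    #ip -6 route add ''${netIPv6Gateway} dev enp1s0
    #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';

  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  # TODO: the issue is now closed
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 on the uplink until it's available.
  # NOTE: this only covers enp1s0; enp2s0 and enp3s0 keep the kernel default
  # (an auto-configured link-local address).  Traffic on them is still subject
  # to the `inet` nftables rules below.  If IPv6 is meant to be off on every
  # interface, net.ipv6.conf.all.disable_ipv6 / net.ipv6.conf.default.disable_ipv6
  # would be needed as well.
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
  };

  # Authoritative DNS: bind only to the public IPv4 address, not 0.0.0.0.
  services.knot.extraConfig = lib.mkBefore ''
    server:
      listen: ${netIPv4}@53
      #listen: ::@53
  '';

  networking = {
    inherit hostName;
    domain = "sourcephile.fr";

    useDHCP = false;
    defaultGateway = {
      address = netIPv4Gateway;
      interface = "enp1s0";
    };
    /*
    defaultGateway6 = {
      address = netIPv6Gateway;
      interface = "enp1s0";
    };
    */
    #nameservers = [ ];

    # Per-interface dispatch into the chains declared in networking/nftables.nix.
    # Note the asymmetry, which is deliberate as far as this file shows:
    #  - uplink output uses `jump`, so control returns here and anything fw2net
    #    did not accept is logged (prefix "fw2net: ") and dropped explicitly;
    #  - the `goto` rules do not return, so whatever net2fw/lan2fw/fw2lan leave
    #    undecided falls through to the base chain's policy (presumably set in
    #    networking/nftables.nix — confirm it is `drop`).
    nftables.ruleset = ''
      add rule inet filter input iifname "enp1s0" goto net2fw
      add rule inet filter output oifname "enp1s0" jump fw2net
      add rule inet filter output oifname "enp1s0" log level warn prefix "fw2net: " counter drop

      add rule inet filter input iifname "enp2s0" goto lan2fw
      add rule inet filter output oifname "enp2s0" goto fw2lan
    '';

    # Uplink: a single /32 with an explicit host route to the gateway, since
    # the gateway is not inside any on-link prefix.
    interfaces.enp1s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

      /*
      ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };

    # LAN side.
    interfaces.enp2s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      /*
      # FIXME: remove this /1 hack when the host will be racked at PTT
      ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                      { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                    ];
      */
      /*
      ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
      ipv6.routes = [ ];
      */
    };

    # Third port: unused, kept out of DHCP so nothing configures it by accident.
    interfaces.enp3s0 = {
      useDHCP = false;
    };
  };
}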