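{ pkgs, lib, config, machineName, ipv4, machines, ... }:
# Network configuration of the mermet machine: WAN on enp1s0 (single public
# /32, on-link gateway), LAN on enp2s0, enp3s0 unused, IPv6 disabled until the
# provider delivers it. The initrd also brings the network up so the ZFS
# passphrase can be entered remotely over ssh (dropbear) before stage 2.
let
  inherit (config) networking users;
  # WAN side (enp1s0).
  netIPv4 = ipv4;
  netIPv4Gateway = "80.67.180.134";
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";
  # LAN side (enp2s0).
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard.nix
  ];
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh from freaking out because a different host key is used,
      # a different port for dropbear is useful
      # (assuming the same host has also a normal sshd running)
      port = 2222;
      # NOTE(review): no hostKeys are pinned in this file. The ZFS passphrase is
      # typed into this session (see postCommands), so confirm that the dropbear
      # host key is persistent and known to the operators' clients; with a
      # per-boot key a spoofed initrd host cannot be told apart from the real one.
      # Root's regular authorized keys are reused here: whoever can ssh as root
      # into the running system can also unlock the pools from the initrd, and
      # the sshd hardening of networking/ssh.nix does not apply to dropbear.
      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
    };
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    # These commands are run by the preLVMCommands below (see the note there),
    # not by the stage-1 network script, because no ip= kernel parameter is set.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
  a 91.216.110.35/32 becomes a 91.216.110.35/8
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  boot.initrd.preLVMCommands = ''
    # Tracing only prints the ip(8) commands and their addresses; no secret
    # is handled in this section.
    set -x

    # IPv4 net
    ip link set enp1s0 up
    ip address add ${netIPv4}/32 dev enp1s0
    # The gateway is not inside the /32, so it needs an explicit on-link route first.
    ip route add ${netIPv4Gateway} dev enp1s0
    ip route add default via ${netIPv4Gateway} dev enp1s0

    # IPv4 lan
    ip link set enp2s0 up
    ip address add ${lanIPv4}/32 dev enp2s0
    ip route add ${lanIPv4Gateway} dev enp2s0
    ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}

    # IPv6 net
    #ip -6 address add ''${netIPv6} dev enp1s0
    #ip -6 route add ''${netIPv6Gateway} dev enp1s0
    #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    # NOTE(review): if an ip= kernel parameter is ever re-enabled, hasNetwork
    # becomes 1 and the stage-1 script runs postCommands a second time
    # (duplicated /root/.profile line, second dropbear start); drop this
    # line in that case.
    ${config.boot.initrd.network.postCommands}
  '';

  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 entirely until it's available.
  # Only the WAN interface is covered: enp2s0 keeps its IPv6 link-local
  # address, which is why the nftables rules below use the inet family.
  boot.kernel.sysctl = {
    "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
  };

  # Authoritative DNS listens on the public IPv4 address only.
  services.knot.extraConfig = lib.mkBefore ''
    server:
      listen: ${netIPv4}@53
      #listen: ::@53
  '';

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    useDHCP = false;
    defaultGateway = {
      address = netIPv4Gateway;
      interface = "enp1s0";
    };
    /*
    defaultGateway6 = {
      address = netIPv6Gateway;
      interface = "enp1s0";
    };
    */
    #nameservers = [ ];
    # Per-interface dispatch into the net2fw/fw2net/lan2fw/fw2lan chains,
    # which are expected to be declared in networking/nftables.nix.
    # WAN egress is default-deny: anything fw2net does not accept is logged
    # and dropped; the only WAN destination accepted here is losurdo.
    nftables.ruleset = ''
      add rule inet filter input iifname "enp1s0" goto net2fw
      add rule inet filter output oifname "enp1s0" jump fw2net
      add rule inet filter output oifname "enp1s0" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${machines.losurdo.extraArgs.ipv4} counter accept comment "losurdo"

      add rule inet filter input iifname "enp2s0" goto lan2fw
      add rule inet filter output oifname "enp2s0" goto fw2lan
    '';
    interfaces.enp1s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
      # Host route to the gateway, required because it is outside the /32.
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

      /*
      ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
    interfaces.enp2s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      /*
      # FIXME: remove this /1 hack when the machine will be racked at PTT
      ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                      { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                    ];
      */
      /*
      ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
      ipv6.routes = [ ];
      */
    };
    # Unused port: no DHCP, no address.
    interfaces.enp3s0 = {
      useDHCP = false;
    };
  };
}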