{ pkgs, lib, config, machineName, ... }:
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  # Wired LAN interface of this machine and its static IPv4 addressing.
  # No IPv6 addressing is configured yet; the commented-out blocks below
  # are the pending IPv6 variants.
  lanIface = "enp5s0";
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  # Per-concern sub-modules for this machine: firewall, SSH, WireGuard,
  # Tor and dynamic DNS updates.
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard/intranet.nix
    networking/wireguard/extranet.nix
    networking/tor.nix
    networking/nsupdate.nix
  ];

  boot = {
    initrd = {
      network = {
        enable = true;
        flushBeforeStage2 = true;
        # Each login on the initrd shell sources /root/.profile, so the line
        # appended here prompts for the key of the ZFS pool named after the
        # machine; `pkill zfs` then kills the `zfs load-key` still waiting on
        # the console, which lets the boot continue.
        # NOTE(review): the login presumably arrives over initrd SSH
        # (networking/ssh.nix) — confirm that module restricts the listener
        # to the intended keys, since whoever logs in is handed this prompt.
        postCommands = ''
          echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
        '';
      };

      /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
      a 91.216.110.35/32 becomes a 91.216.110.35/8
      kernelParams = map
        (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
        [ { clientIP = netIPv4; serverIP = "";
            gatewayIP = networking.defaultGateway.address;
            netmask = "255.255.255.255";
            hostname = ""; device = networking.defaultGateway.interface;
            autoconf = "off";
          }
          { clientIP = lanIPv4; serverIP = "";
            gatewayIP = "";
            netmask = "255.255.255.0";
            hostname = ""; device = "enp2s0";
            autoconf = "off";
          }
        ];
      */
      # Hand-written initrd network setup, replacing the unreliable ip= parameter.
      # `set -x` echoes every command to the console: only addresses and
      # interface names appear here, no secrets.
      preLVMCommands = ''
        set -x

        # IPv4 lan
        ip link set ${lanIface} up
        ip address add ${lanIPv4}/32 dev ${lanIface}
        ip route add ${lanIPv4Gateway} dev ${lanIface}
        ip route add ${lanNet} dev ${lanIface} src ${lanIPv4} proto kernel
        # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
        ip route add default via ${lanIPv4Gateway} dev ${lanIface}

        # IPv6 net
        #ip -6 address add ''${lanIPv6} dev ${lanIface}
        #ip -6 route add ''${lanIPv6Gateway} dev ${lanIface}
        #ip -6 route add default via ''${lanIPv6Gateway} dev ${lanIface}

        ip -4 address
        ip -4 route
        #ip -6 address
        #ip -6 route

        set +x
      '';
      # Workaround https://github.com/NixOS/nixpkgs/issues/56822
      #kernelModules = [ "ipv6" ];
    };

    # Useless without an out-of-band access, and unsecure
    # (though / may still be encrypted at this point).
    # kernelParams = [ "boot.shell_on_fail" ];

    /*
    # Disable IPv6 entirely until it's available
    kernel.sysctl = {
      "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
    };
    */

    # Per the kernel's ip-sysctl documentation, addr_gen_mode=1 means "do not
    # generate a link-local address" (0 = EUI-64, 2 = from stable_secret,
    # 3 = random stable-privacy). The commented-out block after this attrset
    # is the mode-2 variant, fed by a gnupg-managed stable_secret.
    # NOTE(review): with enableIPv6 = true and no IPv6 address declared on
    # enp5s0, this leaves the interface without any IPv6 address — confirm
    # that is the intent and not a leftover of the disable_ipv6 experiment.
    kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
  };

  /*
  security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
  # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
  system.activationScripts.ipv6 = ''
    ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
  '';
  */

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    # Static addressing only: DHCP is off globally and on every interface.
    useDHCP = false;
    enableIPv6 = true;
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = lanIface;
    };
    /*
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];

    interfaces = {
      enp5s0 = {
        useDHCP = false;
        ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];

        /*
        ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
        ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                           { address = "fe80::1"; prefixLength = 10; }
                         ];
        ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
        */
      };
      # wlp4s0 gets neither DHCP nor any address here.
      wlp4s0 = {
        useDHCP = false;
      };
    };

    # LAN-facing filter rules. The net2fw and fw2net chains are defined
    # elsewhere (presumably networking/nftables.nix — confirm). Egress on the
    # LAN interface is default-deny: whatever fw2net does not accept reaches
    # the log+drop rule and shows up in the log with the "fw2net: " prefix.
    # Traffic to the LAN itself is accepted (logged at info level), and
    # packets leaving enp5s0 through nat postrouting are masqueraded behind
    # the interface address.
    nftables.ruleset = ''
      add rule inet filter input iifname "${lanIface}" goto net2fw
      add rule inet filter output oifname "${lanIface}" jump fw2net
      add rule inet filter output oifname "${lanIface}" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
      add rule inet nat postrouting oifname "${lanIface}" masquerade
    '';
  };
}