{ pkgs, lib, config, machineName, ... }:
with builtins;
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  # Wired LAN interface and its static IPv4 addressing: no DHCP is used
  # anywhere in this module, neither in the initrd nor in stage 2.
  lanInterface = "enp5s0";
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
    networking/wireguard/intranet.nix
    networking/wireguard/extranet.nix
    networking/tor.nix
  ];

  boot = {
    initrd = {
      network = {
        enable = true;
        flushBeforeStage2 = true;
        # Appended to the initrd root's .profile so that logging in (the initrd
        # network is enabled above, presumably for networking/ssh.nix) prompts
        # for the ZFS key of ${machineName}; once the key is loaded, the
        # console's own `zfs load-key` prompt is killed so boot can continue.
        postCommands = ''
          echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
        '';
      };

      /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
         a 91.216.110.35/32 becomes a 91.216.110.35/8
      boot.kernelParams = map
        (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
        [ { clientIP = netIPv4; serverIP = "";
            gatewayIP = networking.defaultGateway.address;
            netmask = "255.255.255.255";
            hostname = ""; device = networking.defaultGateway.interface;
            autoconf = "off";
          }
          { clientIP = lanIPv4; serverIP = "";
            gatewayIP = "";
            netmask = "255.255.255.0";
            hostname = ""; device = "enp2s0";
            autoconf = "off";
          }
        ];
      */
      # Hand-written initrd network setup (instead of the unreliable ip=
      # parameter above): bring the LAN interface up with a /32 host address,
      # then add the gateway, LAN and default routes explicitly.
      # `set -x` echoes each command to the console; none of them carries a secret.
      preLVMCommands = ''
        set -x

        # IPv4 lan
        ip link set ${lanInterface} up
        ip address add ${lanIPv4}/32 dev ${lanInterface}
        ip route add ${lanIPv4Gateway} dev ${lanInterface}
        ip route add ${lanNet} dev ${lanInterface} src ${lanIPv4} proto kernel
        # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
        ip route add default via ${lanIPv4Gateway} dev ${lanInterface}

        # IPv6 net
        #ip -6 address add ''${lanIPv6} dev ${lanInterface}
        #ip -6 route add ''${lanIPv6Gateway} dev ${lanInterface}
        #ip -6 route add default via ''${lanIPv6Gateway} dev ${lanInterface}

        ip -4 address
        ip -4 route
        #ip -6 address
        #ip -6 route

        set +x
      '';
      # Workaround https://github.com/NixOS/nixpkgs/issues/56822
      #kernelModules = [ "ipv6" ];
    };

    # Kept disabled: a rescue shell on boot failure is useless without
    # out-of-band access and insecure, since it hands a local console to
    # whoever reaches it (though / may still be encrypted at this point).
    # kernelParams = [ "boot.shell_on_fail" ];

    /*
    # Disable IPv6 entirely until it's available
    kernel.sysctl = {
      "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
    };
    */

    # addr_gen_mode 1 = do not auto-generate a link-local address on the LAN
    # interface (mode 0 would derive it from the MAC; mode 2, stable-privacy,
    # is what the commented-out stable_secret block below would need).
    kernel.sysctl."net.ipv6.conf.${lanInterface}.addr_gen_mode" = 1;
  };

  /*
  security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
  # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
  system.activationScripts.ipv6 = ''
    ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
  '';
  */

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    useDHCP = false;
    enableIPv6 = true;
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = lanInterface;
    };
    /*
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];

    # Rules for the LAN interface, on top of the chains declared in
    # networking/nftables.nix (net2fw / fw2net are defined there, presumably):
    # inbound traffic is handed to net2fw; outbound traffic that fw2net does
    # not accept is logged at level warn and dropped; fw2net itself only
    # accepts traffic destined to the LAN. The postrouting masquerade NATs
    # whatever leaves through this interface from other interfaces
    # (the wireguard/tor modules, presumably).
    nftables.ruleset = ''
      add rule inet filter input iifname "${lanInterface}" goto net2fw
      add rule inet filter output oifname "${lanInterface}" jump fw2net
      add rule inet filter output oifname "${lanInterface}" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
      add rule inet nat postrouting oifname "${lanInterface}" masquerade
    '';

    interfaces = {
      ${lanInterface} = {
        useDHCP = false;
        ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];

        /*
        ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
        ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                           { address = "fe80::1"; prefixLength = 10; }
                         ];
        ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
        */
      };
      # Wireless interface: explicitly left unconfigured (no DHCP).
      wlp4s0 = {
        useDHCP = false;
      };
    };
  };
}