1 { pkgs, lib, config, machineName, ... }:
4 inherit (builtins.extraBuiltins) pass-to-file;
5 inherit (config) networking users;
6 lanIPv4 = "192.168.1.215";
7 lanNet = "192.168.1.0/24";
8 lanIPv4Gateway = "192.168.1.1";
12 networking/nftables.nix
14 boot.initrd.network = {
18 # To prevent ssh from freaking out because a different host key is used,
19 # a different port for dropbear is useful
20 # (assuming the same host has also a normal sshd running)
22 authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
24 # This will automatically load the zfs password prompt on login
25 # and kill the other prompt so boot can continue
26 # The pkill zfs kills the zfs load-key from the console
27 # allowing the boot to continue.
29 echo >>/root/.profile "zfs load-key -a && pkill zfs"
33 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
34 a 91.216.110.35/32 becomes a 91.216.110.35/8
35 boot.kernelParams = map
36 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
37 [ { clientIP = netIPv4; serverIP = "";
38 gatewayIP = networking.defaultGateway.address;
39 netmask = "255.255.255.255";
40 hostname = ""; device = networking.defaultGateway.interface;
43 { clientIP = lanIPv4; serverIP = "";
45 netmask = "255.255.255.0";
46 hostname = ""; device = "enp2s0";
51 /* DIY network config, but a right one */
52 boot.initrd.preLVMCommands = ''
57 ip address add ${lanIPv4}/32 dev enp5s0
58 ip route add ${lanIPv4Gateway} dev enp5s0
59 ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
60 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
61 ip route add default via ${lanIPv4Gateway} dev enp5s0
64 #ip -6 address add ''${lanIPv6} dev enp5s0
65 #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
66 #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
75 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
76 # we have to run the postCommands ourselves.
77 ${config.boot.initrd.network.postCommands}
79 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
80 #boot.initrd.kernelModules = [ "ipv6" ];
82 # Useless without an out-of-band access, and unsecure
83 # (though / may still be encrypted at this point).
84 # boot.kernelParams = [ "boot.shell_on_fail" ];
86 # Disable IPv6 entirely until it's available
87 boot.kernel.sysctl = {
88 "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
92 hostName = machineName;
93 domain = "sourcephile.fr";
97 address = lanIPv4Gateway;
102 address = lanIPv6Gateway;
103 interface = "enp5s0";
107 nftables.ruleset = ''
108 add rule inet filter input iifname "enp5s0" goto net2fw
109 add rule inet filter output oifname "enp5s0" jump fw2net
110 add rule inet filter output oifname "enp5s0" log level warn prefix \"fw2net: \" counter drop
111 add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
112 add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
114 interfaces.enp5s0 = {
116 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
117 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
120 ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
121 { address = "fe80::1"; prefixLength = 10; }
123 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
126 interfaces.wlp4s0 = {