1 { pkgs, lib, config, machineName, ... }:
2 with builtins;
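let
  inherit (config) networking users;
  # Static IPv4 addressing of the LAN side (enp5s0); nothing in this file uses DHCP.
  # NOTE: the previous `inherit (builtins.extraBuiltins) pass-to-file;` was dropped:
  # nothing in this file referenced it, and it tied evaluation to a non-standard builtin.
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in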
10 {
# Presumably where the base chains and the net2fw / fw2net chains used by the
# ruleset below are declared (not visible from this file) — verify there.
imports = [ ./networking/nftables.nix ];
boot.initrd.network = {
  enable = true;

  # Stage-1 SSH, so the ZFS passphrase can be entered remotely.
  # The initrd daemon has its own host key, different from the running
  # system's sshd; serving it on another port keeps clients from refusing
  # the connection over a host-key mismatch (known_hosts entries for a
  # non-default port are kept separately).
  ssh.enable = true;
  ssh.port = 2222;
  # Whoever can log in here gets to type the ZFS key: only root's keys are trusted.
  ssh.authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
  # NOTE(review): no initrd host key is pinned here (e.g. boot.initrd.network.ssh.hostKeys
  # or the older dropbear host*Key options). Depending on the NixOS release the module
  # either refuses to build without one or generates one at build time into the
  # world-readable Nix store — confirm which applies and pin a persistent key, otherwise
  # users are trained to accept a changing host key before typing the passphrase.
  # NOTE(review): presumably no packet filter runs in stage 1 (nftables is a stage-2
  # service), so port 2222 is reachable from the whole LAN while the key is awaited.

  # Appended to the initrd root's .profile: the first interactive (SSH) login
  # prompts for and loads the ZFS keys, then `pkill zfs` ends the `zfs load-key`
  # prompt still waiting on the console so stage 1 can continue.
  postCommands = ''
    echo >>/root/.profile "zfs load-key -a && pkill zfs"
  '';
};
32
/* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
an address given with a 255.255.255.255 netmask (91.216.110.35/32) ends up as 91.216.110.35/8.
Kept for reference only: it refers to netIPv4 and enp2s0, neither of which this file
defines or uses any more; the hand-written preLVMCommands below replace it.
35 boot.kernelParams = map
36 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
37 [ { clientIP = netIPv4; serverIP = "";
38 gatewayIP = networking.defaultGateway.address;
39 netmask = "255.255.255.255";
40 hostname = ""; device = networking.defaultGateway.interface;
41 autoconf = "off";
42 }
43 { clientIP = lanIPv4; serverIP = "";
44 gatewayIP = "";
45 netmask = "255.255.255.0";
46 hostname = ""; device = "enp2s0";
47 autoconf = "off";
48 }
49 ];
50 */
/* DIY network config, but a right one: the stage-1 (initrd) IPv4 setup is
   done by hand with `ip` because the ip= kernel parameter mangles the prefix
   length (see the WARNING above). The address is added as /32 and the LAN is
   reached through an explicit ${lanNet} route, because initrd's `ip` rejects
   the ${lanIPv4}/24 form (see the NOTE inside the script). The IPv6 lines stay
   commented out until IPv6 is available (see the sysctl below).
   boot.initrd.network.postCommands is interpolated at the end on purpose: the
   module only runs it when it saw an ip= parameter (hasNetwork=1), and this
   file sets none — presumably that is also where the initrd ssh daemon gets
   started, so without this line there would be no remote key prompt; verify.
   NOTE(review): if an ip= parameter is ever added back, postCommands would
   presumably run twice (the module's copy and this one) — check before doing so.
   `set -x` traces every command to the console; only addresses appear, no secrets. */
boot.initrd.preLVMCommands = ''
set -x

# IPv4 lan
ip link set enp5s0 up
ip address add ${lanIPv4}/32 dev enp5s0
ip route add ${lanIPv4Gateway} dev enp5s0
ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
# NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
ip route add default via ${lanIPv4Gateway} dev enp5s0

# IPv6 net
#ip -6 address add ''${lanIPv6} dev enp5s0
#ip -6 route add ''${lanIPv6Gateway} dev enp5s0
#ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0

ip -4 address
ip -4 route
#ip -6 address
#ip -6 route

set +x

# Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
# we have to run the postCommands ourselves.
${config.boot.initrd.network.postCommands}
'';
79 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
80 #boot.initrd.kernelModules = [ "ipv6" ];
81
# Deliberately left off: boot.shell_on_fail drops into an unauthenticated root shell
# in the initrd when stage 1 fails, so it is insecure for anyone with console access,
# and useless here anyway without out-of-band console access
# (the root filesystem is still encrypted at that point, but the shell itself is root).
84 # boot.kernelParams = [ "boot.shell_on_fail" ];
85
# IPv6 is not available yet: switch it off on the LAN interface.
# NOTE(review): this is per-interface (enp5s0), not "entirely" — wlp4s0, lo and any
# future interface keep IPv6 unless net.ipv6.conf.all / .default.disable_ipv6 are set too;
# the nftables rules below only match `ip` (IPv4) addresses, so keep this in mind when
# IPv6 is turned on.
boot.kernel.sysctl."net.ipv6.conf.enp5s0.disable_ipv6" = 1;
90
networking = {
  hostName = machineName;
  domain = "sourcephile.fr";

  # Everything is static: no DHCP on any interface. wlp4s0 is declared below
  # solely to opt it out of DHCP; it gets no address here.
  useDHCP = false;

  defaultGateway.address = lanIPv4Gateway;
  defaultGateway.interface = "enp5s0";
  /*
  defaultGateway6 = {
    address = lanIPv6Gateway;
    interface = "enp5s0";
  };
  */
  #nameservers = [ ];

  # Rules appended to chains that are not defined in this file (presumably in
  # networking/nftables.nix): inbound on enp5s0 is handed to net2fw; outbound on
  # enp5s0 must be accepted by fw2net, anything else is logged and dropped
  # (fail-closed). Here fw2net only opens the LAN and SSDP multicast (UDP 1900).
  # wlp4s0 gets no rule here, so its traffic is left to the base chains' policies.
  # NOTE(review): the `ip daddr` matches are IPv4-only; once IPv6 is enabled the
  # `inet` output chain will drop all IPv6 egress until `ip6` counterparts exist.
  # NOTE(review): the log prefix is written with `\"` while the comment on the next
  # line uses plain `"`; nft -f expects a plain quoted string — confirm the ruleset
  # actually loads with this line in place.
  nftables.ruleset = ''
    add rule inet filter input iifname "enp5s0" goto net2fw
    add rule inet filter output oifname "enp5s0" jump fw2net
    add rule inet filter output oifname "enp5s0" log level warn prefix \"fw2net: \" counter drop
    add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
    add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
  '';

  interfaces = {
    enp5s0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      # Explicit host route to the gateway; it already lies inside the /24 above,
      # so this is belt-and-braces rather than required.
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
      /*
      ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
    wlp4s0.useDHCP = false;
  };
};
130 }