1 { pkgs, lib, config, machineName, ... }:
4 inherit (builtins.extraBuiltins) pass-to-file;
5 inherit (config) networking users;
6 lanIPv4 = "192.168.1.215";
7 lanNet = "192.168.1.0/24";
8 lanIPv4Gateway = "192.168.1.1";
12 networking/nftables.nix
15 boot.initrd.network = {
19 # To prevent ssh from freaking out because a different host key is used,
20 # a different port for dropbear is useful
21 # (assuming the same host has also a normal sshd running)
23 authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
25 # This will automatically load the zfs password prompt on login
26 # and kill the other prompt so boot can continue
27 # The pkill zfs kills the zfs load-key from the console
28 # allowing the boot to continue.
30 echo >>/root/.profile "zfs load-key -a && pkill zfs"
34 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
35 a 91.216.110.35/32 becomes a 91.216.110.35/8
36 boot.kernelParams = map
37 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
38 [ { clientIP = netIPv4; serverIP = "";
39 gatewayIP = networking.defaultGateway.address;
40 netmask = "255.255.255.255";
41 hostname = ""; device = networking.defaultGateway.interface;
44 { clientIP = lanIPv4; serverIP = "";
46 netmask = "255.255.255.0";
47 hostname = ""; device = "enp2s0";
52 /* DIY network config, but a right one */
53 boot.initrd.preLVMCommands = ''
58 ip address add ${lanIPv4}/32 dev enp5s0
59 ip route add ${lanIPv4Gateway} dev enp5s0
60 ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
61 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
62 ip route add default via ${lanIPv4Gateway} dev enp5s0
65 #ip -6 address add ''${lanIPv6} dev enp5s0
66 #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
67 #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
76 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
77 # we have to run the postCommands ourselves.
78 ${config.boot.initrd.network.postCommands}
80 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
81 #boot.initrd.kernelModules = [ "ipv6" ];
83 # Useless without an out-of-band access, and unsecure
84 # (though / may still be encrypted at this point).
85 # boot.kernelParams = [ "boot.shell_on_fail" ];
87 # Disable IPv6 entirely until it's available
88 boot.kernel.sysctl = {
89 "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
93 hostName = machineName;
94 domain = "sourcephile.fr";
98 address = lanIPv4Gateway;
103 address = lanIPv6Gateway;
104 interface = "enp5s0";
108 nftables.ruleset = ''
109 add rule inet filter input iifname "enp5s0" goto net2fw
110 add rule inet filter output oifname "enp5s0" jump fw2net
111 add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
112 add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
113 add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
115 interfaces.enp5s0 = {
117 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
118 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
121 ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
122 { address = "fe80::1"; prefixLength = 10; }
124 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
127 interfaces.wlp4s0 = {