ssh: add reverse ssh giving access to losurdo from mermet
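{ pkgs, lib, config, machineName, ... }:
with builtins;
let
  # Not referenced in this file; kept for callers/imports that may rely on it.
  inherit (builtins.extraBuiltins) pass-to-file;
  inherit (config) networking users;
  # The wired LAN interface. Every interface-specific setting below
  # (initrd network bring-up, sysctl, nftables, default gateway, interface
  # config) is derived from this one binding so a NIC rename is a single edit.
  lanIface = "enp5s0";
  lanIPv4 = "192.168.1.215";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";
in
{
  imports = [
    networking/nftables.nix
    networking/ssh.nix
  ];
  # Initrd networking + dropbear so the encrypted pools can be unlocked
  # remotely before the real system comes up.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh from freaking out because a different host key is used,
      # a different port for dropbear is useful
      # (assuming the same host has also a normal sshd running)
      port = 2222;
      # Reuses root's keys: any holder of one of them reaches the initrd
      # shell and, via postCommands below, triggers the pool unlock.
      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
      # NOTE(review): no host key is configured in this file; confirm that
      # networking/ssh.nix provides persistent initrd host keys, otherwise
      # clients cannot pin the dropbear key across rebuilds.
    };
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
     a 91.216.110.35/32 becomes a 91.216.110.35/8
     (netIPv4 below is not defined in this file)
  boot.kernelParams = map
    (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
    [ { clientIP = netIPv4; serverIP = "";
        gatewayIP = networking.defaultGateway.address;
        netmask = "255.255.255.255";
        hostname = ""; device = networking.defaultGateway.interface;
        autoconf = "off";
      }
      { clientIP = lanIPv4; serverIP = "";
        gatewayIP = "";
        netmask = "255.255.255.0";
        hostname = ""; device = "enp2s0";
        autoconf = "off";
      }
    ];
  */
  /* DIY network config, but a right one */
  # Brings the LAN interface up by hand inside the initrd: host route to the
  # gateway first, then the LAN route, then the default route.
  # `set -x` echoes these commands to the console; none of them carry secrets.
  boot.initrd.preLVMCommands = ''
    set -x

    # IPv4 lan
    ip link set ${lanIface} up
    ip address add ${lanIPv4}/32 dev ${lanIface}
    ip route add ${lanIPv4Gateway} dev ${lanIface}
    ip route add ${lanNet} dev ${lanIface} src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    ip route add default via ${lanIPv4Gateway} dev ${lanIface}

    # IPv6 net
    #ip -6 address add ''${lanIPv6} dev ${lanIface}
    #ip -6 route add ''${lanIPv6Gateway} dev ${lanIface}
    #ip -6 route add default via ''${lanIPv6Gateway} dev ${lanIface}

    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route

    set +x

    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';
  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 entirely until it's available
  boot.kernel.sysctl = {
    "net.ipv6.conf.${lanIface}.disable_ipv6" = 1;
  };

  networking = {
    hostName = machineName;
    domain = "sourcephile.fr";

    useDHCP = false;
    defaultGateway = {
      address = lanIPv4Gateway;
      interface = lanIface;
    };
    /* (lanIPv6Gateway is not defined in this file)
    defaultGateway6 = {
      address = lanIPv6Gateway;
      interface = "enp5s0";
    };
    */
    #nameservers = [ ];
    # Input on the LAN interface is handed to net2fw (defined in the imported
    # nftables.nix). Output on it must be accepted by fw2net, otherwise it is
    # logged with the "fw2net: " prefix and dropped; fw2net currently only
    # accepts traffic to the LAN and SSDP/UPnP multicast.
    nftables.ruleset = ''
      add rule inet filter input iifname "${lanIface}" goto net2fw
      add rule inet filter output oifname "${lanIface}" jump fw2net
      add rule inet filter output oifname "${lanIface}" log level warn prefix "fw2net: " counter drop
      add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
      add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
    '';
    interfaces.${lanIface} = {
      useDHCP = false;
      ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
      # Host route to the gateway, mirroring the initrd bring-up above.
      ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];

      /* (lanIPv6 is not defined in this file)
      ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
                         { address = "fe80::1"; prefixLength = 10; }
                       ];
      ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
      */
    };
    # Wireless interface left unconfigured (no DHCP, no addresses).
    interfaces.wlp4s0 = {
      useDHCP = false;
    };
  };
}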