# Host network configuration: initrd networking, nftables rules and
# addressing for the enp5s0 interface.
1 { pkgs, lib, config, machineName, ... }:
4 inherit (config) networking;
5 inherit (config.security) gnupg;
# NOTE(review): lanIPv4 and lanIPv4Gateway are commented out here yet are
# referenced further down (initrd commands, gateway address); confirm those
# uses are disabled as well or that the names are bound elsewhere.
6 #lanIPv4 = "192.168.1.215";
# LAN prefix, used below for the initrd LAN route and the fw2net accept rule.
7 lanNet = "192.168.1.0/24";
8 #lanIPv4Gateway = "192.168.1.1";
12 networking/nftables.nix
14 networking/wireguard.nix
# Networking in the initrd (stage 1), used to unlock ZFS from a remote login.
18 boot.initrd.network = {
# Clear the interface configuration made in the initrd before stage 2 takes over.
20 flushBeforeStage2 = true;
21 # Append a command to root's .profile so that logging in to the initrd
22 # immediately prompts for the key of the ZFS dataset ${machineName}.
23 # Once the key is loaded, `pkill zfs` kills the `zfs load-key` that is
24 # still waiting on the console, which allows the boot to continue.
# NOTE(review): the passphrase is typed into whatever remote login the initrd
# offers (presumably boot.initrd.network.ssh; its configuration is not shown
# here). The initrd is typically stored unencrypted, so any SSH host key it
# carries should be dedicated to stage 1 and never shared with the stage-2
# sshd, and the login should be restricted to public-key authentication.
# `pkill zfs` matches by process-name pattern, so it also terminates any other
# process whose name contains "zfs".
26 echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
30 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
31 a 91.216.110.35/32 becomes a 91.216.110.35/8
32 boot.kernelParams = map
33 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
34 [ { clientIP = netIPv4; serverIP = "";
35 gatewayIP = networking.defaultGateway.address;
36 netmask = "255.255.255.255";
37 hostname = ""; device = networking.defaultGateway.interface;
40 { clientIP = lanIPv4; serverIP = "";
42 netmask = "255.255.255.0";
43 hostname = ""; device = "enp2s0";
48 /* DIY network configuration, but a correct one */
# Static IPv4 setup for enp5s0, run in the initrd before LVM: a /32 address,
# an on-link route to the gateway, the LAN route, then the default route.
# The final interpolation runs boot.initrd.network.postCommands by hand, so
# whatever that option contains is executed here in stage 1.
50 boot.initrd.preLVMCommands = ''
55 ip address add ${lanIPv4}/32 dev enp5s0
56 ip route add ${lanIPv4Gateway} dev enp5s0
57 ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
58 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
59 ip route add default via ${lanIPv4Gateway} dev enp5s0
62 #ip -6 address add ''${lanIPv6} dev enp5s0
63 #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
64 #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
73 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
74 # we have to run the postCommands ourselves.
75 ${config.boot.initrd.network.postCommands}
78 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
79 #boot.initrd.kernelModules = [ "ipv6" ];
81 # Useless without out-of-band access, and insecure
82 # (though / may still be encrypted at this point).
# boot.shell_on_fail offers a root shell on the console when stage 1 fails,
# with no authentication, which is why it is left disabled.
83 # boot.kernelParams = [ "boot.shell_on_fail" ];
86 # Disable IPv6 entirely until it's available
# NOTE(review): the key visible here disables IPv6 on enp5s0 only; other
# interfaces (e.g. wlp4s0) stay IPv6-capable unless further keys are set —
# confirm the firewall covers them.
87 boot.kernel.sysctl = {
88 "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
# Host name and DNS domain.
93 hostName = machineName;
94 domain = "sourcephile.fr";
# Gateway address/interface pairs — presumably networking.defaultGateway and
# networking.defaultGateway6, both through enp5s0 (TODO confirm).
100 address = lanIPv4Gateway;
101 interface = "enp5s0";
104 address = lanIPv6Gateway;
105 interface = "enp5s0";
# Firewall rules for enp5s0, added to the inet filter table.
# - input: `goto net2fw` hands the packet to net2fw without returning here.
# - output: `jump fw2net` returns here when fw2net reaches no verdict; the
#   next rule then logs and drops, so egress on enp5s0 is default-deny.
# - fw2net: traffic to the LAN prefix is logged, counted and accepted.
# The net2fw and fw2net chains are not defined in these lines (presumably in
# networking/nftables.nix — confirm).
# NOTE(review): the LAN accept rule logs each packet that reaches it at level
# info with no `limit rate`. Unless an earlier rule already accepts
# established traffic, ordinary LAN traffic can flood the kernel log and bury
# the "fw2net: " drop warnings; consider rate-limiting that log statement.
111 networking.nftables.ruleset = ''
112 add rule inet filter input iifname "enp5s0" goto net2fw
113 add rule inet filter output oifname "enp5s0" jump fw2net
114 add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
115 add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
# IPv6 stable-privacy addressing on enp5s0. Per the kernel's ip-sysctl
# documentation, addr_gen_mode 3 derives addresses from stable_secret and
# falls back to a random secret while none is set.
117 boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 3;
# Declares the secret whose decrypted path is read by the activation script below.
118 security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
119 # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
# Loads the secret into the kernel at activation time.
# NOTE(review): the shell expands "$(cat …)" into sysctl's argument list, so
# the secret is readable through /proc/<pid>/cmdline by other local users
# while the command runs (unless /proc is mounted with hidepid). Redirecting
# the file into /proc/sys/net/ipv6/conf/enp5s0/stable_secret would keep it
# out of argv.
120 system.activationScripts.ipv6 = ''
121 ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
# Stage-2 addressing for enp5s0.
123 networking.interfaces.enp5s0 = {
# Static IPv4 address and on-link gateway route, currently commented out.
125 #ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
126 #ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
# Static IPv6 address lanIPv6/64 plus a fixed link-local fe80::1, and a /64
# route for the IPv6 default gateway's address.
# NOTE(review): net.ipv6.conf.enp5s0.disable_ipv6 is set to 1 earlier in this
# file, so these IPv6 settings are presumably inert or inside a disabled
# section — confirm before relying on them.
129 ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
130 { address = "fe80::1"; prefixLength = 10; }
132 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
135 networking.interfaces.wlp4s0 = {