# NixOS host module for "mermet".
#
# Covers: the initrd's own network bring-up and the dropbear SSH server used to
# enter the ZFS passphrase remotely; addressing of the public (enp1s0) and LAN
# (enp2s0) interfaces; dispatch of those interfaces into the nftables chains;
# and knot's listening address. IPv6 is parked (commented out) until it is
# available on the link.
#
# Module arguments: the standard ones plus `ipv4`, the host's public IPv4
# address, handed in by the caller (presumably via specialArgs — confirm where
# this module is instantiated).
{ pkgs, lib, config, ipv4, ... }:
let
  # Out-of-tree builtin (builtins.extraBuiltins) that materialises a secret
  # from the `pass` store into a file.
  pass-to-file = builtins.extraBuiltins.pass-to-file;

  # Interface roles.
  netIf = "enp1s0"; # public side
  lanIf = "enp2s0"; # private LAN side

  # Public ("net") addressing.
  netIPv4 = ipv4;
  netIPv4Gateway = "80.67.180.134";
  #netIPv6 = "2001:912:400:104::35";
  #netIPv6Gateway = "2001:912:400:104::1";

  # Private ("lan") addressing.
  lanIPv4 = "192.168.1.214";
  lanNet = "192.168.1.0/24";
  lanIPv4Gateway = "192.168.1.1";

  hostDomainBase = "sourcephile";

  # Dropbear host key for the initrd.
  # The initrd needs a cleartext key and is built on the host,
  # hence this key needs to be cleartext on the host.
  # Moreover building the initrd means that the key will go into the Nix store,
  # of the host, then of the target on deployment,
  # because GRUB does not support boot.initrd.secrets
  # (only systemd-boot does, but sticking to GRUB is more reassuring).
  # In any case, the initrd is sent to a non-encrypted /boot partition
  # to be able to start unattended, hence the key will be available
  # to anyone who has physical access to the disk where /boot is:
  # it identifies the machine to a client that already trusts it,
  # it is not a secret in its own right.
  # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
  initrdHostKey = pass-to-file "servers/mermet/ssh/ecdsa.key"
    (../../../sec + "/tmp/mermet.ecdsa.key");
in
{
  imports = [ networking/nftables.nix ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh from freaking out because a different host key is used,
      # a different port for dropbear is useful
      # (assuming the same host has also a normal sshd running).
      port = 2222;
      hostKeys = [ initrdHostKey ];
      # Whoever holds a key that opens root on the running system can also
      # reach the pre-unlock initrd shell.
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
    };
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue.
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    postCommands = ''
      echo >>/root/.profile "zfs load-key -a && pkill zfs"
    '';
  };

  /*
    WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
    a 91.216.110.35/32 becomes a 91.216.110.35/8
    boot.kernelParams = map (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}") [
      { clientIP = netIPv4; serverIP = ""; gatewayIP = config.networking.defaultGateway.address; netmask = "255.255.255.255"; hostname = ""; device = config.networking.defaultGateway.interface; autoconf = "off"; }
      { clientIP = lanIPv4; serverIP = ""; gatewayIP = ""; netmask = "255.255.255.0"; hostname = ""; device = "enp2s0"; autoconf = "off"; }
    ];
  */

  # DIY network config, but a right one.
  # `set -x` echoes every command to the console; nothing traced here is
  # sensitive (interface names and addresses only).
  boot.initrd.preLVMCommands = ''
    set -x
    # IPv4 net
    ip link set ${netIf} up
    ip address add ${netIPv4}/32 dev ${netIf}
    ip route add ${netIPv4Gateway} dev ${netIf}
    ip route add default via ${netIPv4Gateway} dev ${netIf}
    # IPv4 lan
    ip link set ${lanIf} up
    ip address add ${lanIPv4}/32 dev ${lanIf}
    ip route add ${lanIPv4Gateway} dev ${lanIf}
    ip route add ${lanNet} dev ${lanIf} src ${lanIPv4} proto kernel
    # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
    # IPv6 net
    #ip -6 address add ''${netIPv6} dev ${netIf}
    #ip -6 route add ''${netIPv6Gateway} dev ${netIf}
    #ip -6 route add default via ''${netIPv6Gateway} dev ${netIf}
    ip -4 address
    ip -4 route
    #ip -6 address
    #ip -6 route
    set +x
    # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
    # we have to run the postCommands ourselves.
    ${config.boot.initrd.network.postCommands}
  '';

  # Workaround https://github.com/NixOS/nixpkgs/issues/56822
  #boot.initrd.kernelModules = [ "ipv6" ];

  # Useless without an out-of-band access, and unsecure
  # (though / may still be encrypted at this point).
  # boot.kernelParams = [ "boot.shell_on_fail" ];

  # Disable IPv6 until it's available.
  # Only the public interface is covered by this sysctl.
  boot.kernel.sysctl = {
    "net.ipv6.conf.${netIf}.disable_ipv6" = 1;
  };

  # knot only binds the public IPv4 address for now.
  services.knot.extraConfig = lib.mkBefore ''
    server:
      listen: ${netIPv4}@53
      #listen: ::@53
  '';

  networking = {
    hostName = "mermet";
    domainBase = hostDomainBase;
    domain = "${hostDomainBase}.fr";
    useDHCP = false;
    defaultGateway = {
      address = netIPv4Gateway;
      interface = netIf;
    };
    /*
    defaultGateway6 = {
      address = netIPv6Gateway;
      interface = netIf;
    };
    */
    #nameservers = [ ];

    # Hand each interface's traffic to its own chains. The chains themselves
    # (net2fw, fw2net, lan2fw, fw2lan) are presumably declared by the imported
    # networking/nftables.nix — check there if a rule fails to load.
    nftables.ruleset = ''
      add rule inet filter input iifname "${netIf}" goto net2fw
      add rule inet filter output oifname "${netIf}" goto fw2net
      add rule inet filter input iifname "${lanIf}" goto lan2fw
      add rule inet filter output oifname "${lanIf}" goto fw2lan
    '';

    interfaces = {
      ${netIf} = {
        useDHCP = false;
        ipv4 = {
          addresses = [ { address = netIPv4; prefixLength = 32; } ];
          # The address is a /32, so the gateway needs an explicit on-link route.
          routes = [ { address = config.networking.defaultGateway.address; prefixLength = 32; } ];
        };
        /*
        ipv6.addresses = [
          { address = netIPv6; prefixLength = 64; }
          { address = "fe80::1"; prefixLength = 10; }
        ];
        ipv6.routes = [
          { address = config.networking.defaultGateway6.address; prefixLength = 64; }
        ];
        */
      };

      ${lanIf} = {
        useDHCP = false;
        ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
        /*
        # FIXME: remove this /1 hack when the machine will be racked at PTT
        ipv4.routes = [
          { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
          { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
        ];
        */
        /*
        ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
        ipv6.routes = [ ];
        */
      };

      # Present but unconfigured.
      enp3s0 = {
        useDHCP = false;
      };
    };
  };
}