-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, config, hostName, ... }:
with builtins;
let
inherit (config) networking;
- inherit (config.security) gnupg;
- lanIPv4 = "192.168.1.215";
- lanNet = "192.168.1.0/24";
- lanIPv4Gateway = "192.168.1.1";
+ netIface = "enp5s0";
+ lanNet = "192.168.1.0/24";
in
{
-imports = [
- networking/nftables.nix
- networking/ssh.nix
- networking/wireguard/intranet.nix
- networking/wireguard/extranet.nix
- networking/tor.nix
- networking/nsupdate.nix
- networking/wireless.nix
- networking/openvpn.nix
-];
+ imports = [
+ networking/nftables.nix
+ #networking/tor.nix
+ networking/nsupdate.nix
+ networking/wireless.nix
+ networking/openvpn.nix
+ ];
-boot.initrd.network = {
- enable = true;
- flushBeforeStage2 = true;
- # This will automatically load the zfs password prompt on login
- # and kill the other prompt so boot can continue
- # The pkill zfs kills the zfs load-key from the console
- # allowing the boot to continue.
- postCommands = ''
- echo >>/root/.profile "zfs load-key ${hostName} && pkill zfs"
- '';
-};
+ boot.initrd.network = {
+ enable = true;
+ flushBeforeStage2 = true;
+ };
+ boot.initrd.systemd = {
+ network.networks = {
+ "10-${netIface}" = {
+ name = netIface;
+ # Start a DHCP Client for IPv4 Addressing/Routing
+ DHCP = "ipv4";
+ networkConfig = {
+ # Accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = true;
+ KeepConfiguration = "dhcp-on-stop";
+ };
+ };
+ };
+ };
+
+ systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+ systemd.network = {
+ enable = true;
+ wait-online = {
+ enable = false;
+ };
+ networks = {
+ "10-${netIface}" = {
+ name = netIface;
+ # Start a DHCP Client for IPv4 Addressing/Routing
+ DHCP = "ipv4";
+ networkConfig = {
+ # Accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = true;
+ KeepConfiguration = "dhcp-on-stop";
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
+ };
+ };
-/* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
- a 91.216.110.35/32 becomes a 91.216.110.35/8
-boot.kernelParams = map
- (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
- [ { clientIP = netIPv4; serverIP = "";
+ /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
+ a 91.216.110.35/32 becomes a 91.216.110.35/8
+ boot.kernelParams = map
+ (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
+ [ { clientIP = netIPv4; serverIP = "";
gatewayIP = networking.defaultGateway.address;
netmask = "255.255.255.255";
hostname = ""; device = networking.defaultGateway.interface;
hostname = ""; device = "enp2s0";
autoconf = "off";
}
- ];
-*/
-/* DIY network config, but a right one */
-/*
-boot.initrd.preLVMCommands = ''
- set -x
+ ];
+ */
+ /* DIY network config, but a right one */
+ /*
+ boot.initrd.preLVMCommands = ''
+ set -x
- # IPv4 lan
- ip link set enp5s0 up
- ip address add ${lanIPv4}/32 dev enp5s0
- ip route add ${lanIPv4Gateway} dev enp5s0
- ip route add ${lanNet} dev enp5s0 src ${lanIPv4} proto kernel
+ # IPv4 lan
+ ip link set ${netIface} up
+ ip address add ${lanIPv4}/32 dev ${netIface}
+ ip route add ${lanIPv4Gateway} dev ${netIface}
+ ip route add ${lanNet} dev ${netIface} src ${lanIPv4} proto kernel
# NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
- ip route add default via ${lanIPv4Gateway} dev enp5s0
+ ip route add default via ${lanIPv4Gateway} dev ${netIface}
- # IPv6 net
- #ip -6 address add ''${lanIPv6} dev enp5s0
- #ip -6 route add ''${lanIPv6Gateway} dev enp5s0
- #ip -6 route add default via ''${lanIPv6Gateway} dev enp5s0
+ # IPv6 net
+ #ip -6 address add ''${lanIPv6} dev ${netIface}
+ #ip -6 route add ''${lanIPv6Gateway} dev ${netIface}
+ #ip -6 route add default via ''${lanIPv6Gateway} dev ${netIface}
- ip -4 address
- ip -4 route
- #ip -6 address
- #ip -6 route
+ ip -4 address
+ ip -4 route
+ #ip -6 address
+ #ip -6 route
- set +x
-'';
-*/
-# Workaround https://github.com/NixOS/nixpkgs/issues/56822
-#boot.initrd.kernelModules = [ "ipv6" ];
+ set +x
+ '';
+ */
+ # Workaround https://github.com/NixOS/nixpkgs/issues/56822
+ #boot.initrd.kernelModules = [ "ipv6" ];
-# Useless without an out-of-band access, and unsecure
-# (though / may still be encrypted at this point).
-# boot.kernelParams = [ "boot.shell_on_fail" ];
+ # Useless without an out-of-band access, and unsecure
+ # (though / may still be encrypted at this point).
+ # boot.kernelParams = [ "boot.shell_on_fail" ];
-/*
-# Disable IPv6 entirely until it's available
-boot.kernel.sysctl = {
- "net.ipv6.conf.enp5s0.disable_ipv6" = 1;
-};
-*/
+ /*
+ # Disable IPv6 entirely until it's available
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.${netIface}.disable_ipv6" = 1;
+ };
+ */
-networking = {
- hostName = hostName;
- domain = "sourcephile.fr";
+ networking = {
+ hostName = hostName;
+ domain = "sourcephile.fr";
- useDHCP = false;
- enableIPv6 = true;
- /*
- defaultGateway = {
- address = lanIPv4Gateway;
- interface = "enp5s0";
+ useDHCP = false;
+ enableIPv6 = true;
};
- defaultGateway6 = {
- address = lanIPv6Gateway;
- interface = "enp5s0";
- };
- */
- #nameservers = [ ];
-};
-networking.nftables.ruleset = ''
- add rule inet filter input iifname "enp5s0" goto net2fw
- add rule inet filter output oifname "enp5s0" jump fw2net
- add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
- add rule inet filter fw2net ip daddr ${lanNet} log level info prefix "fw2net: lan: " counter accept comment "LAN"
- add rule inet nat postrouting oifname "enp5s0" masquerade
-'';
-boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;
-/*
-security.gnupg.secrets."ipv6/enp5s0/stable_secret" = {};
-# This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
-system.activationScripts.ipv6 = ''
- ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.enp5s0.stable_secret="$(cat ${gnupg.secrets."ipv6/enp5s0/stable_secret".path})"
-'';
-*/
-networking.interfaces.enp5s0 = {
- useDHCP = true;
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input {
+ iifname ${netIface} goto input-net
+ }
+ chain output {
+ oifname ${netIface} jump output-net
+ oifname ${netIface} log level warn prefix "output-net: " counter drop
+ }
+ chain output-net {
+ ip daddr ${lanNet} log level info prefix "output-net: lan: " counter accept comment "LAN"
+ }
+ }
+ table inet nat {
+ chain postrouting {
+ oifname ${netIface} masquerade
+ }
+ }
+ '';
/*
- ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
-
- ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
- ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
- { address = "fe80::1"; prefixLength = 10; }
- ];
- ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
+ security.gnupg.secrets."ipv6/${netIface}/stable_secret" = {};
+ # This is only active in stage2, the initrd will still use the MAC-based SLAAC IPv6.
+ system.activationScripts.ipv6 = ''
+ ${pkgs.procps}/bin/sysctl --quiet net.ipv6.conf.${netIface}.stable_secret="$(cat ${gnupg.secrets."ipv6/${netIface}/stable_secret".path})"
+ '';
*/
-};
+ environment.systemPackages = [
+ pkgs.iodine
+ ];
+ services.vnstat.enable = true;
}
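Review bot: `systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";` is added unconditionally, so networkd runs at debug verbosity in the journal on every boot (DHCP lease and RA contents included), which reads like a leftover from testing the networkd migration rather than a permanent setting. Either drop the line or mark it, e.g. `# TODO: temporary while debugging the networkd migration; remove before merging`. Separately, the old side's `boot.kernel.sysctl."net.ipv6.conf.enp5s0.addr_gen_mode" = 1;` is removed with no counterpart in the new `systemd.network` block; `IPv6PrivacyExtensions = true` presumably only adds temporary addresses, so the stable SLAAC address falls back to the kernel default (the retained `/* … */` block itself notes the MAC-based SLAAC address), and if that is unintended, set `IPv6LinkLocalAddressGenerationMode = "stable-privacy";` under `networkConfig` or re-add the sysctl with `${netIface}`. The `input-net` and `output-net` chains, and the base-chain hooks for `input`, `output` and `postrouting`, are not declared in this hunk; I assume `networking/nftables.nix` provides them, but a one-line comment above the ruleset saying so (`# base chains and input-net/output-net are declared in networking/nftables.nix`) would save the next reader the lookup.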