-{ pkgs, lib, config, machineName, ... }:
+{ pkgs, lib, config, machineName, machines, wireguard, ... }:
with builtins;
let
- inherit (builtins.extraBuiltins) pass-to-file;
- inherit (config) networking users;
- lanIPv4 = "192.168.1.215";
+ #lanIPv4 = "192.168.1.215";
lanNet = "192.168.1.0/24";
- lanIPv4Gateway = "192.168.1.1";
+ #lanIPv4Gateway = "192.168.1.1";
in
{
imports = [
networking/nftables.nix
+ networking/ssh.nix
+ networking/wireguard.nix
];
+
boot.initrd.network = {
enable = true;
- ssh = {
- enable = true;
- # To prevent ssh from freaking out because a different host key is used,
- # a different port for dropbear is useful
- # (assuming the same host has also a normal sshd running)
- port = 2222;
- authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
- };
+ flushBeforeStage2 = true;
# This will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue
# The pkill zfs kills the zfs load-key from the console
# allowing the boot to continue.
postCommands = ''
- echo >>/root/.profile "zfs load-key -a && pkill zfs"
+ echo >>/root/.profile "zfs load-key ${machineName} && pkill zfs"
'';
};
];
*/
/* DIY network config, but a right one */
+/*
boot.initrd.preLVMCommands = ''
set -x
# we have to run the postCommands ourselves.
${config.boot.initrd.network.postCommands}
'';
+*/
# Workaround https://github.com/NixOS/nixpkgs/issues/56822
#boot.initrd.kernelModules = [ "ipv6" ];
# (though / may still be encrypted at this point).
# boot.kernelParams = [ "boot.shell_on_fail" ];
+/*
# Disable IPv6 entirely until it's available
boot.kernel.sysctl = {
"net.ipv6.conf.enp5s0.disable_ipv6" = 1;
};
+*/
networking = {
hostName = machineName;
domain = "sourcephile.fr";
useDHCP = false;
+ /*
defaultGateway = {
address = lanIPv4Gateway;
interface = "enp5s0";
};
- /*
defaultGateway6 = {
address = lanIPv6Gateway;
interface = "enp5s0";
};
*/
#nameservers = [ ];
- nftables.ruleset = ''
- add rule inet filter input iifname "enp5s0" goto net2fw
- add rule inet filter output oifname "enp5s0" goto fw2net
- add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
- add rule inet filter fw2net ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
- '';
- interfaces.enp5s0 = {
- useDHCP = false;
- ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
- ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
+};
- /*
- ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
- { address = "fe80::1"; prefixLength = 10; }
- ];
- ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
- */
- };
- interfaces.wlp4s0 = {
- useDHCP = false;
- };
+networking.nftables.ruleset = ''
+ add rule inet filter input iifname "enp5s0" goto net2fw
+ add rule inet filter output oifname "enp5s0" jump fw2net
+ add rule inet filter output oifname "enp5s0" log level warn prefix "fw2net: " counter drop
+ add rule inet filter fw2net ip daddr ${lanNet} counter accept comment "LAN"
+'';
+networking.interfaces.enp5s0 = {
+ useDHCP = true;
+ #ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
+ #ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
+
+ /*
+ ipv6.addresses = [ { address = lanIPv6; prefixLength = 64; }
+ { address = "fe80::1"; prefixLength = 10; }
+ ];
+ ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
+ */
+};
+networking.interfaces.wlp4s0 = {
+ useDHCP = false;
};
}
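Review bot: Switching enp5s0 to `useDHCP = true` (L104) while the only visible outbound accept in `fw2net` is `ip daddr ${lanNet}` (L101) means the DHCP client's DISCOVER/REQUEST packets to 255.255.255.255 are not covered by that rule, and the new catch-all on L100 logs and drops everything else leaving enp5s0 — unless the `fw2net` chain defined in networking/nftables.nix (outside this hunk) already allows it, the host may never obtain a lease and the firewall would silently blackhole its own bootstrap. I would add an explicit rule ahead of the LAN one, `add rule inet filter fw2net udp sport 68 udp dport 67 counter accept comment "DHCP"`, and also keep `lanNet` in sync with whatever subnet DHCP actually hands out, since the 192.168.1.0/24 constant is now the only thing tying the firewall to the address the interface receives. Separately, the unconditional `log level warn` on L100 has no rate limit, so any chatty local process (or a misbehaving one) can flood the journal; `add rule inet filter output oifname "enp5s0" limit rate 10/minute burst 5 packets log level warn prefix "fw2net: "` followed by a plain `counter drop` keeps the visibility without the flood. This diff has no `@@` headers, so the exact hunk boundaries and the rest of the `fw2net`/`net2fw` chains cannot be confirmed from here.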