| -rw-r--r-- | machines/corsac/devices.nix | 3 | ||||
| -rw-r--r-- | machines/corsac/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/fourmi/devices.nix | 24 | ||||
| -rw-r--r-- | machines/fourmi/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/lapin/devices.nix | 41 | ||||
| -rw-r--r-- | machines/lapin/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/renard/devices.nix | 3 | ||||
| -rw-r--r-- | machines/renard/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/taupe/devices.nix | 9 | ||||
| -rw-r--r-- | machines/taupe/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/taureau/devices.nix | 9 | ||||
| -rw-r--r-- | machines/taureau/hardware.nix | 7 | ||||
| -rw-r--r-- | machines/truite/devices.nix | 20 | ||||
| -rw-r--r-- | modules/common.nix | 19 | ||||
| -rw-r--r-- | modules/foundation/services/default.nix | 4 | ||||
| -rw-r--r-- | modules/foundation/services/networks.nix | 25 | ||||
| -rw-r--r-- | modules/tunnel/ingress.nix | 15 |
17 files changed, 65 insertions, 149 deletions
diff --git a/machines/corsac/devices.nix b/machines/corsac/devices.nix index a2215fd..971983b 100644 --- a/machines/corsac/devices.nix +++ b/machines/corsac/devices.nix @@ -11,9 +11,6 @@ initrd.systemd.enable = true; }; - networking.useDHCP = false; - - systemd.network.enable = true; systemd.network.networks."20-wired" = { name = "enp1s0"; DHCP = "yes"; diff --git a/machines/corsac/hardware.nix b/machines/corsac/hardware.nix index 8ac85c4..bbb4b30 100644 --- a/machines/corsac/hardware.nix +++ b/machines/corsac/hardware.nix @@ -28,12 +28,5 @@ [ { device = "/dev/disk/by-uuid/ce3c3e2c-1f16-4e37-90f3-9ccfc81ee4c8"; } ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/fourmi/devices.nix b/machines/fourmi/devices.nix index c8d2e72..56d243f 100644 --- a/machines/fourmi/devices.nix +++ b/machines/fourmi/devices.nix 
@@ -51,18 +51,28 @@ }; networking = { - # todo: configure properly firewall.enable = lib.mkForce false; - - useDHCP = true; wireless = { enable = true; interfaces = [ "wlan0" ]; secretsFile = config.age.secrets.wireless-secrets.path; - networks = { - # yea this is my home network :3 - # (my boyfriends brother picked the name) - "Das asoziale Netzwerk".pskRaw = "ext:psk_home"; + networks."Das asoziale Netzwerk".pskRaw = "ext:psk_home"; + }; + }; + + systemd.network = { + networks = { + "10-wired" = { + name = "end0"; + DHCP = "yes"; + dhcpV4Config.RouteMetric = 100; + networkConfig.RequiredForOnline = "no"; + }; + "20-wireless" = { + name = "wlan0"; + DHCP = "yes"; + dhcpV4Config.RouteMetric = 600; + networkConfig.RequiredForOnline = "no"; }; }; }; diff --git a/machines/fourmi/hardware.nix b/machines/fourmi/hardware.nix index 1738e23..3395bdf 100644 --- a/machines/fourmi/hardware.nix +++ b/machines/fourmi/hardware.nix @@ -20,12 +20,5 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.end0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; } diff --git a/machines/lapin/devices.nix b/machines/lapin/devices.nix index 450baf3..239242a 100644 --- a/machines/lapin/devices.nix +++ b/machines/lapin/devices.nix 
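Review bot: `firewall.enable = lib.mkForce false;` survives this hunk while the `# todo: configure properly` reminder above it is deleted, so fourmi's host firewall now stays force-disabled with nothing in the file saying it is temporary, on the only host in this diff that joins a wireless network. The nftables firewall that modules/common.nix turns on for every machine (`firewall = { enable = true; …` in that hunk) is therefore silently overridden here. If the rules are still pending, keep the marker next to the override, e.g. `# TODO: firewall force-disabled until rules for end0/wlan0 are written`; if the firewall is meant to stay off, say why in a comment instead. The enclosing `networking = { … }` attribute set starts before this hunk.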
@@ -15,18 +15,7 @@ memoryPercent = 50; }; - networking = { - # Network configuration is managed with networkd. - useDHCP = false; - nameservers = [ - "1.1.1.1" "1.0.0.1" - "2606:4700:4700::1111" "2606:4700:4700::1001" - ]; - }; - - # Static IPv6 network configuration - # + soliciting of IPv4 via DHCP. - systemd.network.enable = true; + # static ipv6 + dhcp ipv4 systemd.network.networks."10-wan" = { name = "enp1s0"; DHCP = "ipv4"; @@ -35,32 +24,24 @@ }; services.resolved = { - # LLMNR and MulticastDNS both give DNS timeouts. - # MDNS specifically for some reason gives Docker bridge interfaces it's scope, - # which means every DNS request waits for an answer... from every interface... + # llmnr and multicastdns both give dns timeouts. + # mdns specifically for some reason gives docker bridge interfaces it's scope, + # which means every dns request waits for an answer... from every interface... llmnr = "false"; extraConfig = "MulticastDNS=no"; - dnssec = "false"; # DNSSEC breaks IPv6, for some reason :( - }; - - virtualisation.docker.daemon.settings = { - "experimental" = true; - "ipv6" = true; - "ip6tables" = true; - "fixed-cidr-v6" = "fc00:d0c:b1b1::/48"; - "bip" = "172.17.0.1/24"; - "default-address-pools" = [ - { base = "172.17.0.0/16"; size = 24; } - { base = "fc00:d0c::/32"; size = 48; } - ]; + dnssec = "false"; # dnssec breaks ipv6, for some reason :( }; + fileSystems = { - # Mount the large-ish service state folder to a regrowable volume. :) + # mount the large-ish service state folder to a regrowable volume. :) "/srv" = { device = "/dev/disk/by-id/scsi-0HC_Volume_101611810"; fsType = "ext4"; - options = [ "defaults" "discard" ]; + options = [ + "defaults" + "discard" + ]; }; }; } diff --git a/machines/lapin/hardware.nix b/machines/lapin/hardware.nix index cc32191..4d07099 100644 --- a/machines/lapin/hardware.nix +++ b/machines/lapin/hardware.nix 
@@ -25,11 +25,4 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - } diff --git a/machines/renard/devices.nix b/machines/renard/devices.nix index aa8d7b9..d952488 100644 --- a/machines/renard/devices.nix +++ b/machines/renard/devices.nix @@ -18,9 +18,6 @@ memoryPercent = 50; }; - networking.useDHCP = false; - - systemd.network.enable = true; systemd.network.networks."10-wan" = { name = "ens18"; DHCP = "ipv4"; diff --git a/machines/renard/hardware.nix b/machines/renard/hardware.nix index d79dee9..f7d1d6b 100644 --- a/machines/renard/hardware.nix +++ b/machines/renard/hardware.nix @@ -20,11 +20,4 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - } diff --git a/machines/taupe/devices.nix b/machines/taupe/devices.nix index a07f794..22587a9 100644 --- a/machines/taupe/devices.nix +++ b/machines/taupe/devices.nix @@ -12,16 +12,7 @@ memoryPercent = 50; }; - networking = { - useDHCP = false; - nameservers = [ - "1.1.1.1" "1.0.0.1" - "2606:4700:4700::1111" "2606:4700:4700::1001" - ]; - }; - # static ipv6 + dhcp ipv4 - systemd.network.enable = true; systemd.network.networks."10-wan" = { name = "enp1s0"; DHCP = "ipv4"; 
diff --git a/machines/taupe/hardware.nix b/machines/taupe/hardware.nix index 810fafd..2fb0cf3 100644 --- a/machines/taupe/hardware.nix +++ b/machines/taupe/hardware.nix @@ -26,11 +26,4 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - } diff --git a/machines/taureau/devices.nix b/machines/taureau/devices.nix index 856dcf1..012b0ce 100644 --- a/machines/taureau/devices.nix +++ b/machines/taureau/devices.nix @@ -10,15 +10,6 @@ kernelModules = [ ]; }; - networking = { - nameservers = [ - "1.1.1.1" "1.0.0.1" - ]; - # networkd handles our network - useDHCP = false; - }; - - systemd.network.enable = true; systemd.network.networks."10-wan" = { name = "enp6s16"; # ipv4 gets it's config through dhcp just fine! diff --git a/machines/taureau/hardware.nix b/machines/taureau/hardware.nix index 3c30146..7fbaf1d 100644 --- a/machines/taureau/hardware.nix +++ b/machines/taureau/hardware.nix @@ -18,12 +18,5 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp6s16.useDHCP = lib.mkDefault true; - virtualisation.hypervGuest.enable = true; } diff --git a/machines/truite/devices.nix b/machines/truite/devices.nix index bc432c1..cdc3982 100644 
--- a/machines/truite/devices.nix +++ b/machines/truite/devices.nix @@ -17,21 +17,13 @@ memoryPercent = 50; }; - networking = { - nameservers = [ "1.1.1.1" "1.0.0.1" ]; - useDHCP = false; - }; - - systemd.network = { - enable = true; - networks."10-wan" = { - name = "ens18"; + systemd.network.networks."10-wan" = { + name = "ens18"; - address = [ "194.87.197.92/23" "2a00:b700:5::3:1cb/118" ]; - gateway = [ "194.87.196.1" ]; - routes = [ { Gateway = "2a00:b700:5::1"; GatewayOnLink = true; } ]; - DHCP = "no"; - }; + address = [ "194.87.197.92/23" "2a00:b700:5::3:1cb/118" ]; + gateway = [ "194.87.196.1" ]; + routes = [ { Gateway = "2a00:b700:5::1"; GatewayOnLink = true; } ]; + DHCP = "no"; }; } diff --git a/modules/common.nix b/modules/common.nix index c363201..9ad59aa 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -28,6 +28,14 @@ networking = { hostName = me.name; + useDHCP = false; + dhcpcd.enable = false; + nameservers = [ "1.1.1.1" "1.0.0.1" ]; + + nftables = { + enable = true; + flushRuleset = false; + }; firewall = { enable = true; @@ -35,6 +43,15 @@ }; }; + systemd.network = { + enable = true; + wait-online.anyInterface = true; + }; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = lib.mkDefault 1; + }; + services.envfs.enable = true; virtualisation = { @@ -86,7 +103,7 @@ gnupg pinentry-curses age agenix inetutils pciutils lshw inxi iw dmidecode tcpdump - iptables nftables wireguard-tools + nftables wireguard-tools ffmpeg_7-headless ripgrep gnumake gdb gcc clang dtc diff --git a/modules/foundation/services/default.nix b/modules/foundation/services/default.nix index 8136ce0..4c01bd7 100644 --- a/modules/foundation/services/default.nix +++ b/modules/foundation/services/default.nix @@ -13,8 +13,8 @@ driver = "bridge"; ipv6 = { enable = true; - subnet = "2001:d0c:1::/48"; - gateway = "2001:d0c:1::1"; + subnet = "fc00:d0c:1::/48"; + gateway = "fc00:d0c:1::1"; }; }; } 
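Review bot: The shared `nameservers = [ "1.1.1.1" "1.0.0.1" ];` added in this hunk carries only the IPv4 resolvers, while the per-host lists this commit removes from lapin and taupe also listed `2606:4700:4700::1111` and `2606:4700:4700::1001`; on the machines whose WAN is static IPv6 plus DHCPv4, name resolution now depends on the IPv4 lease alone. Restore the consolidated default to what those hosts had: `nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];`. Since at least lapin runs systemd-resolved, this is also the natural place to decide whether queries to a public resolver should use DNS-over-TLS (`services.resolved.dnsovertls = "opportunistic";`), which the old per-host configuration did not do either. The `networking = { … }` set continues past the end of this hunk.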
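Review bot: `"net.ipv4.ip_forward" = lib.mkDefault 1;` makes every machine an IPv4 router, whereas before this commit the sysctl was only set by modules/tunnel/ingress.nix on hosts carrying the tunnel role. With the nftables firewall enabled in the preceding hunk, the generated `nixos-fw` table filters the input hook only; the forward hook is left alone unless `networking.firewall.filterForward` is set, so a host with no role-specific forward chain will pass any transit traffic that reaches it unfiltered. Either keep the sysctl in the tunnel module and leave the fleet-wide default off, or pair this line with `networking.firewall.filterForward = true;` and confirm on the Docker hosts that the `br-*` trusted interfaces still get through the resulting forward chain. The `boot.kernel.sysctl` set is complete within the hunk.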
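Review bot: `subnet = "fc00:d0c:1::/48"` is a clear improvement over the globally routable `2001:d0c:1::/48` it replaces, but it lies in `fc00::/8`, the half of the ULA block that RFC 4193 leaves reserved (L bit = 0); locally assigned ULAs must come from `fd00::/8` and are meant to carry a random 40-bit Global ID rather than a vanity value. The minimal fix is `subnet = "fd00:d0c:1::/48"; gateway = "fd00:d0c:1::1";`, and the same prefix change belongs in the `defaultIPv6SubnetPrefix` default of modules/foundation/services/networks.nix so the fixed CIDR and the per-network subnets stay in one prefix. A reserved prefix will usually still function on a private bridge, so this is about correct addressing rather than breakage, but it also keeps the containers out of whatever IANA later assigns in fc00::/8.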
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix index 7205ec1..b5f1732 100644 --- a/modules/foundation/services/networks.nix +++ b/modules/foundation/services/networks.nix @@ -81,7 +81,7 @@ in Don't set to get a random subnet assigned to you within the subnet defined in `defaultIPv6SubnetPrefix`. ''; - example = "2001:d0c:123::/64"; + example = "fc00:d0c:123::/64"; default = null; }; @@ -91,7 +91,7 @@ in IPv6 gateway for this network. Should match the subnet. ''; - example = "2001:d0c:123::1"; + example = "fc00:d0c:123::1"; default = null; }; }; @@ -157,7 +157,7 @@ in a set subnet. Prefix length defined by `defaultIPv6SubnetLength`. ''; - default = "2001:d0c"; + default = "fc00:d0c"; }; defaultIPv6SubnetLength = mkOption { @@ -190,6 +190,8 @@ in experimental = true; ipv6 = true; ip6tables = true; + "ip-forward" = true; + "firewall-backend" = "nftables"; fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}"; }; @@ -200,24 +202,7 @@ in }; networking.firewall = { - # both options should work together to let all packets coming from - # docker bridges through. trustedInterfaces = [ "br-*" ]; - extraCommands = '' - # allow inbound packets - ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true - - # allow outbound to the docker bridge - ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true - - # allow forwarding between bridges+external interfaces - ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true - ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true - - # allow return traffic - # note: nothing works without this! - ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true - ''; }; systemd.services = diff --git a/modules/tunnel/ingress.nix b/modules/tunnel/ingress.nix index 8a6ae3b..1ea1613 100644 --- a/modules/tunnel/ingress.nix +++ b/modules/tunnel/ingress.nix 
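Review bot: The new `default = "fc00:d0c";` picks a prefix in `fc00::/8`, the part of the ULA range RFC 4193 leaves undefined; locally assigned prefixes are `fd00::/8` and should carry a random 40-bit Global ID. Change it to `default = "fd00:d0c";` (or a generated `fdXX:XXXX` value), update the two `example` strings changed in the earlier hunks to match, and keep it consistent with the subnet hard-coded in modules/foundation/services/default.nix so `${cfg.defaultIPv6SubnetPrefix}:255::/…` and the per-network subnets remain in one prefix.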
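Review bot: The added `"firewall-backend" = "nftables";` daemon.json key is only understood by recent Docker releases that ship the nftables backend (it appeared during 2025 as an experimental option; exact version to be confirmed), and dockerd refuses to start when daemon.json contains a directive it does not recognise, so this needs a check that the `virtualisation.docker.package` resolved by the pinned nixpkgs supports it. Add a note beside the line, e.g. `# requires a dockerd with nftables support; dockerd fails to start on unknown daemon.json keys`, or gate the key behind a module option that defaults to off until all hosts are on a new enough Docker. `"ip-forward" = true;` matches the daemon default and is harmless, though it means dockerd also enables `net.ipv4.ip_forward` itself, overlapping the sysctl now set in modules/common.nix. The `daemon.settings` set continues outside the hunk.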
@@ -32,10 +32,6 @@ let mtu = 1400; in { - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; # allow ipv4 forwarding - }; - networking.firewall = { allowedUDPPorts = map (x: x.port) paths; allowedTCPPorts = map (x: x.port) paths; @@ -118,12 +114,13 @@ in # allow forwarding packets between egress and ingress, but avoid any snat, # ip should always keep it's origin form, for correct egress routing. # also adapt mss to outgoing mss value, so that we don't shatter packets. - networking.nftables.ruleset = + networking.nftables.tables.tunnel-forward = let ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths; in - '' - table inet filter { + { + family = "inet"; + content = '' chain forward { type filter hook forward priority 0; policy drop; @@ -132,8 +129,8 @@ in iifname { "${ingressInterfaces}" } oifname "${egressName}" accept iifname "${egressName}" oifname { "${ingressInterfaces}" } accept } - } - ''; + ''; + }; # sing-box is a vpn client supporting various protocols which will allow us # to configure it in whichever way we want to avoid russian dpi. |
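Review bot: Removing `"net.ipv4.ip_forward" = 1` from this module makes the tunnel role depend on the `lib.mkDefault 1` in modules/common.nix, so a host that later sets the sysctl to 0, or a future decision to switch the fleet-wide default off, silently stops forwarding between the ingress and egress interfaces with no evaluation error. Keep the requirement where it is needed: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` in this module (a plain assignment outranks the mkDefault and merges cleanly with an equal value), with a comment that the forward chain below depends on it. The `let … in {` wrapper opens before this hunk.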
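Review bot: The `chain forward` now installed through `networking.nftables.tables.tunnel-forward` keeps `policy drop` on the inet forward hook, and nftables applies a drop verdict from any base chain on a hook regardless of accepts in other tables, so on a host that also runs the Docker module (whose `br-*` bridges modules/foundation/services/networks.nix trusts) every forwarded packet that is not between the tunnel interfaces would be dropped. If tunnel hosts never carry that role this is fine, but it is worth stating in the table: `# policy drop here applies to ALL forwarded traffic on this host, not only the tunnel; do not combine with docker bridges`. Moving the rules out of the shared `inet filter` name into a dedicated table is a good change given `flushRuleset = false` in common.nix. The lines between `policy drop;` and the `iifname` rules (where any `ct state established,related accept` would live) fall outside this hunk, as does the rest of the `let … in` block.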
