diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index ae1b2db..a5d8ee4 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -4,7 +4,7 @@
 ./amdgpu-sg-fix.nix
 ./hardware-configuration.nix
 ./irc.nix
- ./network.nix
+ ./stateful-network.nix
 ./secrets.nix
 ./secure-boot.nix
 ./zfs.nix
diff --git a/hosts/toaster/network.nix b/hosts/toaster/network.nix
index 2bb0e04..26def6b 100644
--- a/hosts/toaster/network.nix
+++ b/hosts/toaster/network.nix
@@ -1,10 +1,13 @@
-{ pkgs, ... }: {
- users.users.grue.extraGroups = [ "networkmanager" ];
+{ config, pkgs, ... }: {
+ environment.systemPackages = with pkgs; [ iwgtk ];
 networking = {
 hostName = "toaster";
 firewall.enable = true;
+ networkmanager.enable = false;
+ useNetworkd = true;
 wireguard.enable = true;
+ wireless.iwd.enable = true;
 };
 services.resolved = {
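Review bot: default.nix now imports `./stateful-network.nix`, which the `index` lines show to be a verbatim copy of the pre-change network.nix (new blob `2bb0e04` equals network.nix's old blob), so the networkd/iwd rewrite this same commit makes in network.nix is not imported by anything visible here and is dead configuration until the import is switched back. If both variants are meant to be kept and toggled, a comment next to the import would save the next reader from wondering which one is live, e.g. `# exactly one of stateful-network.nix (NetworkManager) / network.nix (networkd + iwd) may be imported`. The note applies to both network.nix hunks as well, since everything they add is currently unreferenced.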
@@ -18,22 +21,37 @@
 ];
 };
- # fixup the rpfilter fucking up the networkmanager wireguard
- networking.firewall = {
- # if packets are still dropped, they will show up in dmesg
- logReversePathDrops = true;
- # wireguard trips rpfilter up
- extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN
- '';
- extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN || true
- '';
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ networks."10-ether" = {
+ matchConfig.MACAddress = "e8:80:88:2f:c6:70";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ };
+ networks."10-dock" = {
+ matchConfig.Name = "enp5s0f4u1u1";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ dhcpV4Config = { RouteMetric = 666; };
+ };
+ networks."10-wlan" = {
+ # matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
+ matchConfig.Name = "wlan0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ };
 };
 }
diff --git a/hosts/toaster/stateful-network.nix b/hosts/toaster/stateful-network.nix
new file mode 100644
index 0000000..2bb0e04
--- /dev/null
+++ b/hosts/toaster/stateful-network.nix
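Review bot: The rpfilter exceptions for UDP 51820/1337 and `logReversePathDrops = true` are removed here while `wireguard.enable = true` is kept in the first hunk, so if the reverse-path drops were caused by the WireGuard routing rather than by NetworkManager they will return on the networkd variant and, with the logging gone, do so silently. Keeping `networking.firewall.logReversePathDrops = true;` in this module (or using the built-in `networking.firewall.checkReversePath = "loose";` instead of hand-rolled mangle rules) would make any recurrence visible in dmesg before the host is switched over to this file. The wait-online override looks right, but `# workaround for networkd waiting for shit` does not say what it changes; `# wait-online would block boot until every managed link is up; --any returns once a single link is configured` documents the ExecStart reset. Separately, `10-ether` pins a hardware MAC address in a checked-in config, whereas the other two networks match on Name; matching on a stable link name would keep the address out of the repository.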
@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+ users.users.grue.extraGroups = [ "networkmanager" ];
+
+ networking = {
+ hostName = "toaster";
+ firewall.enable = true;
+ wireguard.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ fallbackDns = [
+ "9.9.9.9"
+ "2620:fe::fe"
+ "149.112.112.112"
+ "2620:fe::9"
+ ];
+ };
+
+ # fixup the rpfilter fucking up the networkmanager wireguard
+ networking.firewall = {
+ # if packets are still dropped, they will show up in dmesg
+ logReversePathDrops = true;
+ # wireguard trips rpfilter up
+ extraCommands = ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN
+ '';
+ extraStopCommands = ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN || true
+ '';
+ };
+}
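Review bot: The four `-I nixos-fw-rpfilter ... -j RETURN` rules in `extraCommands` exempt from the reverse-path check every UDP packet whose source or destination port is 51820 or 1337, on any interface, because the remote side picks its own source port; that is wider than the WireGuard traffic the comment says they are for. Unless strict checking must be preserved for everything else, `networking.firewall.checkReversePath = "loose";` is the documented way to stop rpfilter dropping tunnel packets and removes the need for the paired insert/delete commands in `extraStopCommands`. Since this file is a verbatim copy of the old network.nix (same blob `2bb0e04`) and is now the live import, the header comment could state that, e.g. `# NetworkManager-based network config; the networkd variant lives in network.nix` in place of `# fixup the rpfilter fucking up the networkmanager wireguard`. What port 1337 carries is not stated anywhere on the page; a one-line comment next to those rules would help whoever next touches the firewall.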