]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/lesptts.nix
nix: shell: add aes256-ctr cipher to ssh for dropbear
[sourcephile-nix.git] / servers / mermet / lesptts.nix
1 { pkgs, lib, config, nodes, ... }:
2 with builtins;
3 let
4 inherit (builtins.extraBuiltins) pass pass-to-file;
5 inherit (config) networking users;
6 netIPv4 = "91.216.110.35";
7 netIPv4Gateway = "91.216.110.1";
8 netIPv6 = "2001:912:400:104::35";
9 netIPv6Gateway = "2001:912:400:104::1";
10 lanIPv4 = "192.168.1.214";
11 lanNet = "192.168.1.0/24";
12 lanIPv4Gateway = "192.168.1.1";
13 in
14 {
15 boot.initrd.network = {
16 enable = true;
17 ssh = {
18 enable = true;
19 # To prevent ssh from freaking out because a different host key is used,
20 # a different port for dropbear is useful
21 # (assuming the same host has also a normal sshd running)
22 port = 2222;
23 # The initrd needs a cleartext key and is built on the host,
24 # hence this key needs to be cleartext on the host.
25 # Moreover building the initrd means that the key will go into the Nix store,
26 # of the host, then of the target on deployment,
27 # because GRUB does not support boot.initrd.secrets
28 # (only systemd-boot does, but sticking to GRUB is more reassuring).
29 # In any case, the initrd is sent to a non-encrypted /boot partition
30 # to be able to start unattended, hence the key will be available
31 # to anyone who has physically access to the disk where /boot is.
32 # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
33 #hostECDSAKey = "../../../sec/tmp/dropbear-ecdsa.key";
34 hostECDSAKey = pass-to-file "servers/mermet/dropbear/ecdsa.key"
35 (../../../sec + "/tmp/dropbear-ecdsa.key");
36
37 # WARNING: dropbear does not support (and will ignore) ssh-ed25519 keys
38 authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
39 };
40 # This will automatically load the zfs password prompt on login
41 # and kill the other prompt so boot can continue
42 # The pkill zfs kills the zfs load-key from the console
43 # allowing the boot to continue.
44 postCommands = ''
45 echo >>/root/.profile "zfs load-key -a && pkill zfs"
46 '';
47 };
48
49 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
50 a 91.216.110.35/32 becomes a 91.216.110.35/8
51 boot.kernelParams = map
52 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
53 [ { clientIP = netIPv4; serverIP = "";
54 gatewayIP = networking.defaultGateway.address;
55 netmask = "255.255.255.255";
56 hostname = ""; device = networking.defaultGateway.interface;
57 autoconf = "off";
58 }
59 { clientIP = lanIPv4; serverIP = "";
60 gatewayIP = "";
61 netmask = "255.255.255.0";
62 hostname = ""; device = "enp2s0";
63 autoconf = "off";
64 }
65 ];
66 */
67 /* DIY network config, but a right one */
68 boot.initrd.preLVMCommands = ''
69 set -x
70
71 # IPv4 net
72 ip link set enp1s0 up
73 ip address add ${netIPv4}/32 dev enp1s0
74 ip route add ${netIPv4Gateway} dev enp1s0
75 ip route add default via ${netIPv4Gateway} dev enp1s0
76
77 # IPv4 lan
78 ip link set enp2s0 up
79 ip address add ${lanIPv4}/32 dev enp2s0
80 ip route add ${lanIPv4Gateway} dev enp2s0
81 ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
82 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
83
84 # IPv6 net
85 ip -6 address add ${netIPv6} dev enp1s0
86 ip -6 route add ${netIPv6Gateway} dev enp1s0
87 ip -6 route add default via ${netIPv6Gateway} dev enp1s0
88
89 ip -4 address
90 ip -4 route
91 ip -6 address
92 ip -6 route
93
94 set +x
95
96 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
97 # we have to run the postCommands ourselves.
98 ${config.boot.initrd.network.postCommands}
99 '';
100 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
101 boot.initrd.kernelModules = [ "ipv6" ];
102
103 # This is a remote headless server: always try to start all the units (default.target)
104 # systemd's emergency shell does not try to start sshd, hence is no help.
105 # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
106 systemd.enableEmergencyMode = false;
107
108 # This is a remote headless server: always reboot on a kernel panic,
109 # to not have to physically go power cycle the apu2e4.
110 # Which happens if the wrong ZFS password is used
111 # but the boot is manually forced to continue.
112 # Using kernelParams instead of kernel.sysctl
113 # sets this up as soon as the initrd.
114 boot.kernelParams = [ "panic=10" ];
115
116 # Useless without an out-of-band access, and unsecure
117 # (though / may still be encrypted at this point).
118 # boot.kernelParams = [ "boot.shell_on_fail" ];
119
120 networking = {
121 useDHCP = false;
122 defaultGateway = {
123 address = netIPv4Gateway;
124 interface = "enp1s0";
125 };
126 defaultGateway6 = {
127 address = netIPv6Gateway;
128 interface = "enp1s0";
129 };
130 #nameservers = [ ];
131 interfaces.enp1s0 = {
132 useDHCP = false;
133 ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
134 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
135
136 ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
137 { address = "fe80::1"; prefixLength = 10; }
138 ];
139 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
140 };
141 interfaces.enp2s0 = {
142 useDHCP = false;
143 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
144 # FIXME: remove this /1 hack when the machine will be racked at PTT
145 ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
146 { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
147 ];
148 ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
149 ipv6.routes = [ ];
150 };
151 interfaces.enp3s0 = {
152 useDHCP = false;
153 };
154 };
155 deployment = {
156 targetHost = (elemAt networking.interfaces.enp2s0.ipv4.addresses 0).address;
157 };
158 }