1 { pkgs, lib, config, nodes, ... }:
4 inherit (builtins.extraBuiltins) pass pass-to-file;
5 inherit (config) networking users;
6 netIPv4 = "91.216.110.35";
7 netIPv4Gateway = "91.216.110.1";
8 netIPv6 = "2001:912:400:104::35";
9 netIPv6Gateway = "2001:912:400:104::1";
10 lanIPv4 = "192.168.1.214";
11 lanNet = "192.168.1.0/24";
12 lanIPv4Gateway = "192.168.1.1";
15 boot.initrd.network = {
19 # To prevent ssh from freaking out because a different host key is used,
20 # a different port for dropbear is useful
21 # (assuming the same host has also a normal sshd running)
23 # The initrd needs a cleartext key and is built on the host,
24 # hence this key needs to be cleartext on the host.
25 # Moreover building the initrd means that the key will go into the Nix store,
26 # of the host, then of the target on deployment,
27 # because GRUB does not support boot.initrd.secrets
28 # (only systemd-boot does, but sticking to GRUB is more reassuring).
29 # In any case, the initrd is sent to a non-encrypted /boot partition
30 # to be able to start unattended, hence the key will be available
31 # to anyone who has physically access to the disk where /boot is.
32 # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
33 #hostECDSAKey = "../../../sec/tmp/dropbear-ecdsa.key";
34 hostECDSAKey = pass-to-file "servers/mermet/dropbear/ecdsa.key"
35 (../../../sec + "/tmp/dropbear-ecdsa.key");
37 # WARNING: dropbear does not support (and will ignore) ssh-ed25519 keys
38 authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
40 # This will automatically load the zfs password prompt on login
41 # and kill the other prompt so boot can continue
42 # The pkill zfs kills the zfs load-key from the console
43 # allowing the boot to continue.
45 echo >>/root/.profile "zfs load-key -a && pkill zfs"
49 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
50 a 91.216.110.35/32 becomes a 91.216.110.35/8
51 boot.kernelParams = map
52 (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
53 [ { clientIP = netIPv4; serverIP = "";
54 gatewayIP = networking.defaultGateway.address;
55 netmask = "255.255.255.255";
56 hostname = ""; device = networking.defaultGateway.interface;
59 { clientIP = lanIPv4; serverIP = "";
61 netmask = "255.255.255.0";
62 hostname = ""; device = "enp2s0";
67 /* DIY network config, but a right one */
68 boot.initrd.preLVMCommands = ''
73 ip address add ${netIPv4}/32 dev enp1s0
74 ip route add ${netIPv4Gateway} dev enp1s0
75 ip route add default via ${netIPv4Gateway} dev enp1s0
79 ip address add ${lanIPv4}/32 dev enp2s0
80 ip route add ${lanIPv4Gateway} dev enp2s0
81 ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
82 # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
85 ip -6 address add ${netIPv6} dev enp1s0
86 ip -6 route add ${netIPv6Gateway} dev enp1s0
87 ip -6 route add default via ${netIPv6Gateway} dev enp1s0
96 # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
97 # we have to run the postCommands ourselves.
98 ${config.boot.initrd.network.postCommands}
100 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
101 boot.initrd.kernelModules = [ "ipv6" ];
103 # This is a remote headless server: always try to start all the units (default.target)
104 # systemd's emergency shell does not try to start sshd, hence is no help.
105 # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
106 systemd.enableEmergencyMode = false;
108 # This is a remote headless server: always reboot on a kernel panic,
109 # to not have to physically go power cycle the apu2e4.
110 # Which happens if the wrong ZFS password is used
111 # but the boot is manually forced to continue.
112 # Using kernelParams instead of kernel.sysctl
113 # sets this up as soon as the initrd.
114 boot.kernelParams = [ "panic=10" ];
116 # Useless without an out-of-band access, and unsecure
117 # (though / may still be encrypted at this point).
118 # boot.kernelParams = [ "boot.shell_on_fail" ];
123 address = netIPv4Gateway;
124 interface = "enp1s0";
127 address = netIPv6Gateway;
128 interface = "enp1s0";
131 interfaces.enp1s0 = {
133 ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
134 ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
136 ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
137 { address = "fe80::1"; prefixLength = 10; }
139 ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
141 interfaces.enp2s0 = {
143 ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
144 # FIXME: remove this /1 hack when the machine will be racked at PTT
145 ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
146 { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
148 ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
151 interfaces.enp3s0 = {
156 targetHost = (elemAt networking.interfaces.enp2s0.ipv4.addresses 0).address;