servers/mermet/networking.nix

   1 { pkgs, lib, config, ipv4, ... }:
   2 with builtins;
   3 let
   4   inherit (builtins.extraBuiltins) pass pass-to-file;
   5   inherit (config) networking users;
   6   netIPv4        = ipv4;
   7   netIPv4Gateway = "80.67.180.134";
   8   #netIPv6        = "2001:912:400:104::35";
   9   #netIPv6Gateway = "2001:912:400:104::1";
  10   lanIPv4        = "192.168.1.214";
  11   lanNet         = "192.168.1.0/24";
  12   lanIPv4Gateway = "192.168.1.1";
  13 in
  14 {
  15 boot.initrd.network = {
  16   enable = true;
  17   ssh = {
  18      enable = true;
  19      # To prevent ssh from freaking out because a different host key is used,
  20      # a different port for dropbear is useful
  21      # (assuming the same host has also a normal sshd running)
  22      port = 2222;
  23      # The initrd needs a cleartext key and is built on the host,
  24      # hence this key needs to be cleartext on the host.
  25      # Moreover building the initrd means that the key will go into the Nix store,
  26      # of the host, then of the target on deployment,
  27      # because GRUB does not support boot.initrd.secrets
  28      # (only systemd-boot does, but sticking to GRUB is more reassuring).
  29      # In any case, the initrd is sent to a non-encrypted /boot partition
  30      # to be able to start unattended, hence the key will be available
  31      # to anyone who has physically access to the disk where /boot is.
  32      # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
  33     hostKeys = [
  34       (pass-to-file "servers/mermet/ssh/ecdsa.key"
  35                     (../../../sec + "/tmp/mermet.ecdsa.key"))
  36     ];
  37
  38      authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
  39   };
  40   # This will automatically load the zfs password prompt on login
  41   # and kill the other prompt so boot can continue
  42   # The pkill zfs kills the zfs load-key from the console
  43   # allowing the boot to continue.
  44   postCommands = ''
  45     echo >>/root/.profile "zfs load-key -a && pkill zfs"
  46   '';
  47 };
  48
  49 /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
  50    a 91.216.110.35/32 becomes a 91.216.110.35/8
  51 boot.kernelParams = map
  52   (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
  53   [ { clientIP = netIPv4; serverIP = "";
  54       gatewayIP = networking.defaultGateway.address;
  55       netmask = "255.255.255.255";
  56       hostname = ""; device = networking.defaultGateway.interface;
  57       autoconf = "off";
  58     }
  59     { clientIP = lanIPv4; serverIP = "";
  60       gatewayIP = "";
  61       netmask = "255.255.255.0";
  62       hostname = ""; device = "enp2s0";
  63       autoconf = "off";
  64     }
  65   ];
  66 */
  67 /* DIY network config, but a right one */
  68 boot.initrd.preLVMCommands = ''
  69   set -x
  70
  71   # IPv4 net
  72   ip link set enp1s0 up
  73   ip address add ${netIPv4}/32 dev enp1s0
  74   ip route add ${netIPv4Gateway} dev enp1s0
  75   ip route add default via ${netIPv4Gateway} dev enp1s0
  76
  77   # IPv4 lan
  78   ip link set enp2s0 up
  79   ip address add ${lanIPv4}/32 dev enp2s0
  80   ip route add ${lanIPv4Gateway} dev enp2s0
  81   ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
  82     # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
  83
  84   # IPv6 net
  85   #ip -6 address add ''${netIPv6} dev enp1s0
  86   #ip -6 route add ''${netIPv6Gateway} dev enp1s0
  87   #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0
  88
  89   ip -4 address
  90   ip -4 route
  91   #ip -6 address
  92   #ip -6 route
  93
  94   set +x
  95
  96   # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
  97   # we have to run the postCommands ourselves.
  98   ${config.boot.initrd.network.postCommands}
  99 '';
 100
 101 # Workaround https://github.com/NixOS/nixpkgs/issues/56822
 102 #boot.initrd.kernelModules = [ "ipv6" ];
 103
 104 # Useless without an out-of-band access, and unsecure
 105 # (though / may still be encrypted at this point).
 106 # boot.kernelParams = [ "boot.shell_on_fail" ];
 107
 108 # Disable IPv6 entirely until it's available
 109 boot.kernel.sysctl = {
 110   "net.ipv6.conf.enp1s0.disable_ipv6" = 1;
 111 };
 112
 113 services.knot.extraConfig = lib.mkBefore ''
 114   server:
 115     listen: ${netIPv4}@53
 116     #listen: ::@53
 117 '';
 118
 119 networking = rec {
 120   hostName   = "mermet";
 121   domainBase = "sourcephile";
 122   domain     = "${domainBase}.fr";
 123
 124   useDHCP = false;
 125   defaultGateway = {
 126     address = netIPv4Gateway;
 127     interface = "enp1s0";
 128   };
 129   /*
 130   defaultGateway6 = {
 131     address = netIPv6Gateway;
 132     interface = "enp1s0";
 133   };
 134   */
 135   #nameservers = [ ];
 136   interfaces.enp1s0 = {
 137     useDHCP = false;
 138     ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
 139     ipv4.routes    = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
 140
 141     /*
 142     ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
 143                        { address = "fe80::1"; prefixLength = 10; }
 144                      ];
 145     ipv6.routes    = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
 146     */
 147   };
 148   interfaces.enp2s0 = {
 149     useDHCP = false;
 150     ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
 151     /*
 152     # FIXME: remove this /1 hack when the machine will be racked at PTT
 153     ipv4.routes    = [ { address = "0.0.0.0";   prefixLength = 1; via = "192.168.1.1"; }
 154                        { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
 155                        ];
 156     */
 157     /*
 158     ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
 159     ipv6.routes    = [ ];
 160     */
 161   };
 162   interfaces.enp3s0 = {
 163     useDHCP = false;
 164   };
 165 };
 166 }