servers/mermet/production/lesptts.nix

   1 { pkgs, lib, config, nodes, ... }:
   2 with builtins;
   3 let
   4   inherit (builtins.extraBuiltins) pass pass-to-file;
   5   inherit (config) networking users;
   6   netIPv4        = "80.67.180.129";
   7   netIPv4Gateway = "80.67.180.134";
   8   #netIPv6        = "2001:912:400:104::35";
   9   #netIPv6Gateway = "2001:912:400:104::1";
  10   lanIPv4        = "192.168.1.214";
  11   lanNet         = "192.168.1.0/24";
  12   lanIPv4Gateway = "192.168.1.1";
  13 in
  14 {
  15   boot.initrd.network = {
  16     enable = true;
  17     ssh = {
  18        enable = true;
  19        # To prevent ssh from freaking out because a different host key is used,
  20        # a different port for dropbear is useful
  21        # (assuming the same host has also a normal sshd running)
  22        port = 2222;
  23        # The initrd needs a cleartext key and is built on the host,
  24        # hence this key needs to be cleartext on the host.
  25        # Moreover building the initrd means that the key will go into the Nix store,
  26        # of the host, then of the target on deployment,
  27        # because GRUB does not support boot.initrd.secrets
  28        # (only systemd-boot does, but sticking to GRUB is more reassuring).
  29        # In any case, the initrd is sent to a non-encrypted /boot partition
  30        # to be able to start unattended, hence the key will be available
  31        # to anyone who has physically access to the disk where /boot is.
  32        # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
  33        #hostECDSAKey = "../../../sec/tmp/dropbear-ecdsa.key";
  34        hostECDSAKey = pass-to-file "servers/mermet/dropbear/ecdsa.key"
  35                                    (../../../sec + "/tmp/dropbear-ecdsa.key");
  36
  37        # WARNING: dropbear does not support (and will ignore) ssh-ed25519 keys
  38        authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
  39     };
  40     # This will automatically load the zfs password prompt on login
  41     # and kill the other prompt so boot can continue
  42     # The pkill zfs kills the zfs load-key from the console
  43     # allowing the boot to continue.
  44     postCommands = ''
  45       echo >>/root/.profile "zfs load-key -a && pkill zfs"
  46     '';
  47   };
  48
  49   /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
  50      a 91.216.110.35/32 becomes a 91.216.110.35/8
  51   boot.kernelParams = map
  52     (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}")
  53     [ { clientIP = netIPv4; serverIP = "";
  54         gatewayIP = networking.defaultGateway.address;
  55         netmask = "255.255.255.255";
  56         hostname = ""; device = networking.defaultGateway.interface;
  57         autoconf = "off";
  58       }
  59       { clientIP = lanIPv4; serverIP = "";
  60         gatewayIP = "";
  61         netmask = "255.255.255.0";
  62         hostname = ""; device = "enp2s0";
  63         autoconf = "off";
  64       }
  65     ];
  66   */
  67   /* DIY network config, but a right one */
  68   boot.initrd.preLVMCommands = ''
  69     set -x
  70
  71     # IPv4 net
  72     ip link set enp1s0 up
  73     ip address add ${netIPv4}/32 dev enp1s0
  74     ip route add ${netIPv4Gateway} dev enp1s0
  75     ip route add default via ${netIPv4Gateway} dev enp1s0
  76
  77     # IPv4 lan
  78     ip link set enp2s0 up
  79     ip address add ${lanIPv4}/32 dev enp2s0
  80     ip route add ${lanIPv4Gateway} dev enp2s0
  81     ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel
  82       # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
  83
  84     # IPv6 net
  85     #ip -6 address add ''${netIPv6} dev enp1s0
  86     #ip -6 route add ''${netIPv6Gateway} dev enp1s0
  87     #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0
  88
  89     ip -4 address
  90     ip -4 route
  91     #ip -6 address
  92     #ip -6 route
  93
  94     set +x
  95
  96     # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1
  97     # we have to run the postCommands ourselves.
  98     ${config.boot.initrd.network.postCommands}
  99   '';
 100   # Workaround https://github.com/NixOS/nixpkgs/issues/56822
 101   #boot.initrd.kernelModules = [ "ipv6" ];
 102
 103   # This is a remote headless server: always try to start all the units (default.target)
 104   # systemd's emergency shell does not try to start sshd, hence is no help.
 105   # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
 106   systemd.enableEmergencyMode = false;
 107
 108   # This is a remote headless server: always reboot on a kernel panic,
 109   # to not have to physically go power cycle the apu2e4.
 110   # Which happens if the wrong ZFS password is used
 111   # but the boot is manually forced to continue.
 112   # Using kernelParams instead of kernel.sysctl
 113   # sets this up as soon as the initrd.
 114   boot.kernelParams = [ "panic=10" ];
 115
 116   # Useless without an out-of-band access, and unsecure
 117   # (though / may still be encrypted at this point).
 118   # boot.kernelParams = [ "boot.shell_on_fail" ];
 119
 120   services.nsd.interfaces = [ netIPv4 ];
 121   networking = {
 122     useDHCP = false;
 123     defaultGateway = {
 124       address = netIPv4Gateway;
 125       interface = "enp1s0";
 126     };
 127     /*
 128     defaultGateway6 = {
 129       address = netIPv6Gateway;
 130       interface = "enp1s0";
 131     };
 132     */
 133     #nameservers = [ ];
 134     interfaces.enp1s0 = {
 135       useDHCP = false;
 136       ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
 137       ipv4.routes    = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
 138
 139       /*
 140       ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
 141                          { address = "fe80::1"; prefixLength = 10; }
 142                        ];
 143       ipv6.routes    = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
 144       */
 145     };
 146     interfaces.enp2s0 = {
 147       useDHCP = false;
 148       ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
 149       /*
 150       # FIXME: remove this /1 hack when the machine will be racked at PTT
 151       ipv4.routes    = [ { address = "0.0.0.0";   prefixLength = 1; via = "192.168.1.1"; }
 152                          { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
 153                          ];
 154       */
 155       /*
 156       ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
 157       ipv6.routes    = [ ];
 158       */
 159     };
 160     interfaces.enp3s0 = {
 161       useDHCP = false;
 162     };
 163   };
 164 }