{ pkgs, lib, config, nodes, ... }: with builtins; let inherit (builtins.extraBuiltins) pass pass-to-file; inherit (config) networking users; netIPv4 = "91.216.110.35"; netIPv4Gateway = "91.216.110.1"; netIPv6 = "2001:912:400:104::35"; netIPv6Gateway = "2001:912:400:104::1"; lanIPv4 = "192.168.1.214"; lanNet = "192.168.1.0/24"; lanIPv4Gateway = "192.168.1.1"; in { boot.initrd.network = { enable = true; ssh = { enable = true; # To prevent ssh from freaking out because a different host key is used, # a different port for dropbear is useful # (assuming the same host has also a normal sshd running) port = 2222; # The initrd needs a cleartext key and is built on the host, # hence this key needs to be cleartext on the host. # Moreover building the initrd means that the key will go into the Nix store, # of the host, then of the target on deployment, # because GRUB does not support boot.initrd.secrets # (only systemd-boot does, but sticking to GRUB is more reassuring). # In any case, the initrd is sent to a non-encrypted /boot partition # to be able to start unattended, hence the key will be available # to anyone who has physically access to the disk where /boot is. # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key #hostECDSAKey = "../../../sec/tmp/dropbear-ecdsa.key"; hostECDSAKey = pass-to-file "servers/mermet/dropbear/ecdsa.key" (../../../sec + "/tmp/dropbear-ecdsa.key"); # WARNING: dropbear does not support (and will ignore) ssh-ed25519 keys authorizedKeys = users.users.root.openssh.authorizedKeys.keys; }; # This will automatically load the zfs password prompt on login # and kill the other prompt so boot can continue # The pkill zfs kills the zfs load-key from the console # allowing the boot to continue. postCommands = '' echo >>/root/.profile "zfs load-key -a && pkill zfs" ''; }; /* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE: a 91.216.110.35/32 becomes a 91.216.110.35/8 boot.kernelParams = map (ip: "ip=${ip.clientIP}:${ip.serverIP}:${ip.gatewayIP}:${ip.netmask}:${ip.hostname}:${ip.device}:${ip.autoconf}") [ { clientIP = netIPv4; serverIP = ""; gatewayIP = networking.defaultGateway.address; netmask = "255.255.255.255"; hostname = ""; device = networking.defaultGateway.interface; autoconf = "off"; } { clientIP = lanIPv4; serverIP = ""; gatewayIP = ""; netmask = "255.255.255.0"; hostname = ""; device = "enp2s0"; autoconf = "off"; } ]; */ /* DIY network config, but a right one */ boot.initrd.preLVMCommands = '' set -x # IPv4 net ip link set enp1s0 up ip address add ${netIPv4}/32 dev enp1s0 ip route add ${netIPv4Gateway} dev enp1s0 ip route add default via ${netIPv4Gateway} dev enp1s0 # IPv4 lan ip link set enp2s0 up ip address add ${lanIPv4}/32 dev enp2s0 ip route add ${lanIPv4Gateway} dev enp2s0 ip route add ${lanNet} dev enp2s0 src ${lanIPv4} proto kernel # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet} # IPv6 net ip -6 address add ${netIPv6} dev enp1s0 ip -6 route add ${netIPv6Gateway} dev enp1s0 ip -6 route add default via ${netIPv6Gateway} dev enp1s0 ip -4 address ip -4 route ip -6 address ip -6 route set +x # Since boot.initrd.network's preLVMCommands won't set hasNetwork=1 # we have to run the postCommands ourselves. ${config.boot.initrd.network.postCommands} ''; # Workaround https://github.com/NixOS/nixpkgs/issues/56822 boot.initrd.kernelModules = [ "ipv6" ]; # This is a remote headless server: always try to start all the units (default.target) # systemd's emergency shell does not try to start sshd, hence is no help. # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine systemd.enableEmergencyMode = false; # This is a remote headless server: always reboot on a kernel panic, # to not have to physically go power cycle the apu2e4. # Which happens if the wrong ZFS password is used # but the boot is manually forced to continue. # Using kernelParams instead of kernel.sysctl # sets this up as soon as the initrd. boot.kernelParams = [ "panic=10" ]; # Useless without an out-of-band access, and unsecure # (though / may still be encrypted at this point). # boot.kernelParams = [ "boot.shell_on_fail" ]; networking = { useDHCP = false; defaultGateway = { address = netIPv4Gateway; interface = "enp1s0"; }; defaultGateway6 = { address = netIPv6Gateway; interface = "enp1s0"; }; #nameservers = [ ]; interfaces.enp1s0 = { useDHCP = false; ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ]; ipv4.routes = [ { address = networking.defaultGateway.address; prefixLength = 32; } ]; ipv6.addresses = [ { address = netIPv6; prefixLength = 64; } { address = "fe80::1"; prefixLength = 10; } ]; ipv6.routes = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ]; }; interfaces.enp2s0 = { useDHCP = false; ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ]; # FIXME: remove this /1 hack when the machine will be racked at PTT ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 1; via = "192.168.1.1"; } { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; } ]; ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ]; ipv6.routes = [ ]; }; interfaces.enp3s0 = { useDHCP = false; }; }; deployment = { targetHost = (elemAt networking.interfaces.enp2s0.ipv4.addresses 0).address; }; }