diff --git a/machines/gerd.nix b/machines/gerd.nix
index d228511..1d24940 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -8,6 +8,7 @@ in {
 (modulesPath + "/profiles/qemu-guest.nix")
 (sources.disko + "/module.nix")
 ./../shared/modules
+ ./../shared/platforms/hetzner.nix
 ./gerd/disk-zfs.nix
@@ -19,8 +20,6 @@ in {
 networking.hostName = "gerd";
 networking.hostId = "e1166ac9";
- networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f9:c012:743e::1"; prefixLength = 64; }];
- networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
 boot.loader.grub = {
 # no need to set devices, disko will add all devices that have a EF02 partition to the list already
 # devices = [ ];
@@ -29,10 +28,18 @@ in {
 };
 services.openssh.enable = true;
- mine.state.enable = true;
+ mine = {
+ state.enable = true;
+ ssh-on-boot.enable = true;
+
+ platforms.hetzner.network.address = [
+ "65.108.221.240/32"
+ "2a01:4f9:c012:743e::1/64"
+ ];
+ };
 boot.initrd.postDeviceCommands = lib.mkAfter ''
- zfs rollback -r rpool/local/root@blank
+ zfs rollback -r rpool/root@blank
 '';
 environment.systemPackages = with pkgs; [
diff --git a/machines/gerd/disk-zfs.nix b/machines/gerd/disk-zfs.nix
index 18512b5..843327c 100644
--- a/machines/gerd/disk-zfs.nix
+++ b/machines/gerd/disk-zfs.nix
@@ -78,4 +78,8 @@ in {
 };
 };
 };
+
+ fileSystems."/state/root".neededForBoot = true;
+ fileSystems."/state/home".neededForBoot = true;
+ fileSystems."/state/stash".neededForBoot = true;
 }
diff --git a/shared/modules/default.nix b/shared/modules/default.nix
index bead858..4736e64 100644
--- a/shared/modules/default.nix
+++ b/shared/modules/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./state.nix
+ ./ssh-luks-zfs-on-boot.nix
 ./easy-zfs-mounts.nix
 ];
 }
diff --git a/shared/modules/ssh-luks-zfs-on-boot.nix b/shared/modules/ssh-luks-zfs-on-boot.nix
new file mode 100644
index 0000000..0b05c4e
--- /dev/null
+++ b/shared/modules/ssh-luks-zfs-on-boot.nix
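Review bot: The third hunk of machines/gerd.nix changes the blank-snapshot rollback target from `rpool/local/root@blank` to `rpool/root@blank`, but the disk-zfs.nix hunk in the same commit only adds the three `neededForBoot` lines, so the dataset rename and the creation of the `@blank` snapshot must already live outside these hunks. A short comment next to the rollback line naming where that snapshot is created (e.g. `# @blank is created by the disk layout in ./gerd/disk-zfs.nix — keep in sync`) would save the next reader from tracing it, since a wrong dataset name here means stage 1 fails before the root is mounted. The surrounding attribute set in gerd.nix continues outside the hunk.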
@@ -0,0 +1,96 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.mine.ssh-on-boot;
+in {
+ options.mine.ssh-on-boot = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
+
+ network = {
+ address = mkOption {
+ type = types.str;
+ example = "192.168.1.11";
+ };
+
+ gateway = mkOption {
+ type = types.str;
+ example = "192.168.1.1";
+ };
+
+ netmask = mkOption {
+ type = types.str;
+ example = "255.255.255.0";
+ };
+
+ hostname = mkOption {
+ type = types.str;
+ default = "${config.networking.hostName}-boot";
+ };
+
+ interface = mkOption {
+ type = types.str;
+ example = "eno3";
+ };
+ };
+
+ kernelModules = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ixgbe"
+ "igb"
+ ];
+ };
+
+ sshPort = mkOption {
+ type = types.int;
+ default = 2222;
+ };
+
+ sshKeyLocation = mkOption {
+ type = types.str;
+ default = "/state/root/ssh-on-boot";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot = {
+ kernelParams = [
+ "ip=${cfg.network.address}::${cfg.network.gateway}:${cfg.network.netmask}:${cfg.network.hostname}:${cfg.network.interface}"
+ ];
+
+ initrd.availableKernelModules = cfg.kernelModules;
+ initrd.network = {
+ enable = true;
+
+ ssh = {
+ enable = true;
+ port = cfg.sshPort;
+ hostKeys = [
+ "${cfg.sshKeyLocation}/ssh_host_ed25519_key"
+ "${cfg.sshKeyLocation}/ssh_host_rsa_key"
+ ];
+
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ };
+
+ postCommands = let
+ luksCmd = builtins.concatStringsSep "; " (
+ lib.mapAttrsToList (n: v:
+ "echo Opening ${n}; cryptsetup-askpass open ${v.device} ${n}"
+ ) config.boot.initrd.luks.devices);
+ in ''
+ ip route add ${cfg.network.gateway} dev ${cfg.network.interface}
+ ip route add default via ${cfg.network.gateway} dev ${cfg.network.interface}
+ ip link set ${cfg.network.interface} up
+
+ echo "${luksCmd}; zpool import -a; zfs load-key -a; killall zfs" >> /root/.profile
+ '';
+ };
+ };
+ };
+}
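Review bot: In `postCommands` the two `ip route add` lines run before `ip link set ${cfg.network.interface} up`; unless the `ip=` kernel autoconf has already brought the link up by then, inserting routes on a down interface fails, so the link-up line should come first. The `cryptsetup-askpass open ${v.device} ${n}` call should be checked against the NixOS initrd helper, which as far as I know takes no arguments and simply feeds the typed passphrase to the stage-1 prompt; if so, the `open` arguments are silently ignored and the loop only works by coincidence. The files under `sshKeyLocation` are copied into the initrd at build time, so the build host must have them and they end up on the unencrypted boot partition; a comment on that option such as `# Initrd host keys: copied into the (unencrypted) initrd, must NOT be the system's /etc/ssh keys` would capture the constraint, and the remaining `mkOption` declarations likewise lack `description`s. The `killall zfs` appended to `/root/.profile` also deserves a one-line comment saying which stage-1 process it is meant to unblock.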
diff --git a/shared/platforms/hetzner.nix b/shared/platforms/hetzner.nix
new file mode 100644
index 0000000..042893c
--- /dev/null
+++ b/shared/platforms/hetzner.nix
@@ -0,0 +1,75 @@
+{ config, lib, modulesPath, ... }:
+
+with lib;
+
+let
+ cfg = config.mine.platforms.hetzner;
+
+ mkIfOption = name: attrset: lib.optionalAttrs (
+ builtins.hasAttr name config.mine
+ ) attrset;
+in {
+ options.mine.platforms.hetzner= {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ };
+
+ network = {
+ address = mkOption {
+ type = types.listOf types.str;
+ example = "[\"55.72.39.76/32\"";
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ config = mkIf cfg.enable ({
+ boot = {
+ loader = {
+ grub.enable = true;
+ grub.device = "/dev/sda";
+ };
+
+ initrd = {
+ availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+ };
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+
+ networks.hetzner = {
+ name = "enp1s0";
+
+ address = cfg.network.address;
+
+ gateway = [
+ "fe80::1"
+ "172.31.1.1"
+ ];
+
+ routes = [
+ {routeConfig = {Destination = "172.31.1.1";};}
+ {routeConfig = {Destination = "fe80::1";};}
+ ];
+
+ };
+ };
+
+ # ssh on boot
+ mine.ssh-on-boot.network = let
+ netmaskAddressList = (lib.take 3 (lib.splitString "." "135.181.98.1")) ++ ["255"];
+ netmaskAddress = lib.concatStringsSep "." netmaskAddressList;
+ in {
+ address = lib.mkDefault (lib.elemAt cfg.network.address 0);
+ gateway = lib.mkDefault "172.31.1.1";
+ netmask = lib.mkDefault netmaskAddress;
+ interface = lib.mkDefault "enp1s0";
+ };
+ });
+}
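Review bot: `netmask` in the `mine.ssh-on-boot.network` block is computed from the hard-coded `"135.181.98.1"`, which evaluates to `135.181.98.255` — not a valid netmask and unrelated to `cfg.network.address` — so the `ip=` kernel parameter built from it in ssh-luks-zfs-on-boot.nix is wrong for every host; if the assignment is always a /32 as gerd.nix's `65.108.221.240/32` suggests, `netmask = lib.mkDefault "255.255.255.255";` is the host mask, otherwise derive it from the address's prefix length. In the same block `address = lib.mkDefault (lib.elemAt cfg.network.address 0)` forwards the `/32` suffix into `ip=`, which as far as I know expects a bare address, and `lib.elemAt` throws on an empty list. Smaller points in the same file: `mkIfOption` is defined but never used, the `example` for `network.address` is a string with an unbalanced bracket rather than a list literal, and `options.mine.platforms.hetzner= {` is missing a space.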