initrd/networking: manually set networking

2024-02-04 01:05:28 +01:00 · 2024-02-04 01:05:28 +01:00 · 3e0f8438c1
parent 5fe27940b4
commit 3e0f8438c1
10 changed files with 76 additions and 65 deletions
--- a/hosts/biolimo/hardware-configuration.nix
+++ b/hosts/biolimo/hardware-configuration.nix
@ -22,7 +22,10 @@
    fsType = "ext4";
  };

-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+    allowDiscards = true;
+  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/3B67-0CAB";
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@ -14,24 +14,35 @@ in {

  services.openssh.openFirewall = true;

-  pub-solar.core.disk-encryption-active = false;
-
  pub-solar.user.publicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
  ];

  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=dhcp"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
+    "ip=127.0.0.1:::::lo:none"
  ];
-
-  boot.initrd.network.enable = true;
-  boot.initrd.network.ssh = {
+  boot.initrd.availableKernelModules = [ "tg3" ];
+  boot.initrd.network = {
    enable = true;
-    port = 2222;
-    authorizedKeys = psCfg.user.publicKeys;
-    hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
-    shell = "/bin/cryptsetup-askpass";
+    ssh = {
+      enable = true;
+      port = 2222;
+      authorizedKeys = psCfg.user.publicKeys;
+      hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
+      shell = "/bin/cryptsetup-askpass";
+    };
+    postCommands = ''
+      ip link set dev enp2s0f0 up
+
+      ip addr add 192.168.178.3/32 dev enp2s0f0
+      ip route add 192.168.178.1 dev enp2s0f0
+      ip route add default via 192.168.178.1 dev enp2s0f0
+
+      ip -6 addr add 2a02:908:5b1:e3c0:3::/128 dev enp2s0f0
+      ip -6 addr add fe80:b12f:acab:1312:acab:3::/128 dev enp2s0f0
+    '';
  };

  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
--- a/hosts/droppie/hardware-configuration.nix
+++ b/hosts/droppie/hardware-configuration.nix
@ -8,12 +8,15 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/sdb2";
+    allowDiscards = true;
+  };

  fileSystems."/" =
    { device = "none";
@ -50,14 +53,6 @@
    [ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
    ];

-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  # networking.useDHCP = lib.mkDefault true;
-  networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
-  networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
-
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@ -6,16 +6,9 @@
  ...
 }: {
  networking.hostName = "droppie";
+  networking.interfaces.enp2s0f0.useDHCP = true;
+  networking.interfaces.enp2s0f1.useDHCP = true;

-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  #networking.useDHCP = true;
-  #networking.interfaces.enp2s0f0.useDHCP = true;
-  #networking.interfaces.enp2s0f1.useDHCP = true;
-
-  networking.useDHCP = lib.mkDefault true;
  networking.interfaces.enp2s0f0 = {
    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
  };
--- a/hosts/frikandel/configuration.nix
+++ b/hosts/frikandel/configuration.nix
@ -15,18 +15,31 @@ in {

  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=128.140.109.213::172.31.1.1:255.255.255.255:frikandel-initrd.b12f.io::off"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
+    "ip=127.0.0.1:::::lo:none"
  ];
  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ];
  boot.initrd.network = {
    enable = true;
    ssh = {
-       enable = true;
-       port = 2222;
-       hostKeys = [ /boot/initrd-ssh-key ];
-       authorizedKeys = psCfg.user.publicKeys;
-       shell = "/bin/cryptsetup-askpass";
+      enable = true;
+      port = 2222;
+      hostKeys = [ /boot/initrd-ssh-key ];
+      authorizedKeys = psCfg.user.publicKeys;
+      shell = "/bin/cryptsetup-askpass";
    };
+    postCommands = ''
+      ip link set dev enp1s0 up
+
+      ip addr add 128.140.109.213/32 dev enp1s0
+      ip route add 172.31.1.1 dev enp1s0
+      ip route add default via 172.31.1.1 dev enp1s0
+
+      ip -6 addr add 128.140.109.213/128 dev enp1s0
+      ip -6 addr add 2a01:4f8:c2c:b60::/64 dev enp1s0
+      ip -6 route add fe80::1 dev enp1s0
+      ip -6 route add default via fe80::1 dev enp1s0
+    '';
  };

  boot.supportedFilesystems = [ "zfs" ];
--- a/hosts/iso/default.nix
+++ b/hosts/iso/default.nix
@ -3,7 +3,6 @@
  lib,
  ...
 }: {
-  pub-solar.core.disk-encryption-active = false;
  isoImage.squashfsCompression = "gzip -Xcompression-level 1";
  systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
  networking.networkmanager.enable = false;
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -23,21 +23,31 @@ in {

  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
+    "ip=127.0.0.1:::::lo:none"
  ];
-
-  boot.initrd.network.enable = true;
-  boot.initrd.network.ssh = {
-    enable = true;
-    port = 2222;
-    authorizedKeys = psCfg.user.publicKeys;
-    hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
-    shell = "/bin/cryptsetup-askpass";
-  };
  # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
  boot.initrd.availableKernelModules = [ "genet" ];
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 2222;
+      authorizedKeys = psCfg.user.publicKeys;
+      hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
+      shell = "/bin/cryptsetup-askpass";
+    };
+    postCommands = ''
+      ip link set dev enabcm6e4ei0 up

-  pub-solar.core.disk-encryption-active = false;
+      ip addr add 192.168.178.2/32 dev enabcm6e4ei0
+      ip route add 192.168.178.1 dev enabcm6e4ei0
+      ip route add default via 192.168.178.1 dev enabcm6e4ei0
+
+      ip -6 addr add 2a02:908:5b1:e3c0:2::/128 dev enabcm6e4ei0
+      ip -6 addr add fe80:b12f:acab:1312:acab:2::/128 dev enabcm6e4ei0
+    '';
+  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
--- a/hosts/stroopwafel/configuration.nix
+++ b/hosts/stroopwafel/configuration.nix
@ -21,7 +21,6 @@ DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2
 ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd
  '';

-  pub-solar.core.disk-encryption-active = false;
  pub-solar.core.hibernation.enable = true;
  pub-solar.core.hibernation.resumeDevice = "/dev/mapper/vg0-swap";

--- a/hosts/stroopwafel/hardware-configuration.nix
+++ b/hosts/stroopwafel/hardware-configuration.nix
@ -13,7 +13,10 @@
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-id/md-name-nixos:root";
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-id/md-name-nixos:root";
+    allowDiscards = true;
+  };

  fileSystems."/" =
    { device = "none";
--- a/modules/core/boot.nix
+++ b/modules/core/boot.nix
@ -7,23 +7,8 @@
 with lib; let
  cfg = config.pub-solar.core;
 in {
-  options.pub-solar.core.disk-encryption-active = mkOption {
-    type = types.bool;
-    default = true;
-    description = "Whether it should be assumed that there is a cryptroot device";
-  };
-
  config = {
    boot = {
-      # Mount / luks device in initrd
-      # Allow fstrim to work on it.
-      # The ! makes this enabled by default
-      initrd = mkIf cfg.disk-encryption-active {
-        luks.devices."cryptroot" = {
-          allowDiscards = true;
-        };
-      };
-
      loader.systemd-boot.enable = lib.mkDefault true;

      # Use latest LTS linux kernel by default