From 3e0f8438c1d3511ebe611cc976915d3306e0bd8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Sun, 4 Feb 2024 01:05:28 +0100 Subject: [PATCH] initrd/networking: manually set networking --- hosts/biolimo/hardware-configuration.nix | 5 ++- hosts/droppie/configuration.nix | 31 +++++++++++++------ hosts/droppie/hardware-configuration.nix | 15 +++------ hosts/droppie/networking.nix | 11 ++----- hosts/frikandel/configuration.nix | 25 +++++++++++---- hosts/iso/default.nix | 1 - hosts/pie/configuration.nix | 32 +++++++++++++------- hosts/stroopwafel/configuration.nix | 1 - hosts/stroopwafel/hardware-configuration.nix | 5 ++- modules/core/boot.nix | 15 --------- 10 files changed, 76 insertions(+), 65 deletions(-) diff --git a/hosts/biolimo/hardware-configuration.nix b/hosts/biolimo/hardware-configuration.nix index 229169b..cd6f6c0 100644 --- a/hosts/biolimo/hardware-configuration.nix +++ b/hosts/biolimo/hardware-configuration.nix @@ -22,7 +22,10 @@ fsType = "ext4"; }; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b"; + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b"; + allowDiscards = true; + }; fileSystems."/boot" = { device = "/dev/disk/by-uuid/3B67-0CAB"; diff --git a/hosts/droppie/configuration.nix b/hosts/droppie/configuration.nix index b4f1f98..20f08bd 100644 --- a/hosts/droppie/configuration.nix +++ b/hosts/droppie/configuration.nix @@ -14,24 +14,35 @@ in { services.openssh.openFirewall = true; - pub-solar.core.disk-encryption-active = false; - pub-solar.user.publicKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall" ]; boot.kernelParams = [ "boot.shell_on_fail=1" - "ip=dhcp" + # Hack so that network is considered up by boot.initrd.network and postCommands gets executed. + "ip=127.0.0.1:::::lo:none" ]; - - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { + boot.initrd.availableKernelModules = [ "tg3" ]; + boot.initrd.network = { enable = true; - port = 2222; - authorizedKeys = psCfg.user.publicKeys; - hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; - shell = "/bin/cryptsetup-askpass"; + ssh = { + enable = true; + port = 2222; + authorizedKeys = psCfg.user.publicKeys; + hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; + shell = "/bin/cryptsetup-askpass"; + }; + postCommands = '' + ip link set dev enp2s0f0 up + + ip addr add 192.168.178.3/32 dev enp2s0f0 + ip route add 192.168.178.1 dev enp2s0f0 + ip route add default via 192.168.178.1 dev enp2s0f0 + + ip -6 addr add 2a02:908:5b1:e3c0:3::/128 dev enp2s0f0 + ip -6 addr add fe80:b12f:acab:1312:acab:3::/128 dev enp2s0f0 + ''; }; # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie diff --git a/hosts/droppie/hardware-configuration.nix b/hosts/droppie/hardware-configuration.nix index 2f30972..874c240 100644 --- a/hosts/droppie/hardware-configuration.nix +++ b/hosts/droppie/hardware-configuration.nix @@ -8,12 +8,15 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2"; + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/sdb2"; + allowDiscards = true; + }; fileSystems."/" = { device = "none"; @@ -50,14 +53,6 @@ [ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; } ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; - networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/droppie/networking.nix b/hosts/droppie/networking.nix index 2be1e8a..fc0c371 100644 --- a/hosts/droppie/networking.nix +++ b/hosts/droppie/networking.nix @@ -6,16 +6,9 @@ ... }: { networking.hostName = "droppie"; + networking.interfaces.enp2s0f0.useDHCP = true; + networking.interfaces.enp2s0f1.useDHCP = true; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - #networking.useDHCP = true; - #networking.interfaces.enp2s0f0.useDHCP = true; - #networking.interfaces.enp2s0f1.useDHCP = true; - - networking.useDHCP = lib.mkDefault true; networking.interfaces.enp2s0f0 = { ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ]; }; diff --git a/hosts/frikandel/configuration.nix b/hosts/frikandel/configuration.nix index b3a25a9..94c4a4d 100644 --- a/hosts/frikandel/configuration.nix +++ b/hosts/frikandel/configuration.nix @@ -15,18 +15,31 @@ in { boot.kernelParams = [ "boot.shell_on_fail=1" - "ip=128.140.109.213::172.31.1.1:255.255.255.255:frikandel-initrd.b12f.io::off" + # Hack so that network is considered up by boot.initrd.network and postCommands gets executed. + "ip=127.0.0.1:::::lo:none" ]; boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ]; boot.initrd.network = { enable = true; ssh = { - enable = true; - port = 2222; - hostKeys = [ /boot/initrd-ssh-key ]; - authorizedKeys = psCfg.user.publicKeys; - shell = "/bin/cryptsetup-askpass"; + enable = true; + port = 2222; + hostKeys = [ /boot/initrd-ssh-key ]; + authorizedKeys = psCfg.user.publicKeys; + shell = "/bin/cryptsetup-askpass"; }; + postCommands = '' + ip link set dev enp1s0 up + + ip addr add 128.140.109.213/32 dev enp1s0 + ip route add 172.31.1.1 dev enp1s0 + ip route add default via 172.31.1.1 dev enp1s0 + + ip -6 addr add 128.140.109.213/128 dev enp1s0 + ip -6 addr add 2a01:4f8:c2c:b60::/64 dev enp1s0 + ip -6 route add fe80::1 dev enp1s0 + ip -6 route add default via fe80::1 dev enp1s0 + ''; }; boot.supportedFilesystems = [ "zfs" ]; diff --git a/hosts/iso/default.nix b/hosts/iso/default.nix index 6ccfabc..c36b4f1 100644 --- a/hosts/iso/default.nix +++ b/hosts/iso/default.nix @@ -3,7 +3,6 @@ lib, ... }: { - pub-solar.core.disk-encryption-active = false; isoImage.squashfsCompression = "gzip -Xcompression-level 1"; systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; networking.networkmanager.enable = false; diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix index 8b7a4ee..d09c884 100644 --- a/hosts/pie/configuration.nix +++ b/hosts/pie/configuration.nix @@ -23,21 +23,31 @@ in { boot.kernelParams = [ "boot.shell_on_fail=1" - "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off" + # Hack so that network is considered up by boot.initrd.network and postCommands gets executed. + "ip=127.0.0.1:::::lo:none" ]; - - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { - enable = true; - port = 2222; - authorizedKeys = psCfg.user.publicKeys; - hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"]; - shell = "/bin/cryptsetup-askpass"; - }; # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3 boot.initrd.availableKernelModules = [ "genet" ]; + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + port = 2222; + authorizedKeys = psCfg.user.publicKeys; + hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"]; + shell = "/bin/cryptsetup-askpass"; + }; + postCommands = '' + ip link set dev enabcm6e4ei0 up - pub-solar.core.disk-encryption-active = false; + ip addr add 192.168.178.2/32 dev enabcm6e4ei0 + ip route add 192.168.178.1 dev enabcm6e4ei0 + ip route add default via 192.168.178.1 dev enabcm6e4ei0 + + ip -6 addr add 2a02:908:5b1:e3c0:2::/128 dev enabcm6e4ei0 + ip -6 addr add fe80:b12f:acab:1312:acab:2::/128 dev enabcm6e4ei0 + ''; + }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/stroopwafel/configuration.nix b/hosts/stroopwafel/configuration.nix index 048fe84..5a0c4d0 100644 --- a/hosts/stroopwafel/configuration.nix +++ b/hosts/stroopwafel/configuration.nix @@ -21,7 +21,6 @@ DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2 ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd ''; - pub-solar.core.disk-encryption-active = false; pub-solar.core.hibernation.enable = true; pub-solar.core.hibernation.resumeDevice = "/dev/mapper/vg0-swap"; diff --git a/hosts/stroopwafel/hardware-configuration.nix b/hosts/stroopwafel/hardware-configuration.nix index 40936cf..7a09048 100644 --- a/hosts/stroopwafel/hardware-configuration.nix +++ b/hosts/stroopwafel/hardware-configuration.nix @@ -13,7 +13,10 @@ boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-id/md-name-nixos:root"; + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-id/md-name-nixos:root"; + allowDiscards = true; + }; fileSystems."/" = { device = "none"; diff --git a/modules/core/boot.nix b/modules/core/boot.nix index 11c549c..00a843e 100644 --- a/modules/core/boot.nix +++ b/modules/core/boot.nix @@ -7,23 +7,8 @@ with lib; let cfg = config.pub-solar.core; in { - options.pub-solar.core.disk-encryption-active = mkOption { - type = types.bool; - default = true; - description = "Whether it should be assumed that there is a cryptroot device"; - }; - config = { boot = { - # Mount / luks device in initrd - # Allow fstrim to work on it. - # The ! makes this enabled by default - initrd = mkIf cfg.disk-encryption-active { - luks.devices."cryptroot" = { - allowDiscards = true; - }; - }; - loader.systemd-boot.enable = lib.mkDefault true; # Use latest LTS linux kernel by default