initrd/networking: manually set networking

2024-02-04 01:05:28 +01:00 · 2024-02-04 01:05:28 +01:00 · 3e0f8438c1
parent 5fe27940b4
commit 3e0f8438c1
10 changed files with 76 additions and 65 deletions
--- a/hosts/biolimo/hardware-configuration.nix
+++ b/hosts/biolimo/hardware-configuration.nix
@ -22,7 +22,10 @@
    fsType = "ext4";
  };
-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
+  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
    allowDiscards = true;
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/3B67-0CAB";
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@ -14,25 +14,36 @@ in {
  services.openssh.openFirewall = true;
  pub-solar.core.disk-encryption-active = false;
  pub-solar.user.publicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
  ];
  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=dhcp"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
    "ip=127.0.0.1:::::lo:none"
  ];
-
+  boot.initrd.availableKernelModules = [ "tg3" ];
-  boot.initrd.network.enable = true;
+  boot.initrd.network = {
-  boot.initrd.network.ssh = {
+    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      authorizedKeys = psCfg.user.publicKeys;
      hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
      shell = "/bin/cryptsetup-askpass";
    };
    postCommands = ''
      ip link set dev enp2s0f0 up
      ip addr add 192.168.178.3/32 dev enp2s0f0
      ip route add 192.168.178.1 dev enp2s0f0
      ip route add default via 192.168.178.1 dev enp2s0f0
      ip -6 addr add 2a02:908:5b1:e3c0:3::/128 dev enp2s0f0
      ip -6 addr add fe80:b12f:acab:1312:acab:3::/128 dev enp2s0f0
    '';
  };
  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
  age.secrets."droppie-ssh-root.key" = {
--- a/hosts/droppie/hardware-configuration.nix
+++ b/hosts/droppie/hardware-configuration.nix
@ -8,12 +8,15 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
-  boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";
+  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/sdb2";
    allowDiscards = true;
  };
  fileSystems."/" =
    { device = "none";
@ -50,14 +53,6 @@
    [ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.useDHCP = lib.mkDefault true;
  networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
  networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@ -6,16 +6,9 @@
  ...
 }: {
  networking.hostName = "droppie";
  networking.interfaces.enp2s0f0.useDHCP = true;
  networking.interfaces.enp2s0f1.useDHCP = true;
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  #networking.useDHCP = true;
  #networking.interfaces.enp2s0f0.useDHCP = true;
  #networking.interfaces.enp2s0f1.useDHCP = true;
  networking.useDHCP = lib.mkDefault true;
  networking.interfaces.enp2s0f0 = {
    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
  };
--- a/hosts/frikandel/configuration.nix
+++ b/hosts/frikandel/configuration.nix
@ -15,7 +15,8 @@ in {
  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=128.140.109.213::172.31.1.1:255.255.255.255:frikandel-initrd.b12f.io::off"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
    "ip=127.0.0.1:::::lo:none"
  ];
  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ];
  boot.initrd.network = {
@ -27,6 +28,18 @@ in {
      authorizedKeys = psCfg.user.publicKeys;
      shell = "/bin/cryptsetup-askpass";
    };
    postCommands = ''
      ip link set dev enp1s0 up
      ip addr add 128.140.109.213/32 dev enp1s0
      ip route add 172.31.1.1 dev enp1s0
      ip route add default via 172.31.1.1 dev enp1s0
      ip -6 addr add 128.140.109.213/128 dev enp1s0
      ip -6 addr add 2a01:4f8:c2c:b60::/64 dev enp1s0
      ip -6 route add fe80::1 dev enp1s0
      ip -6 route add default via fe80::1 dev enp1s0
    '';
  };
  boot.supportedFilesystems = [ "zfs" ];
--- a/hosts/iso/default.nix
+++ b/hosts/iso/default.nix
@ -3,7 +3,6 @@
  lib,
  ...
 }: {
  pub-solar.core.disk-encryption-active = false;
  isoImage.squashfsCompression = "gzip -Xcompression-level 1";
  systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
  networking.networkmanager.enable = false;
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -23,21 +23,31 @@ in {
  boot.kernelParams = [
    "boot.shell_on_fail=1"
-    "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off"
+    # Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
    "ip=127.0.0.1:::::lo:none"
  ];
-
+  # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
-  boot.initrd.network.enable = true;
+  boot.initrd.availableKernelModules = [ "genet" ];
-  boot.initrd.network.ssh = {
+  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      authorizedKeys = psCfg.user.publicKeys;
      hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
      shell = "/bin/cryptsetup-askpass";
    };
-  # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
+    postCommands = ''
-  boot.initrd.availableKernelModules = [ "genet" ];
+      ip link set dev enabcm6e4ei0 up
-  pub-solar.core.disk-encryption-active = false;
+      ip addr add 192.168.178.2/32 dev enabcm6e4ei0
      ip route add 192.168.178.1 dev enabcm6e4ei0
      ip route add default via 192.168.178.1 dev enabcm6e4ei0
      ip -6 addr add 2a02:908:5b1:e3c0:2::/128 dev enabcm6e4ei0
      ip -6 addr add fe80:b12f:acab:1312:acab:2::/128 dev enabcm6e4ei0
    '';
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
--- a/hosts/stroopwafel/configuration.nix
+++ b/hosts/stroopwafel/configuration.nix
@ -21,7 +21,6 @@ DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2
 ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd
  '';
  pub-solar.core.disk-encryption-active = false;
  pub-solar.core.hibernation.enable = true;
  pub-solar.core.hibernation.resumeDevice = "/dev/mapper/vg0-swap";
--- a/hosts/stroopwafel/hardware-configuration.nix
+++ b/hosts/stroopwafel/hardware-configuration.nix
@ -13,7 +13,10 @@
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-id/md-name-nixos:root";
+  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-id/md-name-nixos:root";
    allowDiscards = true;
  };
  fileSystems."/" =
    { device = "none";
--- a/modules/core/boot.nix
+++ b/modules/core/boot.nix
@ -7,23 +7,8 @@
 with lib; let
  cfg = config.pub-solar.core;
 in {
  options.pub-solar.core.disk-encryption-active = mkOption {
    type = types.bool;
    default = true;
    description = "Whether it should be assumed that there is a cryptroot device";
  };
  config = {
    boot = {
      # Mount / luks device in initrd
      # Allow fstrim to work on it.
      # The ! makes this enabled by default
      initrd = mkIf cfg.disk-encryption-active {
        luks.devices."cryptroot" = {
          allowDiscards = true;
        };
      };
      loader.systemd-boot.enable = lib.mkDefault true;
      # Use latest LTS linux kernel by default