From 6672846d59f81a599801b6a20313364b1e66bfc4 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Wed, 31 May 2023 16:34:13 +0200
Subject: [PATCH] feat: modularize hetzner-cloud and odroid-n2plus hardware
---
 hosts/common/bios-boot.nix | 10 +++++++
 hosts/common/core/system.nix | 13 +++++++---
 hosts/common/hardware/hetzner-cloud.nix | 3 +++
 hosts/common/hardware/odroid-n2plus.nix | 33 ++++++++++++++++++++++++
 hosts/sentinel/default.nix | 10 +++---
 hosts/sentinel/fs.nix | 2 +-
 hosts/sentinel/net.nix | 9 +++++++
 hosts/sentinel/secrets/host.pub | 1 +
 hosts/sentinel/secrets/local.nix.age | Bin 816 -> 747 bytes
 hosts/zackbiene/default.nix | 26 +++---------------
 modules/wireguard.nix | 7 ++++-
 11 files changed, 79 insertions(+), 35 deletions(-)
 create mode 100644 hosts/common/bios-boot.nix
 create mode 100644 hosts/common/hardware/hetzner-cloud.nix
 create mode 100644 hosts/common/hardware/odroid-n2plus.nix
 create mode 100644 hosts/sentinel/secrets/host.pub
diff --git a/hosts/common/bios-boot.nix b/hosts/common/bios-boot.nix
new file mode 100644
index 0000000..e578418
--- /dev/null
+++ b/hosts/common/bios-boot.nix
@@ -0,0 +1,10 @@
+{lib, ...}: {
+ boot.loader = {
+ grub = {
+ enable = true;
+ efiSupport = false;
+ };
+ timeout = lib.mkDefault 2;
+ };
+ console.earlySetup = true;
+}
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index 0149f93..a12bff1 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -1,10 +1,10 @@
 {
+ config,
 extraLib,
 inputs,
 lib,
- nodeName,
 nodePath,
- options,
+ pkgs,
 ...
 }: {
 # IP address math library
@@ -290,7 +290,14 @@
 };
 boot = {
- initrd.systemd.enable = true;
+ initrd.systemd = {
+ enable = true;
+ emergencyAccess = config.repo.secrets.global.root.hashedPassword;
+ # TODO good idea? targets.emergency.wants = ["network.target" "sshd.service"];
+ extraBin = with pkgs; {
+ ip = "${iproute2}/bin/ip";
+ };
+ };
 # Add "rd.systemd.unit=rescue.target" to debug initrd
 kernelParams = ["log_buf_len=10M"];
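Review bot: In bios-boot.nix only `timeout` is wrapped in `lib.mkDefault`, while `enable = true` and `efiSupport = false` are set unconditionally, so a host importing this module cannot switch to EFI or another loader without `lib.mkForce`; either make all three overridable or say in a header comment that the module is legacy-BIOS only. The module also relies on the importer to set `boot.loader.grub.devices` (sentinel/default.nix does this in the same commit), which is worth stating at the top, e.g. `# Legacy BIOS boot via GRUB. Importers must set boot.loader.grub.devices.`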
diff --git a/hosts/common/hardware/hetzner-cloud.nix b/hosts/common/hardware/hetzner-cloud.nix
new file mode 100644
index 0000000..7558c0c
--- /dev/null
+++ b/hosts/common/hardware/hetzner-cloud.nix
@@ -0,0 +1,3 @@
+{
+ boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
+}
diff --git a/hosts/common/hardware/odroid-n2plus.nix b/hosts/common/hardware/odroid-n2plus.nix
new file mode 100644
index 0000000..ab73d1f
--- /dev/null
+++ b/hosts/common/hardware/odroid-n2plus.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ nixos-hardware,
+ pkgs,
+ ...
+}: {
+ imports = [
+ nixos-hardware.common-pc-ssd
+ ./physical.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "usbhid"
+ "usb_storage"
+ # Ethernet
+ "dwmac_generic"
+ "dwmac_meson8b"
+ "cfg80211"
+ # HDMI
+ "snd_soc_meson_g12a_tohdmitx"
+ "snd_soc_meson_g12a_toacodec"
+ "mdio_mux_meson_g12a"
+ "dw_hdmi"
+ "meson_vdec"
+ "meson_dw_hdmi"
+ "meson_drm"
+ "meson_rng"
+ "drm"
+ "display_connector"
+ ];
+ boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
+}
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 3ab2d0b..a96e2b7 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -5,6 +5,8 @@
 }: {
 imports = [
 ../common/core
+ ../common/hardware/hetzner-cloud.nix
+ ../common/bios-boot.nix
 ../common/initrd-ssh.nix
 ../common/zfs.nix
@@ -13,11 +15,5 @@
 ./nginx.nix
 ];
- boot.loader.timeout = lib.mkDefault 2;
- boot.loader.grub = {
- enable = true;
- efiSupport = false;
- devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
- };
- console.earlySetup = true;
+ boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 }
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
index 7d4038e..1714055 100644
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@@ -1,6 +1,5 @@
 {
 config,
- lib,
 extraLib,
 pkgs,
 ...
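Review bot: `lib`, `config` and `pkgs` are bound in the argument set of odroid-n2plus.nix but nothing in the module body uses them; only `nixos-hardware` is referenced, so the header can shrink to `{nixos-hardware, ...}: {`. That also matches hetzner-cloud.nix, added in the same commit, which takes no module arguments at all.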
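Review bot: The removed `boot.loader.timeout = lib.mkDefault 2;` was the only use of `lib` visible in sentinel/default.nix, and the replacement `boot.loader.grub.devices` line needs only `config`; the module's argument set lies outside this hunk, so if nothing else in the file references `lib`, drop it from the arguments the way fs.nix does in this same commit.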
@@ -40,6 +39,7 @@
 };
 };
+ boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
 fileSystems."/persist".neededForBoot = true;
 # After importing the rpool, rollback the root system to be empty.
diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
index c2369ca..cff7a1e 100644
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@@ -20,6 +20,15 @@
 icfg.hostCidrv6
 ];
 gateway = ["fe80::1"];
+ routes = [
+ {routeConfig = {Destination = "172.31.1.1";};}
+ {
+ routeConfig = {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ };
+ }
+ ];
 matchConfig.MACAddress = icfg.mac;
 networkConfig.IPv6PrivacyExtensions = "yes";
 linkConfig.RequiredForOnline = "routable";
diff --git a/hosts/sentinel/secrets/host.pub b/hosts/sentinel/secrets/host.pub
new file mode 100644
index 0000000..c7bc451
--- /dev/null
+++ b/hosts/sentinel/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv
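Review bot: `boot.initrd.luks.devices.enc-rpool.allowDiscards = true;` passes TRIM through the LUKS layer, so anyone who can read the raw device learns which blocks of the encrypted pool are unused; the NixOS option description itself calls this out as a security tradeoff. The decision should be recorded next to the line so it is not "fixed" later by accident, e.g. `# Security tradeoff: TRIM passthrough reveals the free-space layout of the encrypted pool.`, ideally with the reason it is accepted for this host.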
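Review bot: The literal `172.31.1.1` appears twice in the new `routes` list in net.nix with no indication of where it comes from; it is presumably the provider's IPv4 gateway, which would explain the host route followed by `GatewayOnLink = true`, but a reader cannot tell that from the file. Since this commit also introduces hosts/common/hardware/hetzner-cloud.nix for this host, consider naming the gateway once there, or at minimum comment the block: `# Provider gateway is outside the host's assigned prefix, so it must be reached on-link.`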
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age index c5de8ef9ec062557f03a65914c4bcf58ec564582..acf8c42481b310f7ee2813d8cb4130da9970b0b9 100644 GIT binary patch delta 727 zcmV;|0x12k2I~coAb(U$b3{3CD|BsoM=w=bZ#7hJFhf}~Z%ILIV|a8~NOwy{Y;bI9 zQ)+22Q3_c_L3CAVWqB)5VMHrTL~J%|bx1fwLS|4+aBFZ>OEOMHR%K*KNlkV_YYHts zAaH4REpRe5HXwL$Q)M_&AVD`oS1?#{ZdWlYQ&Lq*V_G(COn+EwX?apmFi?1GSTRa@ zZbwFIGBI^IXmbizMqxHnM|pQwQdmZBa%N~|SSw<9H86NHXhm~2RdsY>S2RIQS2cE5 zPh$!#J|JUiRwqX-XL4m>b7dfEZBI&6AaN>rAY61sEedQ}GDLWBH)nETN_I$ecVtUz zOfg4rPHIGFO@BsWZA4CNaB)jkK}BImL@RVLX9_JXEg(*4bW(C+Filifc4#p#F*0Rh zGb=Q9F?mr=D>X%NVp?)UO=VU=F;GNUFbZdkwcI<3Q{GVc4r7hElnVf>wPcy|R0^Vx z(o+hq*q15eMcRw_G5fJPlG!6df_;Oy7f(Sc7j%YLv6pj5k-w%v38CK?;p=#_0u>d;pGbu(XfScq=7(`f z>DCboMSr!YXXv3@i#b?+y!xxLv33s?<>3&RC9^zff)^v0yEfX6zmI7A&2Cg<<4jI2 z9I=M&8EW$)4=tCrieNES|EUW39T8D{4y#^UxVsqF&N)y+*=<_6rgu8Fn)o>ZACAX1 z;5cmIuqm;G??4t*`ThcsL!Wbm7R`7jS$!2y{7?d$$9(*^UIW7|CiLi8&kIQ_zi^S5 z|Iqp_+frmB#gQPu^S)sW%9Y0i4_7vXAn>c!249eDOyVqhj6)~wxPv?D^=c9w;{yIn Jl`h06G5MhmENK7$ delta 797 zcmV+&1LFMa1+WH?Ab(;{Xhd~!aaBiIcy~5*cx_d4S~oB=LsKtHOgS($H)%mQb#pa% zW@2+iGzu$YXm4y`F=#PEXj5)TRcvi-MnghRLQhmlP&O-0N;pksF?UCIH%4++I0`L3 zAaH4REpRe5HXwL$Q)M_&AVGI(MpamHLSjf-Npo#zY->m{LVq$;Pf%8EP*rMEN=|2Q zNli90R(e=?VK53*b46G~dRH)VO?rATN@p)KWGi)eD@RXdLvS%OMMY9gdPj3wWimEc zGEoXGJ|JB$D=lYoWnpt=3P(|POH^emV?=dVZg*KQOhZ&RF;GuSYgTwjFh@*xT4!@) zYIu2XPcdVg_lT69J=6T4ql(Mo@D{T1Q1`dShr~Q8qRTOm_+`EiE8& zVNqmMXj5WMGeuNULrh~YZ^*P@l$xW!oiZ`IluZVh®XpdE%E@QX}`K+#|-|;3+)leYEW#bN8 z&hAn5*ZO&mzDG1_6`4e|YMly{FT20!L^)DbU+;%}%q+9<2Aahj>e zP<)CLz<(4u)d%9`k$)*N>mM>|J+utH;b_V4_e|&tzs-4_z_jtslH99?1^UNdHr!#& z3B5)-P9XZJ)nvsG9F=vB<5t@M##bWGbh?63qj(>@d`B>f+5lA1LkRWfsL5Q}@+N%2 zuWRsfDN+NXtYl78u5`IWu6rQ(=^dZ?N`O_{Sbu;bgMCm0r8p1OH8-o3K$ijW){qA8 zw7oZpIXZ^BD5)o?T>O33athf=m5RiY;eu4ODGzt)w>m`_3cp%3 b;})W#x$n07q+c>9uJ{L&E!DFlLpBm!Sbs>S diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 54b21dd..9fb5c17 100644 --- a/hosts/zackbiene/default.nix 
+++ b/hosts/zackbiene/default.nix
@@ -6,10 +6,8 @@
 ...
 }: {
 imports = [
- nixos-hardware.common-pc-ssd
- ../common/core
- ../common/hardware/physical.nix
+ ../common/hardware/odroid-n2plus.nix
 #../common/initrd-ssh.nix
 ../common/zfs.nix
@@ -25,28 +23,10 @@
 ./zigbee2mqtt.nix
 ];
+ # TODO replace by bios-boot.nix
+ # and grub.devices = ... once disko is in use.
 boot.loader.grub.enable = false;
 boot.loader.generic-extlinux-compatible.enable = true;
- boot.initrd.availableKernelModules = [
- "usbhid"
- "usb_storage"
- # Ethernet
- "dwmac_generic"
- "dwmac_meson8b"
- "cfg80211"
- # HDMI
- "snd_soc_meson_g12a_tohdmitx"
- "snd_soc_meson_g12a_toacodec"
- "mdio_mux_meson_g12a"
- "dw_hdmi"
- "meson_vdec"
- "meson_dw_hdmi"
- "meson_drm"
- "meson_rng"
- "drm"
- "display_connector"
- ];
- boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
 console.earlySetup = true;
 # Fails if there are no SMART devices
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 2998167..f9b41dc 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -26,6 +26,7 @@
 mkOption
 optionalAttrs
 optionals
+ stringLength
 types
 ;
@@ -132,6 +133,10 @@
 assertion = isClient -> ((wgCfgOf wgCfg.client.via).server.host != null);
 message = "${assertionPrefix}: The specified via node '${wgCfg.client.via}' must be a wireguard server.";
 }
+ {
+ assertion = stringLength wgCfg.linkName < 16;
+ message = "${assertionPrefix}: The specified linkName '${wgCfg.linkName}' is too long (must be max 15 characters).";
+ }
 # TODO at least 3 network participants and (externalPeers != {} or someone has via set to us) -> ip forwarding
 ];
@@ -331,7 +336,7 @@ in {
 };
 linkName = mkOption {
- default = "wg-${name}";
+ default = name;
 type = types.str;
 description = mdDoc "The name for the created network interface.";
 };
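Review bot: Replacing the three imports with `../common/hardware/odroid-n2plus.nix` silently drops `../common/core` from zackbiene's imports: the new odroid-n2plus.nix module imports only `nixos-hardware.common-pc-ssd` and `./physical.nix`, so unless physical.nix pulls core in itself (sentinel/default.nix imports core separately, which suggests it does not), this host loses the whole hosts/common/core configuration. Keep `../common/core` as its own import line beside the new hardware module.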
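Review bot: The bound in `stringLength wgCfg.linkName < 16` is the kernel's IFNAMSIZ including the terminating NUL, and `stringLength` counts bytes rather than characters, which is the right measure for that limit but not what the message's "15 characters" suggests to a reader. A comment above the assertion spares the next maintainer the lookup, e.g. `# IFNAMSIZ is 16 bytes including the NUL terminator; stringLength counts bytes, matching the kernel's check.`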
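Review bot: With `default = name;` the created interface no longer carries the `wg-` prefix, so a wireguard network named like an existing link on the host would now collide with it, and the new assertion added earlier in this commit only checks length. Either keep a prefix in the default or make the contract explicit in the option, `description = mdDoc "The name for the created network interface. Defaults to the network name, so it must be unique among the host's links and at most 15 bytes long.";`.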