feat(zackbiene): start clean; add kea instead of dhcpcd

chore: switch to hosts.toml

README.md

@@ -79,7 +79,7 @@ but here's a quick breakdown of the what you will find where.
 Afterwards:
 
 - Run `install-system` in the live environment and reboot
-- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ed25519.*' > host/<host>/secrets/host.pub`
+- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub`
 - (If the host has microvms, also retrieve their identities!)
 - Rekey the secrets for the new identity `nix run .#rekey`
 - Deploy again remotely via colmena

flake.lock

@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689334118,
-        "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=",
+        "lastModified": 1690228878,
+        "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143",
+        "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690148072,
-        "narHash": "sha256-R7bk2ij1b06Wc8S3L/guz6Mape5HtKp/YZUyJaxSFa8=",
+        "lastModified": 1690278259,
+        "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "713eb78002e69bd77f5a69595756fd2e564233f3",
+        "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170",
         "type": "github"
       },
       "original": {
@@ -364,11 +364,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690208251,
-        "narHash": "sha256-eb/KANeuQADVl5j4wVid4jyPCOMTorSI2+gqoXp3LME=",
+        "lastModified": 1690269402,
+        "narHash": "sha256-SybA24IOGigiHfcTB5eBge4UZQI6a0z8Ah+EzD17tdk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d309a62ee81faec56dd31a263a0184b0e3227e36",
+        "rev": "0306d5ed7e9d1662b55ec0d08afc73d4cb5eadca",
         "type": "github"
       },
       "original": {
@@ -499,11 +499,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1690031011,
-        "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=",
+        "lastModified": 1690179384,
+        "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "12303c652b881435065a98729eb7278313041e49",
+        "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
         "type": "github"
       },
       "original": {

flake.nix

@@ -92,19 +92,10 @@
         extraEncryptionPubkeys = [./secrets/backup.pub];
       };
 
-      # This is the list of hosts that this flake defines, plus the minimum
-      # amount of metadata that is necessary to instanciate it correctly.
-      hosts = let
-        nixos = system: {
-          type = "nixos";
-          inherit system;
-        };
-      in {
-        nom = nixos "x86_64-linux";
-        sentinel = nixos "x86_64-linux";
-        ward = nixos "x86_64-linux";
-        zackbiene = nixos "aarch64-linux";
-      };
+      # Load the list of hosts that this flake defines, which
+      # associates the minimum amount of metadata that is necessary
+      # to instanciate hosts correctly.
+      hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);
 
       # This will process all defined hosts of type "nixos" and
       # generate the required colmena definition for each host.

hosts.toml

@@ -0,0 +1,15 @@
+[nom]
+type = "nixos"
+system = "x86_64-linux"
+
+[sentinel]
+type = "nixos"
+system = "x86_64-linux"
+
+[ward]
+type = "nixos"
+system = "x86_64-linux"
+
+[zackbiene]
+type = "nixos"
+system = "aarch64-linux"

hosts/ward/kea.nix

@@ -1,77 +1,60 @@
 {
-  config,
   lib,
   utils,
   nodes,
   ...
 }: let
-  inherit
-    (lib)
-    flip
-    mapAttrsToList
-    mkOption
-    net
-    types
-    ;
-
+  inherit (lib) net;
   lanCidrv4 = "192.168.100.0/24";
   dnsIp = net.cidr.host 2 lanCidrv4;
 in {
   # TODO make meta.kea module?
   # TODO reserve by default using assignIps algo?
-  options.networking.dhcp4Reservations = mkOption {
-    default = {};
-    type = types.attrsOf (types.net.ipv4-in lanCidrv4);
-    description = "Maps MAC addresses to their reserved ipv4 address.";
-  };
-
-  config = {
-    services.kea.dhcp4 = {
-      enable = true;
-      settings = {
-        lease-database = {
-          name = "/var/lib/kea/dhcp4.leases";
-          persist = true;
-          type = "memfile";
-        };
-        valid-lifetime = 4000;
-        renew-timer = 1000;
-        rebind-timer = 2000;
-        interfaces-config = {
-          # XXX: why does this bind other macvtaps?
-          interfaces = ["lan-self"];
-          service-sockets-max-retries = -1;
-        };
-        option-data = [
-          {
-            name = "domain-name-servers";
-            data = dnsIp;
-          }
-        ];
-        subnet4 = [
-          {
-            interface = "lan-self";
-            subnet = lanCidrv4;
-            pools = [
-              {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
-            ];
-            option-data = [
-              {
-                name = "routers";
-                data = net.cidr.host 1 lanCidrv4;
-              }
-            ];
-            reservations = [
-              {
-                hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
-                ip-address = dnsIp;
-              }
-            ];
-          }
-        ];
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
       };
+      valid-lifetime = 4000;
+      renew-timer = 1000;
+      rebind-timer = 2000;
+      interfaces-config = {
+        # XXX: why does this bind other macvtaps?
+        interfaces = ["lan-self"];
+        service-sockets-max-retries = -1;
+      };
+      option-data = [
+        {
+          name = "domain-name-servers";
+          data = dnsIp;
+        }
+      ];
+      subnet4 = [
+        {
+          interface = "lan-self";
+          subnet = lanCidrv4;
+          pools = [
+            {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = net.cidr.host 1 lanCidrv4;
+            }
+          ];
+          reservations = [
+            {
+              hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+              ip-address = dnsIp;
+            }
+          ];
+        }
+      ];
     };
-
-    systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
   };
+
+  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
 }

hosts/ward/microvms/common.nix

@@ -7,7 +7,7 @@ in {
     proxy = "sentinel";
   };
 
-  # Connect safely via wireguard to skip authentication
+  # Connect safely via wireguard to skip http authentication
   networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
   meta.telegraf = {
     enable = true;

hosts/zackbiene/default.nix

@@ -1,4 +1,10 @@
-{lib, ...}: {
+{
+  lib,
+  nodes,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+in {
   imports = [
     ../../modules/optional/hardware/odroid-n2plus.nix
 
@@ -7,17 +13,32 @@
     ../../modules/optional/initrd-ssh.nix
     ../../modules/optional/zfs.nix
 
-    #./dnsmasq.nix
     #./esphome.nix
     ./fs.nix
     #./home-assistant.nix
-    #./hostapd.nix
+    ./hostapd.nix
     #./mosquitto.nix
+    ./kea.nix
     ./net.nix
     #./nginx.nix
     #./zigbee2mqtt.nix
   ];
 
+  meta.wireguard-proxy.sentinel = {};
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip http authentication
+  networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
+  meta.telegraf = {
+    enable = true;
+    influxdb2.domain = sentinelCfg.networking.providedDomains.influxdb;
+    influxdb2.organization = "servers";
+    influxdb2.bucket = "telegraf";
+  };
+
   # Fails if there are no SMART devices
   services.smartd.enable = lib.mkForce false;
 }

hosts/zackbiene/dnsmasq.nix

@@ -1,21 +0,0 @@
-{
-  services.dnsmasq = {
-    enable = true;
-    resolveLocalQueries = false;
-    settings = {
-      interface = "wlan1";
-      dhcp-authoritative = true;
-      dhcp-range = [
-        "10.0.90.10,10.0.90.240,24h"
-        "fd90::10,fd90::ff0,24h"
-      ];
-
-      # Enable ipv6 router advertisements
-      enable-ra = true;
-      # Don't use anything from /etc/resolv.conf
-      no-resolv = true;
-      # Never forward addresses in the non-routed address spaces.
-      bogus-priv = true;
-    };
-  };
-}

hosts/zackbiene/hostapd.nix

@@ -1,9 +1,4 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}: {
+{config, ...}: {
   # Associates each known client to a unique password
   age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age;
 
@@ -12,7 +7,7 @@
   services.hostapd = {
     enable = true;
     radios.wlan1 = {
-      hwMode = "g";
+      band = "2g";
       countryCode = "DE";
       channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
       wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
@@ -22,7 +17,8 @@
         apIsolate = true;
         authentication = {
           saePasswordsFile = config.age.secrets.wifi-clients.path;
-          saeAddToMacAllow = true;
+          # TODO reenable when nixpkgs#245413 is merged
+          # saeAddToMacAllow = true;
           enableRecommendedPairwiseCiphers = true;
         };
         bssid = "00:c0:ca:b1:4f:9f";

hosts/zackbiene/kea.nix

@@ -0,0 +1,43 @@
+{
+  lib,
+  utils,
+  ...
+}: let
+  inherit (lib) net;
+  iotCidrv4 = "10.0.90.0/24";
+in {
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+      valid-lifetime = 4000;
+      renew-timer = 1000;
+      rebind-timer = 2000;
+      interfaces-config = {
+        interfaces = ["wlan1"];
+        service-sockets-max-retries = -1;
+      };
+      subnet4 = [
+        {
+          interface = "wlan1";
+          subnet = iotCidrv4;
+          pools = [
+            {pool = "${net.cidr.host 20 iotCidrv4} - ${net.cidr.host (-6) iotCidrv4}";}
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = net.cidr.host 1 iotCidrv4;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wlan1"}.device"];
+}

hosts/zackbiene/net.nix

@@ -32,6 +32,16 @@ in {
         (lib.net.cidr.hostCidr 1 iotCidrv6)
       ];
       matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
+      networkConfig = {
+        IPForward = "yes";
+        IPv6PrivacyExtensions = "yes";
+        IPv6SendRA = true;
+        MulticastDNS = true;
+      };
+      # Announce a static prefix
+      ipv6Prefixes = [
+        {ipv6PrefixConfig.Prefix = iotCidrv6;}
+      ];
       linkConfig.RequiredForOnline = "no";
     };
   };

hosts/zackbiene/nginx.nix

@@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: {
-  age.secrets."selfcert.crt" = {
-    rekeyFile = ./secrets/selfcert.crt.age;
-    mode = "440";
-    group = "nginx";
-  };
-  age.secrets."selfcert.key" = {
-    rekeyFile = ./secrets/selfcert.key.age;
-    mode = "440";
-    group = "nginx";
-  };
-
-  #security.acme.acceptTerms = true;
-  #security.acme.defaults.email = "admin+acme@example.com";
-  services.nginx.enable = true;
-}

hosts/zackbiene/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVBhqJKfIBWOwXHGNjlskKMIpCuL3qjOjKiXyF8hkGT
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaKQa+gcGMvtm9d1LM11lvsXRtE3Tvo+o40nG+eXYgo

hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 GORopMcTgwBFuvljV/6TrebfoW4aL13meWOk0tjX2Fg
+A9OOzSPEqT8dPNYeKHcvVVdZOfYMnEzaSdudKzyals4
+-> piv-p256 xqSe8Q As7KMtJM+NWObNYdVxTjfePy8MThyA6PkOv32lvMNbth
+LkC4vtpHWjizzs3qEyJF+L5yBniMH9XdMH6Y/H5RfTc
+-> WQ0T*-grease ;xyW-]= 5tB %=C(B9M jM<jH1
+OVWNxQR0ExMSLB9+AM/jq5I1df7Dvcs/JBAlp1m3WCir+qbwc+CJSV1Hbphyw+7a
+h3uw+bd8lhGqa7Ig8JPRpRuDUWA92d/RKzGWGjXEIreeUXPuU6ssHAg5yDnWINDU
+L3M
+--- /zsULNtPqVAFPr8wPDODnlkWK5sITH30ZJ7BK11Sius
+ÆP�_'Ü7Å€Á£+B½©ëÊHFi9|@Èg
(ß;DÛ Ž~ÊÕ	zlòJk³»_�wfž¦¦ÒEftY\‘)‰:Âرa+4

hosts/zackbiene/secrets/telegraf-influxdb-token.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4
+KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU
+-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o
+SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk
+-> e\9`z-grease
+PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa
+RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF
+6g
+--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE
+¶ßÌÚÝp 6SD´…˜W(¶YRÜ3ƒs_Ûª/2g}Äܶ§W?ub
+)‘¯/û,{÷&ƒFÿ-ŒØ5£ß/u.�p¬	\%ÊÉŸæ—üï4qÓ‰�ðÛ˜yKQk4W™3÷ËŒ
+
§Óˆ[Áþ°t‡__4y× ±q�¬^/Fש*

secrets/wireguard/proxy-sentinel/keys/zackbiene.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 yiNmRDhm4J2Kbdl23JqK806GwpAyxxhyPD7UzwQOd14
+YdtV6fwtI8Hi/Fl3viJa6Kdlg6jipWX8qY9yZ7AvCYk
+-> piv-p256 xqSe8Q AxvoyuMwR6SeHcqsLOLFxaXHJnjGePz+ROnwlWDiUSgP
+B4lYcmboqDpr747GYCFAGWXfOvpHK04uyM5UbEeNORI
+-> x4pfd28-grease f+4S \
+BuQCPPOZhXqwnKl74fCB4eF5LYtULBuGiYX4BCOrS+sNP5svpj2pnGFvA5/VAJqv
+9NE3mc0a9B41xJMSISdomiU
+--- 3bUnrQO3LUeKPFet5T2s9XAe455gONeBR6TiIN0nf0Q
+÷�«è{¨j­DÃË–IØä]ð'ñ7ÕK‹—™–EÞ
¸mU"\¬^Õ'}`K4º†A‘†%®ïŒ÷
­ÖP¢%Mý+¤Óå�GòÃ'Œ¹ù

secrets/wireguard/proxy-sentinel/keys/zackbiene.pub

@@ -0,0 +1 @@
+m92MMTe8d8vtfKcRxel+8ptDcFFILyvzOThTt2rdiWU=