diff --git a/hosts/common/bios-boot.nix b/hosts/common/bios-boot.nix
new file mode 100644
index 0000000..e578418
--- /dev/null
+++ b/hosts/common/bios-boot.nix
@@ -0,0 +1,10 @@
+{lib, ...}: {
+ boot.loader = {
+ grub = {
+ enable = true;
+ efiSupport = false;
+ };
+ timeout = lib.mkDefault 2;
+ };
+ console.earlySetup = true;
+}
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index 0149f93..a12bff1 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -1,10 +1,10 @@
{
+ config,
extraLib,
inputs,
lib,
- nodeName,
nodePath,
- options,
+ pkgs,
...
}: {
# IP address math library
@@ -290,7 +290,14 @@
};
boot = {
- initrd.systemd.enable = true;
+ initrd.systemd = {
+ enable = true;
+ emergencyAccess = config.repo.secrets.global.root.hashedPassword;
+ # TODO good idea? targets.emergency.wants = ["network.target" "sshd.service"];
+ extraBin = with pkgs; {
+ ip = "${iproute2}/bin/ip";
+ };
+ };
# Add "rd.systemd.unit=rescue.target" to debug initrd
kernelParams = ["log_buf_len=10M"];
diff --git a/hosts/common/hardware/hetzner-cloud.nix b/hosts/common/hardware/hetzner-cloud.nix
new file mode 100644
index 0000000..7558c0c
--- /dev/null
+++ b/hosts/common/hardware/hetzner-cloud.nix
@@ -0,0 +1,3 @@
+{
+ boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
+}
diff --git a/hosts/common/hardware/odroid-n2plus.nix b/hosts/common/hardware/odroid-n2plus.nix
new file mode 100644
index 0000000..ab73d1f
--- /dev/null
+++ b/hosts/common/hardware/odroid-n2plus.nix
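Review bot: The new bios-boot.nix enables GRUB but deliberately leaves `boot.loader.grub.devices` to the importing host (sentinel/default.nix in this commit still sets it), and nothing in the file says so; a second host importing it without that line would get an enabled GRUB with no install target. A one-line header comment makes the contract explicit: `# Shared BIOS/GRUB boot settings; each importing host must still set boot.loader.grub.devices.`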
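Review bot: `emergencyAccess = config.repo.secrets.global.root.hashedPassword` copies that password hash into the initrd image, which sits on the GRUB boot partition; on sentinel that partition is presumably unencrypted (the LUKS pool is unlocked from the initrd via initrd-ssh), so anyone who can read the disk or a cloud snapshot obtains the hash for offline cracking, and if, as the name suggests, the same secret backs the real root account, a successful crack yields the system root password rather than only the emergency shell. A hash dedicated to the emergency shell, kept separate from the root account's, limits that blast radius; at minimum the line deserves a comment such as `# NOTE: this hash is embedded in the initrd on the boot partition, which is readable without unlocking LUKS.` The `# TODO good idea?` line about pulling `sshd.service` into `emergency.target` should be resolved or moved to a tracker rather than left as a dead comment inside a security-sensitive block. The enclosing `boot = { ... }` attribute set continues past the hunk.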
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ nixos-hardware,
+ pkgs,
+ ...
+}: {
+ imports = [
+ nixos-hardware.common-pc-ssd
+ ./physical.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "usbhid"
+ "usb_storage"
+ # Ethernet
+ "dwmac_generic"
+ "dwmac_meson8b"
+ "cfg80211"
+ # HDMI
+ "snd_soc_meson_g12a_tohdmitx"
+ "snd_soc_meson_g12a_toacodec"
+ "mdio_mux_meson_g12a"
+ "dw_hdmi"
+ "meson_vdec"
+ "meson_dw_hdmi"
+ "meson_drm"
+ "meson_rng"
+ "drm"
+ "display_connector"
+ ];
+ boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
+}
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 3ab2d0b..a96e2b7 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -5,6 +5,8 @@
}: {
imports = [
../common/core
+ ../common/hardware/hetzner-cloud.nix
+ ../common/bios-boot.nix
../common/initrd-ssh.nix
../common/zfs.nix
@@ -13,11 +15,5 @@
./nginx.nix
];
- boot.loader.timeout = lib.mkDefault 2;
- boot.loader.grub = {
- enable = true;
- efiSupport = false;
- devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
- };
- console.earlySetup = true;
+ boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
}
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
index 7d4038e..1714055 100644
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@@ -1,6 +1,5 @@
{
config,
- lib,
extraLib,
pkgs,
...
@@ -40,6 +39,7 @@
};
};
+ boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
fileSystems."/persist".neededForBoot = true;
# After importing the rpool, rollback the root system to be empty.
diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
index c2369ca..cff7a1e 100644
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
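Review bot: `lib`, `config` and `pkgs` are bound in odroid-n2plus.nix's argument pattern but never used anywhere in the file; only `nixos-hardware` is referenced, in the imports list. Trimming the pattern to `{nixos-hardware, ...}: {` keeps the module honest about its dependencies, matching the minimal `{lib, ...}:` pattern the new bios-boot.nix uses.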
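Review bot: With `boot.loader.timeout = lib.mkDefault 2` removed from sentinel/default.nix, `lib` is no longer referenced in the visible part of this file; if the module's argument pattern (outside the hunk, at the top of the file) still binds it, drop it the way fs.nix in this same commit drops its unused `lib`. The remaining `boot.loader.grub.devices` line is the correct per-host complement to the shared bios-boot.nix module, which intentionally does not set it.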
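Review bot: `boot.initrd.luks.devices.enc-rpool.allowDiscards = true` passes TRIM through dm-crypt, which lets anyone who can read the raw block device (the cloud provider, or anyone holding a disk snapshot) see which sectors of the encrypted pool are in use, i.e. the real usage and allocation pattern behind the encryption; the NixOS option description itself flags this as having security implications. That is a common and defensible trade for SSD health, but it should be a recorded decision rather than a bare line: `# TRIM passthrough reveals the used/free block layout of the encrypted pool to anyone reading the raw disk; accepted for SSD longevity.` Note also that this only permits discards; unless the pool actually issues them (ZFS autotrim or a periodic trim), the setting changes nothing either way, so the comment should say where trimming is triggered.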
@@ -20,6 +20,15 @@
icfg.hostCidrv6
];
gateway = ["fe80::1"];
+ routes = [
+ {routeConfig = {Destination = "172.31.1.1";};}
+ {
+ routeConfig = {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ };
+ }
+ ];
matchConfig.MACAddress = icfg.mac;
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
diff --git a/hosts/sentinel/secrets/host.pub b/hosts/sentinel/secrets/host.pub
new file mode 100644
index 0000000..c7bc451
--- /dev/null
+++ b/hosts/sentinel/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index c5de8ef..acf8c42 100644
Binary files a/hosts/sentinel/secrets/local.nix.age and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index 54b21dd..9fb5c17 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -6,10 +6,8 @@
...
}: {
imports = [
- nixos-hardware.common-pc-ssd
- ../common/core
- ../common/hardware/physical.nix
+ ../common/hardware/odroid-n2plus.nix
#../common/initrd-ssh.nix
../common/zfs.nix
@@ -25,28 +23,10 @@
./zigbee2mqtt.nix
];
+ # TODO replace by bios-boot.nix
+ # and grub.devices = ... once disko is in use.
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
- boot.initrd.availableKernelModules = [
- "usbhid"
- "usb_storage"
- # Ethernet
- "dwmac_generic"
- "dwmac_meson8b"
- "cfg80211"
- # HDMI
- "snd_soc_meson_g12a_tohdmitx"
- "snd_soc_meson_g12a_toacodec"
- "mdio_mux_meson_g12a"
- "dw_hdmi"
- "meson_vdec"
- "meson_dw_hdmi"
- "meson_drm"
- "meson_rng"
- "drm"
- "display_connector"
- ];
- boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
console.earlySetup = true;
# Fails if there are no SMART devices
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 2998167..f9b41dc 100644
--- a/modules/wireguard.nix
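Review bot: The two new routes carry no explanation of `172.31.1.1`, which a later reader will not recognise as anything but a private-range address; presumably it is the cloud provider's IPv4 gateway, and the `GatewayOnLink = true` on the default route shows the author knows it is not inside the host's own prefix. A comment above `routes = [` such as `# Provider IPv4 gateway; it is outside our prefix, so the default route must mark it on-link` would capture that. The separate host route `{routeConfig = {Destination = "172.31.1.1";};}` is likely redundant once `GatewayOnLink` is set on the default route; if it is kept on purpose (for example because the provider's documentation lists both), say so in the same comment. The enclosing network unit continues outside the hunk on both sides.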
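Review bot: Please confirm that hosts/zackbiene/default.nix still imports `../common/core` after this change: as the hunk is rendered here, `- ../common/core` appears alongside the removed `nixos-hardware.common-pc-ssd` and `../common/hardware/physical.nix`, which would silently drop every core module (including the initrd settings from system.nix) from this host. Since the new odroid-n2plus.nix imports exactly those two other entries and sentinel/default.nix keeps `../common/core`, this is more plausibly a removed blank line followed by the unchanged core import, but the collapsed rendering does not let me tell the two apart. The `#../common/initrd-ssh.nix` entry stays commented out; a short note beside it saying why this board goes without it would help the next reader.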
+++ b/modules/wireguard.nix
@@ -26,6 +26,7 @@
mkOption
optionalAttrs
optionals
+ stringLength
types
;
@@ -132,6 +133,10 @@
assertion = isClient -> ((wgCfgOf wgCfg.client.via).server.host != null);
message = "${assertionPrefix}: The specified via node '${wgCfg.client.via}' must be a wireguard server.";
}
+ {
+ assertion = stringLength wgCfg.linkName < 16;
+ message = "${assertionPrefix}: The specified linkName '${wgCfg.linkName}' is too long (must be max 15 characters).";
+ }
# TODO at least 3 network participants and (externalPeers != {} or someone has via set to us) -> ip forwarding
];
@@ -331,7 +336,7 @@ in {
};
linkName = mkOption {
- default = "wg-${name}";
+ default = name;
type = types.str;
description = mdDoc "The name for the created network interface.";
};
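Review bot: The `< 16` literal in the new assertion encodes the kernel's IFNAMSIZ (16 bytes including the terminating NUL) without saying so, so a reader will wonder why the limit is 15 rather than 16; add `# IFNAMSIZ is 16 including the NUL terminator, so at most 15 bytes are usable` above the assertion. To my knowledge `stringLength` counts bytes, which is the right unit since the kernel limit is in bytes, but the message speaks of characters; `message = "${assertionPrefix}: The specified linkName '${wgCfg.linkName}' is too long (must be at most 15 bytes).";` would match the check. This guard matters more because the `linkName` default further down the file changes from `"wg-${name}"` to bare `name`, which both allows longer names through and drops the prefix that kept WireGuard links visually distinct from other interfaces; that naming-policy change deserves a sentence in the option's description. The assertions list continues outside the hunk.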