From b68021b3a4b03245728d8cca2e9e0257085ad14c Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 12 Feb 2023 03:40:24 +0100 Subject: [PATCH] chore: use agenix, enable initrd networking --- flake.lock | 88 ++++++++++++++-------------------------- flake.nix | 24 +++++++++-- hosts/nom/net.nix | 6 ++- hosts/ward/net.nix | 11 ++--- modules/core/default.nix | 3 +- modules/core/ssh.nix | 13 ++++++ nix/colmena.nix | 4 +- nix/overlay.nix | 13 +----- 8 files changed, 79 insertions(+), 83 deletions(-) diff --git a/flake.lock b/flake.lock index bac54ce..0605b02 100644 --- a/flake.lock +++ b/flake.lock @@ -2,17 +2,17 @@ "nodes": { "agenix": { "inputs": { + "darwin": "darwin", "nixpkgs": [ - "ragenix", "nixpkgs" ] }, "locked": { - "lastModified": 1673301561, - "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "lastModified": 1676134447, + "narHash": "sha256-PU+6hKp7wbxCCRF5RO5g//Q0G+Rhbj92VrprvXtTOlc=", "owner": "ryantm", "repo": "agenix", - "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", + "rev": "6053c559c59ca0ebd57330cd356964f85befaff8", "type": "github" }, "original": { @@ -26,11 +26,11 @@ "flake-utils": "flake-utils" }, "locked": { - "lastModified": 1675778630, - "narHash": "sha256-RS69eIBvUrH8wUYYQiwcc8TMOQH52xd6e5NaoDEr4zw=", + "lastModified": 1676148182, + "narHash": "sha256-oyZpFRBMluuD0TFPGE3FredFdXvbgvyUiX6nziPjX0k=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "8602e836b406af6e06ef2b3b78ff8eb7569e2e4d", + "rev": "100a27170a2943288ede749efde41e22d524370e", "type": "github" }, "original": { 
@@ -64,6 +64,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -257,33 +279,9 @@ "type": "github" } }, - "ragenix": { - "inputs": { - "agenix": "agenix", - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1675293936, - "narHash": "sha256-xaObOxlMiZ8noXbXWfoUJrCjVZ8oc9HBblc/MeCq7fc=", - "owner": "yaxitech", - "repo": "ragenix", - "rev": "325733b734aa4cc4d6b19f1169e6672cad4128ca", - "type": "github" - }, - "original": { - "owner": "yaxitech", - "repo": "ragenix", - "type": "github" - } - }, "root": { "inputs": { + "agenix": "agenix", "agenix-rekey": "agenix-rekey", "colmena": "colmena", "flake-utils": "flake-utils_2", @@ -292,35 +290,9 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", - "ragenix": "ragenix", "templates": "templates" } }, - "rust-overlay": { - "inputs": { - "flake-utils": [ - "ragenix", - "flake-utils" - ], - "nixpkgs": [ - "ragenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673662873, - "narHash": "sha256-/YOtiDKPUXKKpIhsAds11llfC42ScGW27bbHnNZebco=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "90163bbbadce526f8b248a5fe545b06c59597108", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "stable": { "locked": { "lastModified": 1669735802, diff --git a/flake.nix b/flake.nix index 960af85..58215e9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -25,9 +25,8 @@
 };
 agenix-rekey.url = "github:oddlama/agenix-rekey";
- ragenix = {
- url = "github:yaxitech/ragenix";
- inputs.flake-utils.follows = "flake-utils";
+ agenix = {
+ url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
@@ -60,7 +59,24 @@
 config.allowUnfree = true;
 };
- apps = agenix-rekey.defineApps self pkgs self.nodes;
+ apps =
+ agenix-rekey.defineApps self pkgs self.nodes
+ // {
+ generate-initrd-keys = flake-utils.mkApp {
+ drv = let
+ generateHostKey = node: ''
+ if [[ ! -f ${node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
+ ssh-keygen -t ed25519 -N "" -f /tmp/1
+ TODO
+ fi
+ '';
+ in
+ pkgs.writeShellScript "generate-initrd-keys" ''
+ set -euo pipefail
+ ${pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList generateHostKey self.nodes)}
+ '';
+ };
+ };
 checks = import ./nix/checks.nix inputs system;
 devShells.default = import ./nix/dev-shell.nix inputs system;
 formatter = pkgs.alejandra;
diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix
index 556516f..d7f37da 100644
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@@ -5,15 +5,17 @@
 };
 systemd.network.networks = {
- wired = {
+ "10-lan0" = {
 DHCP = "yes";
 matchConfig.MACAddress = "00:00:00:00:00:00";
+ networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
- wireless = {
+ "10-wlan0" = {
 DHCP = "yes";
 matchConfig.MACAddress = "00:00:00:00:00:00";
+ networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 40;
 dhcpV6Config.RouteMetric = 40;
 };
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 7f82a24..e871ef6 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
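Review bot: The `! -f` guard in `generateHostKey` cannot do what it is there for: `${node.config.rekey.secrets.initrd_host_ed25519_key.file}` interpolates what modules/core/ssh.nix in this same commit assigns as a Nix path literal, and interpolating a path value copies it into the store at evaluation time, so a missing `.age` file fails evaluation before the test is ever reached (unless agenix-rekey turns the option into a plain string, which I cannot see from here). The generation step then writes the freshly made private key to the fixed name `/tmp/1` in the shared temp directory, and the bare `TODO` on the next line is executed as a command, which under `set -euo pipefail` aborts the script after the first host instead of continuing. I would compare against `toString` of the path, keep the key in a `mktemp -d` directory that is removed again in the same snippet, and leave the encryption into the `.age` target as an explicit comment until it exists:
```nix
generateHostKey = node: ''
  if [[ ! -f ${toString node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
    tmp=$(mktemp -d)
    ssh-keygen -t ed25519 -N "" -f "$tmp/initrd_host_ed25519_key"
    # TODO: encrypt "$tmp/initrd_host_ed25519_key" into the .age file named above before it is discarded
    rm -rf "$tmp"
  fi
'';
# … unchanged: writeShellScript wrapper and concatStringsSep over self.nodes …
```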
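Review bot: After the rename, `10-lan0` and `10-wlan0` still carry the identical `[Match]` section (`MACAddress = "00:00:00:00:00:00"`), so the two units are not distinguishable by networkd: it applies the first `.network` file in alphanumeric order whose Match fits, and with equal match sections the second unit and its metric 40 can never be selected; the same holds for `10-lan0`/`10-lan1` in the hosts/ward/net.nix hunk, where the new metric 20 on lan1 depends on that distinction. If the all-zero address is a placeholder to be replaced per interface, a comment on each unit would keep this from being deployed unchanged, e.g. `# placeholder: set the interface's real MAC before deploying`; otherwise matching on `Name` would be the unambiguous choice.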
@@ -1,21 +1,22 @@
 {
 networking = {
 hostId = "49ce3b71";
- wireless.iwd.enable = true;
 };
 systemd.network.networks = {
- enp1s0 = {
+ "10-lan0" = {
 DHCP = "yes";
 matchConfig.MACAddress = "00:00:00:00:00:00";
+ networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
- enp2s0 = {
+ "10-lan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = "00:00:00:00:00:00";
- dhcpV4Config.RouteMetric = 10;
- dhcpV6Config.RouteMetric = 10;
+ networkConfig.IPv6PrivacyExtensions = "kernel";
+ dhcpV4Config.RouteMetric = 20;
+ dhcpV6Config.RouteMetric = 20;
 };
 };
 }
diff --git a/modules/core/default.nix b/modules/core/default.nix
index cc34444..48fedbd 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -46,7 +46,8 @@ in {
 };
 networking = {
- useDHCP = lib.mkForce false;
+ # FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that.
+ useDHCP = true;
 useNetworkd = true;
 wireguard.enable = true;
 dhcpcd.enable = false;
diff --git a/modules/core/ssh.nix b/modules/core/ssh.nix
index 9ac72ab..5f38355 100644
--- a/modules/core/ssh.nix
+++ b/modules/core/ssh.nix
@@ -1,4 +1,17 @@
 {
+ config,
+ name,
+ ...
+}: {
+ rekey.secrets.initrd_host_ed25519_key.file = ../../hosts/${name}/initrd_host_ed25519_key.age;
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 4;
+ hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
+ };
+
 services.sshd.enable = true;
 services.openssh = {
 enable = true;
diff --git a/nix/colmena.nix b/nix/colmena.nix
index 92402f3..7445c59 100644
--- a/nix/colmena.nix
+++ b/nix/colmena.nix
@@ -5,7 +5,7 @@
 #impermanence,
 nixos-hardware,
 nixpkgs,
- ragenix,
+ agenix,
 agenix-rekey,
 templates,
 ...
@@ -28,7 +28,7 @@ with nixpkgs.lib; let
 (../hosts + "/${hostName}")
 home-manager.nixosModules.default
 #impermanence.nixosModules.default
- ragenix.nixosModules.age
+ agenix.nixosModules.default
 agenix-rekey.nixosModules.default
 ];
 };
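Review bot: The FIXME on `useDHCP = true` says why the setting stays but not what it does alongside `useNetworkd = true`: as far as I recall NixOS then generates a catch-all `.network` unit that enables DHCP on every ethernet interface not claimed by a more specific unit, which makes it the effective configuration on any host whose MAC-matched units do not apply. Worth stating in the comment so the fallback is a known property rather than a surprise, e.g. `# Under networkd this also yields a catch-all DHCP unit for every unmatched ethernet interface.`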
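Review bot: The new `boot.initrd.network.ssh` block needs a comment on where its key material ends up: NixOS copies `hostKeys` into the initrd (through initrd secrets where the bootloader supports them), so the decrypted key is embedded in the image under `/boot`, outside the agenix-managed location, and the path given in `hostKeys` has to exist on the deploying side when the boot entry is generated, which presumably is not yet the case on a fresh host before agenix has decrypted anything. The commit rightly uses a dedicated initrd key instead of the main host key; I would say so next to it, e.g. `# Dedicated initrd key: it is embedded in the initrd (readable from /boot), never reuse the main host key here.` The hunk also sets no `authorizedKeys` for the initrd sshd, which as far as I recall defaults to root's `openssh.authorizedKeys.keys`; a one-line comment stating that this is relied on would make the early-boot access policy explicit. The `services.openssh` attribute set continues past the end of the hunk.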
diff --git a/nix/overlay.nix b/nix/overlay.nix index 1044f44..9210fcc 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -1,17 +1,8 @@ -{ - nixpkgs, - ragenix, - ... -}: +{nixpkgs, ...}: with nixpkgs.lib; let localOverlays = mapAttrs' (f: _: nameValuePair (removeSuffix ".nix" f) (import (./overlays + "/${f}"))) (builtins.readDir ./overlays); in - localOverlays - // { - default = - composeManyExtensions ((attrValues localOverlays) - ++ [ragenix.overlays.default]); - } + localOverlays // {default = composeManyExtensions (attrValues localOverlays);}