Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix9
-rw-r--r--hosts/vidhar/network/dhcp/default.nix93
-rw-r--r--hosts/vidhar/network/ruleset.nft16
3 files changed, 67 insertions, 51 deletions
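--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -103,7 +103,14 @@ with lib;
 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
 '';
 };
-settings.nfsd.vers3 = false;
+settings.nfsd = {
+rdma = true;
+vers3 = false;
+vers4 = true;
+"vers4.0" = false;
+"vers4.1" = false;
+"vers4.2" = true;
+};
 };
 
 fileSystems = {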
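Review bot: `rdma = true` on new line 107 turns on the NFS-over-RDMA transport next to TCP, so the nix-store export gains a second listener (nfs-utils puts it on port 20049 by default) that has to be filtered the same way as 2049; whether this host has an RDMA-capable NIC and whether ruleset.nft covers that port is not visible in this diff. The export on line 103 is `ro` with `root_squash`, so the exposure is read access to the store, but the block should still record why RDMA is wanted and why only minor version 4.2 is enabled, e.g. `# NFSv4.2 only (4.0/4.1 off); rdma adds a second listener on 20049 — keep the firewall rules in sync`. The enclosing attribute set starts before the hunk.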
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index f36d0c7f..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -5,6 +5,7 @@ with lib;
5let 5let
6 nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil"; 6 nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
7 tftpIp = "10.141.0.1"; 7 tftpIp = "10.141.0.1";
8 nfsIp = tftpIp;
8 ipxe = pkgs.ipxe.override { 9 ipxe = pkgs.ipxe.override {
9 additionalTargets = { 10 additionalTargets = {
10 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; 11 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
@@ -305,32 +306,30 @@ in {
305 pkgs.symlinkJoin { 306 pkgs.symlinkJoin {
306 name = "installer-${system}"; 307 name = "installer-${system}";
307 paths = [ 308 paths = [
308 (let 309 (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
309 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { 310 installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
310 modules = [ 311 modules = [
311 ({ ... }: { 312 ({ ... }: {
312 config.nfsroot.storeDevice = "${tftpIp}:nix-store"; 313 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
313 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration"; 314 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
315 config.system.nixos.label = "installer-${system}";
314 }) 316 })
315 ]; 317 ];
316 }).config.system.build; 318 });
317 in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' 319 installerBuild = installerBuild'.config.system.build;
320 in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
318 mkdir -p $out/installer-${system} 321 mkdir -p $out/installer-${system}
319 install -m 0444 -t $out/installer-${system} \ 322 install -m 0444 -t $out/installer-${system} \
320 ${installerBuild.initialRamdisk}/initrd \ 323 ${installerBuild.initialRamdisk}/initrd \
321 ${installerBuild.kernel}/bzImage \ 324 ${installerBuild.kernel}/bzImage \
322 ${installerBuild.netbootIpxeScript}/netboot.ipxe \ 325 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
323 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration 326 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
324 '')) 327 install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
325 (pkgs.writeTextFile {
326 name = "installer-${system}.menu.ipxe";
327 destination = "/installer-${system}.menu.ipxe";
328 text = ''
329 #!ipxe 328 #!ipxe
330 329
331 :start 330 :start
332 menu iPXE boot menu for installer-${system} 331 menu iPXE boot menu for installer-${system}
333 item installer installer-${system} 332 item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
334 item memtest memtest86plus 333 item memtest memtest86plus
335 item netboot netboot.xyz 334 item netboot netboot.xyz
336 item shell iPXE shell 335 item shell iPXE shell
@@ -352,8 +351,8 @@ in {
352 :memtest 351 :memtest
353 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 352 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
354 goto start 353 goto start
355 ''; 354 ''} $out/installer-${system}.menu.ipxe
356 }) 355 '')))
357 ]; 356 ];
358 }) ["x86_64-linux"] 357 }) ["x86_64-linux"]
359 ) ++ [ 358 ) ++ [
@@ -365,15 +364,17 @@ in {
365 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi 364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
366 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn 365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
367 '') 366 '')
368 (let 367 (builtins.addErrorContext "while evaluating eostre" (let
369 eostreBuild = (flake.nixosConfigurations.eostre.extendModules { 368 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
370 modules = [ 369 modules = [
371 ({ ... }: { 370 ({ ... }: {
372 config.nfsroot.storeDevice = "${tftpIp}:nix-store"; 371 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
373 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration"; 372 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
373 config.system.nixos.label = "eostre";
374 }) 374 })
375 ]; 375 ];
376 }).config.system.build; 376 });
377 eostreBuild = eostreBuild'.config.system.build;
377 in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' 378 in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
378 mkdir -p $out/eostre 379 mkdir -p $out/eostre
379 install -m 0444 -t $out/eostre \ 380 install -m 0444 -t $out/eostre \
@@ -381,43 +382,39 @@ in {
381 ${eostreBuild.kernel}/bzImage \ 382 ${eostreBuild.kernel}/bzImage \
382 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ 383 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
383 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration 384 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
384 '')) 385 install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
385 (pkgs.writeTextFile { 386 #!ipxe
386 name = "eostre.menu.ipxe";
387 destination = "/eostre.menu.ipxe";
388 text = ''
389 #!ipxe
390 387
391 set menu-timeout 5000 388 set menu-timeout 5000
392 389
393 :start 390 :start
394 menu iPXE boot menu for eostre 391 menu iPXE boot menu for eostre
395 item eostre eostre 392 item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
396 item memtest memtest86plus 393 item memtest memtest86plus
397 item netboot netboot.xyz 394 item netboot netboot.xyz
398 item shell iPXE shell 395 item shell iPXE shell
399 choose --timeout ''${menu-timeout} --default eostre selected || goto shell 396 choose --timeout ''${menu-timeout} --default eostre selected || goto shell
400 set menu-timeout 0 397 set menu-timeout 0
401 goto ''${selected} 398 goto ''${selected}
402 399
403 :shell 400 :shell
404 set menu-timeout 0 401 set menu-timeout 0
405 shell 402 shell
406 goto start 403 goto start
407 404
408 :eostre 405 :eostre
409 chain eostre/netboot.ipxe 406 chain eostre/netboot.ipxe
410 goto start 407 goto start
411 408
412 :netboot 409 :netboot
413 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn 410 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
414 goto start 411 goto start
415 412
416 :memtest 413 :memtest
417 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 414 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
418 goto start 415 goto start
419 ''; 416 ''} $out/eostre.menu.ipxe
420 }) 417 '')))
421 ]; 418 ];
422 }; 419 };
423 }; 420 };
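Review bot: The installer block (new lines 309–355) and the eostre block (new lines 367–417) are now the same shape line for line — `extendModules` setting storeDevice, registrationUrl and label, a `runCommandLocal` installing initrd, bzImage, netboot.ipxe and registration, then a `writeText` menu — so every edit in this commit had to be applied twice, and the two already drift (`set menu-timeout 5000` exists only in the eostre menu, new line 388). A helper in the `let` at the top of the file, taking the entry name, the NixOS configuration and a function producing the menu text from the extended configuration, would keep them in step, and the installer `map` over systems and the eostre entry would each become one call. Both blocks begin and end inside the hunks shown, but the top-level `let` and the surrounding `symlinkJoin` list continue outside them.
```nix
# … unchanged: nfsrootBaseUrl, tftpIp, nfsIp, ipxe bindings …
mkNetbootEntry = { name, configuration, menu }:
  builtins.addErrorContext "while evaluating ${name}" (let
    build' = configuration.extendModules {
      modules = [
        ({ ... }: {
          config.nfsroot.storeDevice = "${nfsIp}:nix-store";
          config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/${name}/registration";
          config.system.nixos.label = name;
        })
      ];
    };
    build = build'.config.system.build;
  in builtins.toPath (pkgs.runCommandLocal name {} ''
    mkdir -p $out/${name}
    install -m 0444 -t $out/${name} \
      ${build.initialRamdisk}/initrd \
      ${build.kernel}/bzImage \
      ${build.netbootIpxeScript}/netboot.ipxe \
      ${pkgs.closureInfo { rootPaths = build.storeContents; }}/registration
    install -m 0444 ${pkgs.writeText "${name}.menu.ipxe" (menu build')} $out/${name}.menu.ipxe
  ''));
# … unchanged: symlinkJoin paths; each entry becomes a single call such as
#   (mkNetbootEntry { name = "eostre"; configuration = flake.nixosConfigurations.eostre; menu = eostreMenu; })
```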
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 1edae167..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
60 counter fw-lo {} 60 counter fw-lo {}
61 counter fw-lan {} 61 counter fw-lan {}
62 counter fw-gpon {} 62 counter fw-gpon {}
63 counter fw-kimai {}
63 64
64 counter fw-cups {} 65 counter fw-cups {}
65 66
@@ -94,6 +95,8 @@ table inet filter {
94 counter immich-rx {} 95 counter immich-rx {}
95 counter paperless-rx {} 96 counter paperless-rx {}
96 counter hledger-rx {} 97 counter hledger-rx {}
98 counter audiobookshelf-rx {}
99 counter kimai-rx {}
97 100
98 counter established-rx {} 101 counter established-rx {}
99 102
@@ -125,6 +128,8 @@ table inet filter {
125 counter immich-tx {} 128 counter immich-tx {}
126 counter paperless-tx {} 129 counter paperless-tx {}
127 counter hledger-tx {} 130 counter hledger-tx {}
131 counter audiobookshelf-tx {}
132 counter kimai-tx {}
128 133
129 counter tx {} 134 counter tx {}
130 135
@@ -148,8 +153,13 @@ table inet filter {
148 153
149 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 154 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
150 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 155 iifname lan oifname { gpon, bifrost } counter name fw-lan accept
156 iifname ve-kimai oifname gpon counter name fw-kimai accept
151 157
152 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 158 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
159 iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
160
161 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
162 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
153 163
154 164
155 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 165 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -203,6 +213,7 @@ table inet filter {
203 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept 213 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
204 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept 214 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
205 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept 215 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
216 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
206 217
207 ct state { established, related } counter name established-rx accept 218 ct state { established, related } counter name established-rx accept
208 219
@@ -254,6 +265,7 @@ table inet filter {
254 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept 265 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
255 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept 266 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
256 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept 267 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
268 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
257 269
258 270
259 counter name tx 271 counter name tx
@@ -262,7 +274,7 @@ table inet filter {
262 274
263table inet nat { 275table inet nat {
264 counter gpon-nat {} 276 counter gpon-nat {}
265 # counter container-nat {} 277 counter kimai-nat {}
266 278
267 chain postrouting { 279 chain postrouting {
268 type nat hook postrouting priority srcnat 280 type nat hook postrouting priority srcnat
@@ -270,7 +282,7 @@ table inet nat {
270 282
271 283
272 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 284 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
273 # iifname ve-* oifname gpon counter name container-nat masquerade 285 iifname ve-kimai oifname gpon counter name kimai-nat masquerade
274 } 286 }
275} 287}
276 288
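Review bot: The `kimai-nat` masquerade on new line 285 can only ever act on IPv6: the `gpon-nat` rule on line 284 already masquerades every IPv4 packet leaving gpon, and masquerade is a terminal statement, so IPv4 from ve-kimai never reaches line 285. For IPv6 that means the container's global address 2a03:4000:52:ada:6::2 (the address the bifrost rules on lines 161–162 expect) is rewritten to gpon's address on the way out; if that is not intended, `meta nfproto ipv4 iifname ve-kimai oifname gpon counter name kimai-nat masquerade` restricts it, at which point the rule is redundant with gpon-nat apart from its per-container counter. Separately, line 156 accepts anything from ve-kimai to gpon with no port or state qualifier, whereas the other service rules in this file pin ports and peers; narrowing it to what the container actually needs bounds what a compromised container can reach. The chain holding lines 154–165 and the `postrouting` chain both extend outside the hunks.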