3 files changed, 150 insertions, 74 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 0643f0bb..92d755f3 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -103,7 +103,14 @@ with lib;
          /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
        '';
      };
-      settings.nfsd.vers3 = false;
+      settings.nfsd = {
+        rdma = true;
+        vers3 = false;
+        vers4 = true;
+        "vers4.0" = false;
+        "vers4.1" = false;
+        "vers4.2" = true;
+      };
    };
    fileSystems = {
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 4151111d..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -1,9 +1,32 @@
-{ flake, config, pkgs, lib, ... }:
+{ flake, config, pkgs, lib, sources, ... }:
 with lib;
 let
  nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
+  tftpIp = "10.141.0.1";
+  nfsIp = tftpIp;
+  ipxe = pkgs.ipxe.override {
+    additionalTargets = {
+      "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
+    };
+    additionalOptions = [
+      "NSLOOKUP_CMD"
+      "PING_CMD"
+      "CONSOLE_CMD"
+    ];
+    embedScript = pkgs.writeText "yggdrasil.ipxe" ''
+      #!ipxe
+      cpair --background 9 1
+      cpair --background 9 3
+      cpair --background 9 6
+      set user-class iPXE-yggdrasil
+      autoboot
+    '';
+  };
 in {
  config = {
    services.kea = {
@@ -25,41 +48,67 @@ in {
          };
          client-classes = [
-            { name = "eostre-ipxe";
+            { name = "ipxe-eostre";
-              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
+              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'";
-              next-server = "10.141.0.1";
+              next-server = tftpIp;
              boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";
              only-if-required = true;
            }
-            { name = "ipxe";
+            { name = "ipxe-yggdrasil";
-              test = "option[77].hex == 'iPXE'";
+              test = "option[77].hex == 'iPXE-yggdrasil'";
-              next-server = "10.141.0.1";
+              next-server = tftpIp;
              boot-file-name = "${nfsrootBaseUrl}/installer-x86_64-linux.menu.ipxe";
              only-if-required = true;
            }
+            { name = "uefi-http";
+              test = "option[client-system].hex == 0x0010";
+              option-data = [
+                { name = "vendor-class-identifier"; data = "HTTPClient"; }
+              ];
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
+              only-if-required = true;
+            }
+            { name = "ipxe-uefi-64";
+              test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009')";
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
+              only-if-required = true;
+            }
+            { name = "ipxe-uefi-32";
+              test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006')";
+              boot-file-name = "${nfsrootBaseUrl}/i386-ipxe.efi";
+              only-if-required = true;
+            }
+            { name = "ipxe-legacy";
+              test = "option[77].hex == 'iPXE' and substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.lkrn";
+              only-if-required = true;
+            }
            { name = "uefi-64";
              test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
-              only-if-required = true;
              option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
              ];
              boot-file-name = "ipxe.efi";
+              only-if-required = true;
            }
            { name = "uefi-32";
              test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
-              only-if-required = true;
              option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
              ];
              boot-file-name = "i386-ipxe.efi";
+              only-if-required = true;
            }
            { name = "legacy";
              test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
-              only-if-required = true;
              option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
              ];
-              boot-file-name = "undionly.kpxe";
+              boot-file-name = "ipxe.lkrn";
+              only-if-required = true;
            }
          ];
@@ -257,30 +306,31 @@ in {
              pkgs.symlinkJoin {
                name = "installer-${system}";
                paths = [
-                  (let
+                  (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
-                    installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+                    installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
                      modules = [
                        ({ ... }: {
-                          config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                          config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                          config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
+                          config.system.nixos.label = "installer-${system}";
                        })
                      ];
-                    }).config.system.build;
+                    });
-                  in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+                    installerBuild = installerBuild'.config.system.build;
+                  in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
                    mkdir -p $out/installer-${system}
                    install -m 0444 -t $out/installer-${system} \
                      ${installerBuild.initialRamdisk}/initrd \
                      ${installerBuild.kernel}/bzImage \
                      ${installerBuild.netbootIpxeScript}/netboot.ipxe \
                      ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
-                  ''))
+                    install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
-                  (pkgs.writeTextFile {
+                      #!ipxe
-                    name = "installer-${system}.menu.ipxe";
-                    destination = "/installer-${system}.menu.ipxe";
-                    text = ''
                      :start
                      menu iPXE boot menu for installer-${system}
-                      item installer Boot installer-${system}
+                      item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
+                      item memtest memtest86plus
                      item netboot netboot.xyz
                      item shell iPXE shell
                      choose --timeout 0 --default installer selected || goto shell
@@ -291,29 +341,40 @@ in {
                      goto start
                      :installer
-                      chain ${nfsrootBaseUrl}/installer-${system}/netboot.ipxe
+                      chain installer-${system}/netboot.ipxe
                      goto start
                      :netboot
-                      chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi
+                      iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
                      goto start
-                    '';
-                  })
+                      :memtest
+                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      goto start
+                    ''} $out/installer-${system}.menu.ipxe
+                  '')))
                ];
              }) ["x86_64-linux"]
            ) ++ [
-              (pkgs.linkFarm "netbootxyz-efi" [
+              (pkgs.runCommandLocal "utils" {} ''
-                { name = "netboot.xyz.efi"; path = pkgs.netbootxyz-efi; }
+                mkdir $out
-              ])
+                install -m 0444 -t $out \
-              (let
+                  ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
-                 eostreBuild = (flake.nixosConfigurations.eostre.extendModules {
+                  ${pkgs.memtest86plus}/{memtest.efi,memtest.bin}
+                install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
+                install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
+              '')
+              (builtins.addErrorContext "while evaluating eostre" (let
+                 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
                   modules = [
                     ({ ... }: {
-                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                       config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
+                       config.system.nixos.label = "eostre";
                     })
                   ];
-                 }).config.system.build;
+                 });
+                 eostreBuild = eostreBuild'.config.system.build;
               in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
                    mkdir -p $out/eostre
                    install -m 0444 -t $out/eostre \
@@ -321,35 +382,39 @@ in {
                      ${eostreBuild.kernel}/bzImage \
                      ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
                      ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
-                  ''))
+                    install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
-              (pkgs.writeTextFile {
+                      #!ipxe
-                name = "eostre.menu.ipxe";
-                destination = "/eostre.menu.ipxe";
-                text = ''
-                  set menu-timeout 5000
-                  :start
+                      set menu-timeout 5000
-                  menu iPXE boot menu for eostre
-                  item eostre Boot eostre
-                  item netboot netboot.xyz
-                  item shell iPXE shell
-                  choose --timeout ''${menu-timeout} --default eostre selected || goto shell
-                  goto ''${selected}
-                  :shell
+                      :start
-                  shell
+                      menu iPXE boot menu for eostre
-                  set menu-timeout 0
+                      item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
-                  goto start
+                      item memtest memtest86plus
+                      item netboot netboot.xyz
+                      item shell iPXE shell
+                      choose --timeout ''${menu-timeout} --default eostre selected || goto shell
+                      set menu-timeout 0
+                      goto ''${selected}
-                  :eostre
+                      :shell
-                  chain ${nfsrootBaseUrl}/eostre/netboot.ipxe
+                      set menu-timeout 0
-                  goto start
+                      shell
+                      goto start
+                      :eostre
+                      chain eostre/netboot.ipxe
+                      goto start
+                      :netboot
+                      iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
+                      goto start
-                  :netboot
+                      :memtest
-                  chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi
+                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
-                  goto start
+                      goto start
-                '';
+                    ''} $out/eostre.menu.ipxe
-              })
+                  '')))
            ];
        };
      };
@@ -360,20 +425,12 @@ in {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.ExecStart = let
-        ipxe = pkgs.ipxe.override {
-          additionalTargets = {
-            "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
-          };
-          additionalOptions = [
-            "NSLOOKUP_CMD"
-          ];
-        };
        tftpRoot = pkgs.runCommandLocal "netboot" {} ''
          mkdir -p $out
          install -m 0444 -t $out \
-            ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
+            ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
        '';
-      in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+      in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=${tftpIp} ${tftpRoot}";
    };
  };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 1edae167..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
  counter fw-lo {}
  counter fw-lan {}
  counter fw-gpon {}
+  counter fw-kimai {}
  counter fw-cups {}
@@ -94,6 +95,8 @@ table inet filter {
  counter immich-rx {}
  counter paperless-rx {}
  counter hledger-rx {}
+  counter audiobookshelf-rx {}
+  counter kimai-rx {}
  counter established-rx {}
@@ -125,6 +128,8 @@ table inet filter {
  counter immich-tx {}
  counter paperless-tx {}
  counter hledger-tx {}
+  counter audiobookshelf-tx {}
+  counter kimai-tx {}
  counter tx {}
@@ -148,8 +153,13 @@ table inet filter {
    oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
    iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname gpon counter name fw-kimai accept
    iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -203,6 +213,7 @@ table inet filter {
    iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
    iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
    iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
+    iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
    ct state { established, related } counter name established-rx accept
@@ -254,6 +265,7 @@ table inet filter {
    iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
    iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
    iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
+    iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
    counter name tx
@@ -262,7 +274,7 @@ table inet filter {
 table inet nat {
  counter gpon-nat {}
-  # counter container-nat {}
+  counter kimai-nat {}
  chain postrouting {
    type nat hook postrouting priority srcnat
@@ -270,7 +282,7 @@ table inet nat {
    meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    # iifname ve-* oifname gpon counter name container-nat masquerade
+    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
  }
 }

diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index 0643f0bb..92d755f3 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix
@@ -103,7 +103,14 @@ with lib;
103	/srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)	103	/srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
104	'';	104	'';
105	};	105	};
106	settings.nfsd.vers3 = false;	106	settings.nfsd = {
		107	rdma = true;
		108	vers3 = false;
		109	vers4 = true;
		110	"vers4.0" = false;
		111	"vers4.1" = false;
		112	"vers4.2" = true;
		113	};
107	};	114	};
108		115
109	fileSystems = {	116	fileSystems = {


diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index 4151111d..11460393 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix
@@ -1,9 +1,32 @@
1	{ flake, config, pkgs, lib, ... }:	1	{ flake, config, pkgs, lib, sources, ... }:
2		2
3	with lib;	3	with lib;
4		4
5	let	5	let
6	nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";	6	nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
		7	tftpIp = "10.141.0.1";
		8	nfsIp = tftpIp;
		9	ipxe = pkgs.ipxe.override {
		10	additionalTargets = {
		11	"bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
		12	};
		13	additionalOptions = [
		14	"NSLOOKUP_CMD"
		15	"PING_CMD"
		16	"CONSOLE_CMD"
		17	];
		18	embedScript = pkgs.writeText "yggdrasil.ipxe" ''
		19	#!ipxe
		20
		21	cpair --background 9 1
		22	cpair --background 9 3
		23	cpair --background 9 6
		24
		25	set user-class iPXE-yggdrasil
		26
		27	autoboot
		28	'';
		29	};
7	in {	30	in {
8	config = {	31	config = {
9	services.kea = {	32	services.kea = {
@@ -25,41 +48,67 @@ in {
25	};	48	};
26		49
27	client-classes = [	50	client-classes = [
28	{ name = "eostre-ipxe";	51	{ name = "ipxe-eostre";
29	test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";	52	test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'";
30	next-server = "10.141.0.1";	53	next-server = tftpIp;
31	boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";	54	boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";
32	only-if-required = true;	55	only-if-required = true;
33	}	56	}
34	{ name = "ipxe";	57	{ name = "ipxe-yggdrasil";
35	test = "option[77].hex == 'iPXE'";	58	test = "option[77].hex == 'iPXE-yggdrasil'";
36	next-server = "10.141.0.1";	59	next-server = tftpIp;
37	boot-file-name = "${nfsrootBaseUrl}/installer-x86_64-linux.menu.ipxe";	60	boot-file-name = "${nfsrootBaseUrl}/installer-x86_64-linux.menu.ipxe";
38	only-if-required = true;	61	only-if-required = true;
39	}	62	}
		63
		64	{ name = "uefi-http";
		65	test = "option[client-system].hex == 0x0010";
		66	option-data = [
		67	{ name = "vendor-class-identifier"; data = "HTTPClient"; }
		68	];
		69	boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
		70	only-if-required = true;
		71	}
		72
		73	{ name = "ipxe-uefi-64";
		74	test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009')";
		75	boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
		76	only-if-required = true;
		77	}
		78	{ name = "ipxe-uefi-32";
		79	test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006')";
		80	boot-file-name = "${nfsrootBaseUrl}/i386-ipxe.efi";
		81	only-if-required = true;
		82	}
		83	{ name = "ipxe-legacy";
		84	test = "option[77].hex == 'iPXE' and substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
		85	boot-file-name = "${nfsrootBaseUrl}/ipxe.lkrn";
		86	only-if-required = true;
		87	}
		88
40	{ name = "uefi-64";	89	{ name = "uefi-64";
41	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";	90	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
42	only-if-required = true;
43	option-data = [	91	option-data = [
44	{ name = "tftp-server-name"; data = "10.141.0.1"; }	92	{ name = "tftp-server-name"; data = tftpIp; }
45	];	93	];
46	boot-file-name = "ipxe.efi";	94	boot-file-name = "ipxe.efi";
		95	only-if-required = true;
47	}	96	}
48	{ name = "uefi-32";	97	{ name = "uefi-32";
49	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";	98	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
50	only-if-required = true;
51	option-data = [	99	option-data = [
52	{ name = "tftp-server-name"; data = "10.141.0.1"; }	100	{ name = "tftp-server-name"; data = tftpIp; }
53	];	101	];
54	boot-file-name = "i386-ipxe.efi";	102	boot-file-name = "i386-ipxe.efi";
		103	only-if-required = true;
55	}	104	}
56	{ name = "legacy";	105	{ name = "legacy";
57	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";	106	test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
58	only-if-required = true;
59	option-data = [	107	option-data = [
60	{ name = "tftp-server-name"; data = "10.141.0.1"; }	108	{ name = "tftp-server-name"; data = tftpIp; }
61	];	109	];
62	boot-file-name = "undionly.kpxe";	110	boot-file-name = "ipxe.lkrn";
		111	only-if-required = true;
63	}	112	}
64	];	113	];
65		114
@@ -257,30 +306,31 @@ in {
257	pkgs.symlinkJoin {	306	pkgs.symlinkJoin {
258	name = "installer-${system}";	307	name = "installer-${system}";
259	paths = [	308	paths = [
260	(let	309	(builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
261	installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {	310	installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
262	modules = [	311	modules = [
263	({ ... }: {	312	({ ... }: {
264	config.nfsroot.storeDevice = "10.141.0.1:nix-store";	313	config.nfsroot.storeDevice = "${nfsIp}:nix-store";
265	config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";	314	config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
		315	config.system.nixos.label = "installer-${system}";
266	})	316	})
267	];	317	];
268	}).config.system.build;	318	});
269	in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''	319	installerBuild = installerBuild'.config.system.build;
		320	in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
270	mkdir -p $out/installer-${system}	321	mkdir -p $out/installer-${system}
271	install -m 0444 -t $out/installer-${system} \	322	install -m 0444 -t $out/installer-${system} \
272	${installerBuild.initialRamdisk}/initrd \	323	${installerBuild.initialRamdisk}/initrd \
273	${installerBuild.kernel}/bzImage \	324	${installerBuild.kernel}/bzImage \
274	${installerBuild.netbootIpxeScript}/netboot.ipxe \	325	${installerBuild.netbootIpxeScript}/netboot.ipxe \
275	${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration	326	${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
276	''))	327	install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
277	(pkgs.writeTextFile {	328	#!ipxe
278	name = "installer-${system}.menu.ipxe";	329
279	destination = "/installer-${system}.menu.ipxe";
280	text = ''
281	:start	330	:start
282	menu iPXE boot menu for installer-${system}	331	menu iPXE boot menu for installer-${system}
283	item installer Boot installer-${system}	332	item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
		333	item memtest memtest86plus
284	item netboot netboot.xyz	334	item netboot netboot.xyz
285	item shell iPXE shell	335	item shell iPXE shell
286	choose --timeout 0 --default installer selected \|\| goto shell	336	choose --timeout 0 --default installer selected \|\| goto shell
@@ -291,29 +341,40 @@ in {
291	goto start	341	goto start
292		342
293	:installer	343	:installer
294	chain ${nfsrootBaseUrl}/installer-${system}/netboot.ipxe	344	chain installer-${system}/netboot.ipxe
295	goto start	345	goto start
296		346
297	:netboot	347	:netboot
298	chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi	348	iseq ''${platform} efi && chain --autofree netboot.xyz.efi \|\| chain --autofree netboot.xyz.lkrn
299	goto start	349	goto start
300	'';	350
301	})	351	:memtest
		352	iseq ''${platform} efi && chain --autofree memtest.efi \|\| chain --autofree memtest.bin
		353	goto start
		354	''} $out/installer-${system}.menu.ipxe
		355	'')))
302	];	356	];
303	}) ["x86_64-linux"]	357	}) ["x86_64-linux"]
304	) ++ [	358	) ++ [
305	(pkgs.linkFarm "netbootxyz-efi" [	359	(pkgs.runCommandLocal "utils" {} ''
306	{ name = "netboot.xyz.efi"; path = pkgs.netbootxyz-efi; }	360	mkdir $out
307	])	361	install -m 0444 -t $out \
308	(let	362	${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
309	eostreBuild = (flake.nixosConfigurations.eostre.extendModules {	363	${pkgs.memtest86plus}/{memtest.efi,memtest.bin}
		364	install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
		365	install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
		366	'')
		367	(builtins.addErrorContext "while evaluating eostre" (let
		368	eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
310	modules = [	369	modules = [
311	({ ... }: {	370	({ ... }: {
312	config.nfsroot.storeDevice = "10.141.0.1:nix-store";	371	config.nfsroot.storeDevice = "${nfsIp}:nix-store";
313	config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";	372	config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
		373	config.system.nixos.label = "eostre";
314	})	374	})
315	];	375	];
316	}).config.system.build;	376	});
		377	eostreBuild = eostreBuild'.config.system.build;
317	in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''	378	in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
318	mkdir -p $out/eostre	379	mkdir -p $out/eostre
319	install -m 0444 -t $out/eostre \	380	install -m 0444 -t $out/eostre \
@@ -321,35 +382,39 @@ in {
321	${eostreBuild.kernel}/bzImage \	382	${eostreBuild.kernel}/bzImage \
322	${eostreBuild.netbootIpxeScript}/netboot.ipxe \	383	${eostreBuild.netbootIpxeScript}/netboot.ipxe \
323	${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration	384	${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
324	''))	385	install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
325	(pkgs.writeTextFile {	386	#!ipxe
326	name = "eostre.menu.ipxe";
327	destination = "/eostre.menu.ipxe";
328	text = ''
329	set menu-timeout 5000
330		387
331	:start	388	set menu-timeout 5000
332	menu iPXE boot menu for eostre
333	item eostre Boot eostre
334	item netboot netboot.xyz
335	item shell iPXE shell
336	choose --timeout ''${menu-timeout} --default eostre selected \|\| goto shell
337	goto ''${selected}
338		389
339	:shell	390	:start
340	shell	391	menu iPXE boot menu for eostre
341	set menu-timeout 0	392	item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
342	goto start	393	item memtest memtest86plus
		394	item netboot netboot.xyz
		395	item shell iPXE shell
		396	choose --timeout ''${menu-timeout} --default eostre selected \|\| goto shell
		397	set menu-timeout 0
		398	goto ''${selected}
343		399
344	:eostre	400	:shell
345	chain ${nfsrootBaseUrl}/eostre/netboot.ipxe	401	set menu-timeout 0
346	goto start	402	shell
		403	goto start
		404
		405	:eostre
		406	chain eostre/netboot.ipxe
		407	goto start
		408
		409	:netboot
		410	iseq ''${platform} efi && chain --autofree netboot.xyz.efi \|\| chain --autofree netboot.xyz.lkrn
		411	goto start
347		412
348	:netboot	413	:memtest
349	chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi	414	iseq ''${platform} efi && chain --autofree memtest.efi \|\| chain --autofree memtest.bin
350	goto start	415	goto start
351	'';	416	''} $out/eostre.menu.ipxe
352	})	417	'')))
353	];	418	];
354	};	419	};
355	};	420	};
@@ -360,20 +425,12 @@ in {
360	after = [ "network.target" ];	425	after = [ "network.target" ];
361	wantedBy = [ "multi-user.target" ];	426	wantedBy = [ "multi-user.target" ];
362	serviceConfig.ExecStart = let	427	serviceConfig.ExecStart = let
363	ipxe = pkgs.ipxe.override {
364	additionalTargets = {
365	"bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
366	};
367	additionalOptions = [
368	"NSLOOKUP_CMD"
369	];
370	};
371	tftpRoot = pkgs.runCommandLocal "netboot" {} ''	428	tftpRoot = pkgs.runCommandLocal "netboot" {} ''
372	mkdir -p $out	429	mkdir -p $out
373	install -m 0444 -t $out \	430	install -m 0444 -t $out \
374	${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe	431	${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
375	'';	432	'';
376	in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";	433	in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=${tftpIp} ${tftpRoot}";
377	};	434	};
378	};	435	};
379	}	436	}


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 1edae167..7897fb3d 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
60	counter fw-lo {}	60	counter fw-lo {}
61	counter fw-lan {}	61	counter fw-lan {}
62	counter fw-gpon {}	62	counter fw-gpon {}
		63	counter fw-kimai {}
63		64
64	counter fw-cups {}	65	counter fw-cups {}
65		66
@@ -94,6 +95,8 @@ table inet filter {
94	counter immich-rx {}	95	counter immich-rx {}
95	counter paperless-rx {}	96	counter paperless-rx {}
96	counter hledger-rx {}	97	counter hledger-rx {}
		98	counter audiobookshelf-rx {}
		99	counter kimai-rx {}
97		100
98	counter established-rx {}	101	counter established-rx {}
99		102
@@ -125,6 +128,8 @@ table inet filter {
125	counter immich-tx {}	128	counter immich-tx {}
126	counter paperless-tx {}	129	counter paperless-tx {}
127	counter hledger-tx {}	130	counter hledger-tx {}
		131	counter audiobookshelf-tx {}
		132	counter kimai-tx {}
128		133
129	counter tx {}	134	counter tx {}
130		135
@@ -148,8 +153,13 @@ table inet filter {
148		153
149	oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept	154	oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
150	iifname lan oifname { gpon, bifrost } counter name fw-lan accept	155	iifname lan oifname { gpon, bifrost } counter name fw-lan accept
		156	iifname ve-kimai oifname gpon counter name fw-kimai accept
151		157
152	iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept	158	iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
		159	iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
		160
		161	iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
		162	iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
153		163
154		164
155	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop	165	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -203,6 +213,7 @@ table inet filter {
203	iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept	213	iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
204	iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept	214	iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
205	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept	215	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
		216	iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
206		217
207	ct state { established, related } counter name established-rx accept	218	ct state { established, related } counter name established-rx accept
208		219
@@ -254,6 +265,7 @@ table inet filter {
254	iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept	265	iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
255	iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept	266	iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
256	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept	267	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
		268	iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
257		269
258		270
259	counter name tx	271	counter name tx
@@ -262,7 +274,7 @@ table inet filter {
262		274
263	table inet nat {	275	table inet nat {
264	counter gpon-nat {}	276	counter gpon-nat {}
265	# counter container-nat {}	277	counter kimai-nat {}
266		278
267	chain postrouting {	279	chain postrouting {
268	type nat hook postrouting priority srcnat	280	type nat hook postrouting priority srcnat
@@ -270,7 +282,7 @@ table inet nat {
270		282
271		283
272	meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade	284	meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
273	# iifname ve-* oifname gpon counter name container-nat masquerade	285	iifname ve-kimai oifname gpon counter name kimai-nat masquerade
274	}	286	}
275	}	287	}
276		288