Diffstat (limited to 'hosts/vidhar')
| -rw-r--r-- | hosts/vidhar/dns/zones/yggdrasil.soa | 3 | ||||
| -rw-r--r-- | hosts/vidhar/network/default.nix | 26 | ||||
| -rw-r--r-- | hosts/vidhar/network/dhcp/default.nix | 70 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 19 | 
4 files changed, 78 insertions, 40 deletions
| diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index ffa79ee1..3d9d4d83 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN yggdrasil. | 1 | $ORIGIN yggdrasil. | 
| 2 | $TTL 300 | 2 | $TTL 300 | 
| 3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( | 3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( | 
| 4 | 2022040802 ; serial | 4 | 2022101601 ; serial | 
| 5 | 300 ; refresh | 5 | 300 ; refresh | 
| 6 | 300 ; retry | 6 | 300 ; retry | 
| 7 | 300 ; expire | 7 | 300 ; expire | 
| @@ -16,6 +16,7 @@ sif IN AAAA 2a03:4000:52:ada:1:2:: | |||
| 16 | 16 | ||
| 17 | grafana.vidhar IN CNAME vidhar.yggdrasil. | 17 | grafana.vidhar IN CNAME vidhar.yggdrasil. | 
| 18 | prometheus.vidhar IN CNAME vidhar.yggdrasil. | 18 | prometheus.vidhar IN CNAME vidhar.yggdrasil. | 
| 19 | nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil. | ||
| 19 | 20 | ||
| 20 | 21 | ||
| 21 | vidhar.lan IN A 10.141.0.1 | 22 | vidhar.lan IN A 10.141.0.1 | 
| diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index e69674f4..f19ea9cd 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | { pkgs, ... }: | 1 | { pkgs, ... }: | 
| 2 | |||
| 2 | { | 3 | { | 
| 3 | imports = [ ./dsl.nix ./bifrost ./dhcp ]; | 4 | imports = [ ./dsl.nix ./bifrost ./dhcp ]; | 
| 4 | 5 | ||
| @@ -69,5 +70,30 @@ | |||
| 69 | networkConfig.LinkLocalAddressing = "no"; | 70 | networkConfig.LinkLocalAddressing = "no"; | 
| 70 | }; | 71 | }; | 
| 71 | }; | 72 | }; | 
| 73 | |||
| 74 | services.nfs.server = { | ||
| 75 | enable = true; | ||
| 76 | createMountPoints = true; | ||
| 77 | |||
| 78 | statdPort = 4000; | ||
| 79 | lockdPort = 4001; | ||
| 80 | mountdPort = 4002; | ||
| 81 | |||
| 82 | extraNfsdConfig = '' | ||
| 83 | vers3=off | ||
| 84 | ''; | ||
| 85 | |||
| 86 | exports = '' | ||
| 87 | /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0) | ||
| 88 | /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) | ||
| 89 | ''; | ||
| 90 | }; | ||
| 91 | |||
| 92 | fileSystems = { | ||
| 93 | "/srv/nfs/nix-store" = { | ||
| 94 | device = "/nix/store"; | ||
| 95 | options = [ "bind" ]; | ||
| 96 | }; | ||
| 97 | }; | ||
| 72 | }; | 98 | }; | 
| 73 | } | 99 | } | 
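Review bot: `statdPort`, `lockdPort` and `mountdPort` (new lines 78–80) pin ports for daemons that only NFSv3 uses, while `vers3=off` on line 83 disables v3 and the companion change in ruleset.nft opens nothing but tcp/2049, so these pins look like dead configuration and deserve either removal or a comment such as `# v3 is disabled below; statd/lockd/mountd are never reachable through the firewall`. The exports on lines 87–88 rely on the implicit `sec=sys`, i.e. client-asserted uids; that is reasonable for a read-only, root-squashed export of the world-readable store, but a comment stating it next to `exports` would stop a later `rw` from being added without revisiting `sec=`. `async` has no practical effect on a read-only export and could be dropped to avoid suggesting the server ever acknowledges writes early.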
| diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index e14b15ac..dfaa4c9f 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix | |||
| @@ -26,7 +26,7 @@ with lib; | |||
| 26 | { name = "ipxe"; | 26 | { name = "ipxe"; | 
| 27 | test = "option[77].hex == 'iPXE'"; | 27 | test = "option[77].hex == 'iPXE'"; | 
| 28 | next-server = "10.141.0.1"; | 28 | next-server = "10.141.0.1"; | 
| 29 | boot-file-name = "installer-x86_64-linux/netboot.ipxe"; | 29 | boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe"; | 
| 30 | only-if-required = true; | 30 | only-if-required = true; | 
| 31 | } | 31 | } | 
| 32 | { name = "uefi-64"; | 32 | { name = "uefi-64"; | 
| @@ -229,6 +229,40 @@ with lib; | |||
| 229 | sopsFile = ./knot-tsig.json.frag; | 229 | sopsFile = ./knot-tsig.json.frag; | 
| 230 | }; | 230 | }; | 
| 231 | 231 | ||
| 232 | services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = { | ||
| 233 | addSSL = false; | ||
| 234 | forceSSL = false; | ||
| 235 | locations."/" = { | ||
| 236 | extraConfig = '' | ||
| 237 | autoindex on; | ||
| 238 | ''; | ||
| 239 | root = pkgs.symlinkJoin { | ||
| 240 | name = "nfsroot.vidhar.yggdrasil"; | ||
| 241 | paths = | ||
| 242 | (map (system: | ||
| 243 | let | ||
| 244 | installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { | ||
| 245 | modules = [ | ||
| 246 | ({ ... }: { | ||
| 247 | config.nfsroot.storeDevice = "10.141.0.1:nix-store"; | ||
| 248 | config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration"; | ||
| 249 | }) | ||
| 250 | ]; | ||
| 251 | }).config.system.build; | ||
| 252 | in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' | ||
| 253 | mkdir -p $out/installer-${system} | ||
| 254 | install -m 0444 -t $out/installer-${system} \ | ||
| 255 | ${installerBuild.initialRamdisk}/initrd \ | ||
| 256 | ${installerBuild.kernel}/bzImage \ | ||
| 257 | ${installerBuild.netbootIpxeScript}/netboot.ipxe \ | ||
| 258 | ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration | ||
| 259 | '') | ||
| 260 | ) ["x86_64-linux"] | ||
| 261 | ); | ||
| 262 | }; | ||
| 263 | }; | ||
| 264 | }; | ||
| 265 | |||
| 232 | systemd.services."pxe-atftpd" = { | 266 | systemd.services."pxe-atftpd" = { | 
| 233 | description = "TFTP Server for PXE Booting"; | 267 | description = "TFTP Server for PXE Booting"; | 
| 234 | after = [ "network.target" ]; | 268 | after = [ "network.target" ]; | 
| @@ -238,44 +272,16 @@ with lib; | |||
| 238 | additionalTargets = { | 272 | additionalTargets = { | 
| 239 | "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; | 273 | "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; | 
| 240 | }; | 274 | }; | 
| 275 | additionalOptions = [ | ||
| 276 | "NSLOOKUP_CMD" | ||
| 277 | ]; | ||
| 241 | }; | 278 | }; | 
| 242 | tftpRoot = pkgs.runCommandLocal "netboot" {} '' | 279 | tftpRoot = pkgs.runCommandLocal "netboot" {} '' | 
| 243 | mkdir -p $out | 280 | mkdir -p $out | 
| 244 | install -m 0444 -t $out \ | 281 | install -m 0444 -t $out \ | 
| 245 | ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe | 282 | ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe | 
| 246 | |||
| 247 | ${concatMapStringsSep "\n" (system: | ||
| 248 | let | ||
| 249 | installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { | ||
| 250 | modules = [ | ||
| 251 | ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; }) | ||
| 252 | ]; | ||
| 253 | }).config.system.build; | ||
| 254 | in '' | ||
| 255 | mkdir -p $out/installer-${system} | ||
| 256 | install -m 0444 -t $out/installer-${system} \ | ||
| 257 | ${installerBuild.initialRamdisk}/initrd \ | ||
| 258 | ${installerBuild.kernel}/bzImage \ | ||
| 259 | ${installerBuild.netbootIpxeScript}/netboot.ipxe | ||
| 260 | '' | ||
| 261 | ) ["x86_64-linux"]} | ||
| 262 | ''; | 283 | ''; | 
| 263 | in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}"; | 284 | in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}"; | 
| 264 | }; | 285 | }; | 
| 265 | |||
| 266 | services.nfs.server = { | ||
| 267 | enable = true; | ||
| 268 | createMountPoints = true; | ||
| 269 | exports = '' | ||
| 270 | /export/nix-root 10.141.0.0/24(ro) | ||
| 271 | ''; | ||
| 272 | }; | ||
| 273 | |||
| 274 | fileSystems = { | ||
| 275 | "/export/nix-root" = { | ||
| 276 | device = "/nix/store"; | ||
| 277 | options = [ "bind" ]; | ||
| 278 | }; | ||
| 279 | }; | ||
| 280 | }; | 286 | }; | 
| 281 | } | 287 | } | 
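Review bot: The virtualHost added at new lines 232–264 serves the iPXE script, kernel, initrd and registration closure over plain HTTP (`addSSL = false`, `forceSSL = false`) and nothing in the chain verifies a signature or checksum, so installer integrity rests entirely on the lan segment being trusted, exactly as with the TFTP path this replaces; that assumption should be recorded next to the virtualHost, e.g. `# Netboot artifacts are served unauthenticated over HTTP; integrity relies on the lan segment being trusted.`. `autoindex on` (line 237) additionally publishes a listing of the artifact tree, which is harmless for this content but worth a one-line comment so the exposure reads as deliberate. `config.nfsroot.storeDevice = "10.141.0.1:nix-store"` (line 247) now has to be mounted as NFSv4 with `nix-store` resolved under the `fsid=0` pseudo-root, since network/default.nix turns v3 off in the same commit; the old value `vidhar:nix-store` suggests the installer's nfsroot module may predate that layout, so confirm it mounts with `vers=4`.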
| diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index c0da0fa6..473f8a20 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -78,6 +78,7 @@ table inet filter { | |||
| 78 | counter ssh-rx {} | 78 | counter ssh-rx {} | 
| 79 | counter mosh-rx {} | 79 | counter mosh-rx {} | 
| 80 | counter dns-rx {} | 80 | counter dns-rx {} | 
| 81 | counter nfs-rx {} | ||
| 81 | counter wg-rx {} | 82 | counter wg-rx {} | 
| 82 | counter yggdrasil-gre-rx {} | 83 | counter yggdrasil-gre-rx {} | 
| 83 | counter ipv6-pd-rx {} | 84 | counter ipv6-pd-rx {} | 
| @@ -104,6 +105,7 @@ table inet filter { | |||
| 104 | counter ssh-tx {} | 105 | counter ssh-tx {} | 
| 105 | counter mosh-tx {} | 106 | counter mosh-tx {} | 
| 106 | counter dns-tx {} | 107 | counter dns-tx {} | 
| 108 | counter nfs-tx {} | ||
| 107 | counter wg-tx {} | 109 | counter wg-tx {} | 
| 108 | counter yggdrasil-gre-tx {} | 110 | counter yggdrasil-gre-tx {} | 
| 109 | counter ipv6-pd-tx {} | 111 | counter ipv6-pd-tx {} | 
| @@ -152,7 +154,7 @@ table inet filter { | |||
| 152 | 154 | ||
| 153 | 155 | ||
| 154 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop | 156 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop | 
| 155 | 157 | ||
| 156 | 158 | ||
| 157 | iifname lo counter name rx-lo accept | 159 | iifname lo counter name rx-lo accept | 
| 158 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | 160 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | 
| @@ -165,8 +167,9 @@ table inet filter { | |||
| 165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 167 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 
| 166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 168 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 
| 167 | 169 | ||
| 168 | iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept | 170 | iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept | 
| 169 | iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept | 171 | |
| 172 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept | ||
| 170 | 173 | ||
| 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 174 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 
| 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 175 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 
| @@ -182,7 +185,8 @@ table inet filter { | |||
| 182 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 185 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 
| 183 | 186 | ||
| 184 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept | 187 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept | 
| 185 | 188 | iifname lan tcp dport 80 counter name http-rx accept | |
| 189 | |||
| 186 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept | 190 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept | 
| 187 | 191 | ||
| 188 | ct state {established, related} counter name established-rx accept | 192 | ct state {established, related} counter name established-rx accept | 
| @@ -209,8 +213,9 @@ table inet filter { | |||
| 209 | tcp sport 22 counter name ssh-tx | 213 | tcp sport 22 counter name ssh-tx | 
| 210 | udp sport 60000-61000 counter name mosh-tx | 214 | udp sport 60000-61000 counter name mosh-tx | 
| 211 | 215 | ||
| 212 | tcp sport 53 counter name dns-tx | 216 | meta l4proto {tcp, udp} th sport 53 counter name dns-tx | 
| 213 | udp sport 53 counter name dns-tx | 217 | |
| 218 | tcp sport 2049 counter name nfs-tx | ||
| 214 | 219 | ||
| 215 | meta protocol ip udp sport 51820 counter name wg-tx | 220 | meta protocol ip udp sport 51820 counter name wg-tx | 
| 216 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx | 221 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx | 
| @@ -225,7 +230,7 @@ table inet filter { | |||
| 225 | udp sport { 137, 138, 3702 } counter name samba-tx accept | 230 | udp sport { 137, 138, 3702 } counter name samba-tx accept | 
| 226 | tcp sport { 445, 139, 5357 } counter name samba-tx accept | 231 | tcp sport { 445, 139, 5357 } counter name samba-tx accept | 
| 227 | 232 | ||
| 228 | tcp sport {80,443} counter name http-tx accept | 233 | tcp sport { 80, 443 } counter name http-tx accept | 
| 229 | 234 | ||
| 230 | udp sport 69 counter name tftp-tx accept | 235 | udp sport 69 counter name tftp-tx accept | 
| 231 | udp dport 69 counter name tftp-tx accept | 236 | udp dport 69 counter name tftp-tx accept | 
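Review bot: The new `nfs-rx` rule (new line 172) accepts tcp/2049 from `yggdrasil` as well as `lan`, but the exports added in network/default.nix list only 10.141.0.0/24 and 2a03:4000:52:ada:1::/80; unless the yggdrasil interface carries one of those prefixes, the firewall is wider than the export ACL and the export list becomes the sole control. If yggdrasil clients are intended, a comment naming the prefix they arrive from would make that explicit; otherwise `iifname lan tcp dport 2049 counter name nfs-rx accept` matches the export list. Opening 2049 alone, with no rpcbind/statd/lockd/mountd ports, is consistent with `vers3=off`, and a comment such as `# NFSv4 only (vers3=off); no rpcbind/mountd ports needed` would keep that dependency visible to whoever next edits either file.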
