Diffstat (limited to 'hosts/vidhar')
-rw-r--r--hosts/vidhar/network/default.nix41
-rw-r--r--hosts/vidhar/network/ruleset.nft4
2 files changed, 42 insertions, 3 deletions
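--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ flake, config, lib, pkgs, ... }:
 {
 imports = [ ./dsl.nix ./bifrost ];
 
@@ -71,6 +71,27 @@
 type = "memfile";
 };
 
+client-classes = [
+{ name = "ipxe";
+test = "option[77].hex == 'iPXE'";
+next-server = "10.141.0.1";
+boot-file-name = "netboot.ipxe";
+only-if-required = true;
+}
+{ name = "uefi-64";
+test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
+only-if-required = true;
+tftp-server-name = "10.141.0.1";
+boot-file-name = "ipxe.efi";
+}
+{ name = "legacy";
+test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+only-if-required = true;
+tftp-server-name = "10.141.0.1";
+boot-file-name = "undionly.kpxe";
+}
+];
+
 subnet4 = [
 { subnet = "10.141.0.0/24";
 option-data = [
@@ -89,6 +110,7 @@
 ];
 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
 reservations = [];
+require-client-classes = ["ipxe" "uefi-64" "legacy"];
 }
 { subnet = "10.141.1.0/24";
 option-data = [
@@ -157,5 +179,22 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+systemd.services."installer-atftpd" = {
+description = "TFTP Server for PXE Booting NixOS Installer";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = let
+installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
+tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
+mkdir -p $out
+install -m 0444 -t $out \
+${installerBuild.netbootRamdisk}/initrd \
+${installerBuild.kernel}/bzImage \
+${installerBuild.netbootIpxeScript}/netboot.ipxe \
+${pkgs.ipxe}/ipxe.efi ${pkgs.ipxe}/undionly.kpxe
+'';
+in "${pkgs.atftp} --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+};
 };
 }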
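Review bot: The ExecStart at new line 197 interpolates `${pkgs.atftp}`, which evaluates to the package's store output directory rather than the daemon binary, so systemd cannot exec it and the unit will fail at start unless an overlay makes that path executable; it should be `${pkgs.atftp}/bin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}`. The new `installer-atftpd` unit also carries no sandboxing even though it only needs a read-only store path and one UDP socket, so the cheap systemd hardening below is worth adding alongside the fix. The address `10.141.0.1` is repeated as `next-server`, twice as `tftp-server-name`, and again in `--bind-address`; binding it once in a `let` (e.g. `tftpServer = "10.141.0.1";`) would keep the Kea classes and the daemon from drifting apart. Since the unit binds a specific address, ordering only after `network.target` may race the address assignment; `network-online.target` or a `bindsTo` on the interface unit is presumably what is wanted, to confirm on the host.
```nix
systemd.services."installer-atftpd" = {
  # … unchanged: description / after / wantedBy / installerBuild / tftpRoot …
  serviceConfig.ExecStart = "${pkgs.atftp}/bin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
  serviceConfig.ProtectSystem = "strict";
  serviceConfig.ProtectHome = true;
  serviceConfig.PrivateTmp = true;
  serviceConfig.PrivateDevices = true;
  serviceConfig.Restart = "on-failure";
};
```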
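--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -183,7 +183,7 @@ table inet filter {
 
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
 
-iifname mgmt udp dport 69 counter name tftp-rx accept
+iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 
 ct state {established, related} counter name established-rx accept
 
@@ -228,7 +228,7 @@ table inet filter {
 tcp sport 80 counter name http-tx accept
 
 udp sport 69 counter name tftp-tx accept
-iifname mgmt udp dport 69 counter name tftp-tx accept
+udp dport 69 counter name tftp-tx accept
 
 
 counter name tx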
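Review bot: The rewritten rule at line 231 drops every qualifier and accepts any `udp dport 69` traffic in that chain, while the matching inbound rule at line 186 is still limited to `iifname { lan, mgmt }`; the chain header is outside the hunk, but if this is an output or forward chain the symmetric restriction `oifname { lan, mgmt } udp dport 69 counter name tftp-tx accept` keeps the two halves consistent. Since the companion change in `default.nix` binds atftpd to `10.141.0.1` only, the inbound rule could be narrowed to that address as well, `iifname { lan, mgmt } ip daddr 10.141.0.1 udp dport 69 counter name tftp-rx accept`, so that TFTP is never accepted for other addresses on those interfaces. Both lines 230 and 231 feed the single `tftp-tx` counter, which makes the counter unable to distinguish replies from the host's own client requests; a separate counter name for the new rule would keep the accounting readable.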