From 366cf64e848eebea98f9d9bb95e623597af74669 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 15 Mar 2022 16:37:42 +0100
Subject: vidhar: ddns

---
 hosts/vidhar/default.nix | 2 +-
 hosts/vidhar/dns.nix | 47 ----
 hosts/vidhar/dns/Gupfile | 2 +
 hosts/vidhar/dns/default.nix | 127 ++++++++++
 hosts/vidhar/dns/key.gup | 6 +
 hosts/vidhar/dns/keys/local.yaml | 26 ++
 hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa | 12 +
 hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa | 14 ++
 hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | 11 +
 hosts/vidhar/dns/zones/yggdrasil.lan.soa | 13 +
 hosts/vidhar/dns/zones/yggdrasil.mgmt.soa | 15 ++
 hosts/vidhar/dns/zones/yggdrasil.soa | 21 ++
 hosts/vidhar/network/default.nix | 152 +-----------
 hosts/vidhar/network/dhcp/default.nix | 264 +++++++++++++++++++++
 hosts/vidhar/network/dhcp/knot-tsig.json.frag | 26 ++
 system-profiles/openssh/known-hosts/Gupfile | 4 +-
 .../openssh/known-hosts/ca-resign-dir.gup | 6 +
 .../openssh/known-hosts/sif/ed25519-cert.pub | 2 +-
 .../openssh/known-hosts/sif/host-principals | 2 +-
 .../openssh/known-hosts/sif/rsa-cert.pub | 2 +-
 20 files changed, 552 insertions(+), 202 deletions(-)
 delete mode 100644 hosts/vidhar/dns.nix
 create mode 100644 hosts/vidhar/dns/Gupfile
 create mode 100644 hosts/vidhar/dns/default.nix
 create mode 100644 hosts/vidhar/dns/key.gup
 create mode 100644 hosts/vidhar/dns/keys/local.yaml
 create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
 create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
 create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
 create mode 100644 hosts/vidhar/dns/zones/yggdrasil.lan.soa
 create mode 100644 hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
 create mode 100644 hosts/vidhar/dns/zones/yggdrasil.soa
 create mode 100644 hosts/vidhar/network/dhcp/default.nix
 create mode 100644 hosts/vidhar/network/dhcp/knot-tsig.json.frag
 create mode 100644 system-profiles/openssh/known-hosts/ca-resign-dir.gup
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 3d81b221..f9b021d3 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg
+ ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg
 initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh
diff --git a/hosts/vidhar/dns.nix b/hosts/vidhar/dns.nix
deleted file mode 100644
index 72e707e7..00000000
--- a/hosts/vidhar/dns.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- config = {
- services.unbound = {
- enable = true;
- resolveLocalQueries = false;
- stateDir = "/var/lib/unbound";
- localControlSocketPath = "/run/unbound/unbound.ctl";
- settings = {
- server = {
- interface = ["127.0.0.1" "10.141.0.1" "::0"];
- access-control = ["0.0.0.0/0 allow" "::/0 allow"];
- root-hints = "${pkgs.dns-root-data}/root.hints";
-
- num-threads = 12;
- so-reuseport = true;
- msg-cache-slabs = 16;
- rrset-cache-slabs = 16;
- infra-cache-slabs = 16;
- key-cache-slabs = 16;
-
- rrset-cache-size = "100m";
- msg-cache-size = "50m";
- outgoing-range = 8192;
- num-queries-per-thread = 4096;
-
- so-rcvbuf = "4m";
- so-sndbuf = "4m";
-
- # serve-expired = true;
- # serve-expired-ttl = 86400;
- # serve-expired-reply-ttl = 0;
-
- prefetch = true;
- prefetch-key = true;
-
- minimal-responses = false;
-
- extended-statistics = true;
-
- rrset-roundrobin = true;
- use-caps-for-id = true;
- };
- };
- };
- };
-}
diff --git a/hosts/vidhar/dns/Gupfile b/hosts/vidhar/dns/Gupfile
new file mode 100644
index 00000000..ac96f620
--- /dev/null
+++ b/hosts/vidhar/dns/Gupfile
@@ -0,0 +1,2 @@
+key.gup:
+ keys/*.yaml
\ No newline at end of file
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
new file mode 100644
index 00000000..19a121f6
--- /dev/null
+++ b/hosts/vidhar/dns/default.nix 
@@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ knotKeys = let
+ dir = ./keys;
+ toKeyInfo = name: v:
+ if v == "regular" || v == "symlink"
+ then { path = dir + "/${name}"; inherit name; }
+ else null;
+ in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
+in {
+ config = {
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ stateDir = "/var/lib/unbound";
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "10.141.0.1" "::0"];
+ prefer-ip6 = true;
+ access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+ root-hints = "${pkgs.dns-root-data}/root.hints";
+
+ num-threads = 12;
+ so-reuseport = true;
+ msg-cache-slabs = 16;
+ rrset-cache-slabs = 16;
+ infra-cache-slabs = 16;
+ key-cache-slabs = 16;
+
+ rrset-cache-size = "100m";
+ msg-cache-size = "50m";
+ outgoing-range = 8192;
+ num-queries-per-thread = 4096;
+
+ so-rcvbuf = "4m";
+ so-sndbuf = "4m";
+
+ # serve-expired = true;
+ # serve-expired-ttl = 86400;
+ # serve-expired-reply-ttl = 0;
+
+ prefetch = true;
+ prefetch-key = true;
+
+ minimal-responses = false;
+
+ extended-statistics = true;
+
+ rrset-roundrobin = true;
+ use-caps-for-id = true;
+
+ local-zone = [
+ "141.10.in-addr.arpa transparent"
+ "yggdrasil transparent"
+ ];
+ domain-insecure = [
+ "141.10.in-addr.arpa"
+ "yggdrasil"
+ ];
+ };
+
+ stub-zone = map (name: {
+ inherit name;
+ stub-addr = "127.0.0.1@5353";
+ stub-first = true;
+ stub-no-cache = true;
+ stub-prime = false;
+ }) ["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "arpa.in-addr.10.141" "arpa.in-addr.10.141.0" "arpa.in-addr.10.141.1"];
+ };
+ };
+
+ services.knot = {
+ enable = true;
+ keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ extraConfig = ''
+ server:
+ listen: 127.0.0.1@5353
+ listen: ::1@5353
+
+ acl:
+ - id: local_acl
+ key: local_key
+ action: update
+
+ template:
+ - id: local_zone
+ storage: /var/lib/knot
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ semantic-checks: on
+ acl: [local_acl]
+
+ zone:
+ - domain: yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.soa}
+ - domain: lan.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.lan.soa}
+ - domain: mgmt.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.mgmt.soa}
+ - domain: 141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.soa}
+ - domain: 0.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.0.soa}
+ - domain: 1.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.1.soa}
+ '';
+ };
+
+ sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
+ format = "binary";
+ owner = "knot";
+ sopsFile = path;
+ }) knotKeys);
+ };
+}
diff --git a/hosts/vidhar/dns/key.gup b/hosts/vidhar/dns/key.gup
new file mode 100644
index 00000000..83c36b0e
--- /dev/null
+++ b/hosts/vidhar/dns/key.gup
@@ -0,0 +1,6 @@
+#!/usr/bin/env zsh
+
+keyName=${${2:t}%.yaml}_key
+
+keymgr -t ${keyName} > $1
+sops -p 'A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary --output-type=binary -e -i $1
diff --git a/hosts/vidhar/dns/keys/local.yaml b/hosts/vidhar/dns/keys/local.yaml
new file mode 100644
index 00000000..e66f4b61
--- /dev/null
+++ b/hosts/vidhar/dns/keys/local.yaml
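Review bot: The three reverse entries in the `stub-zone` list (`"arpa.in-addr.10.141"`, `"arpa.in-addr.10.141.0"`, `"arpa.in-addr.10.141.1"`) are the zone file names rather than DNS names, so unbound will never forward reverse queries for 10.141.0.0/16 to Knot, while the `local-zone`/`domain-insecure` entries and Knot's `domain:` lines in the same hunk already use the DNS form. The list should read `["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "141.10.in-addr.arpa" "0.141.10.in-addr.arpa" "1.141.10.in-addr.arpa"]`. Separately, `interface` still includes `"::0"` and `access-control` allows `::/0`, and yggdrasil.soa in this commit gives vidhar a global AAAA (`2a03:4000:52:ada:1:1::`), so unless a firewall outside this diff blocks port 53 the recursive resolver is an open resolver over IPv6; restricting `access-control` to the local prefixes (keeping `127.0.0.0/8`, `::1`, `10.141.0.0/16` and the link-local/ULA ranges actually used) would close that. The `::0` listener is inherited from the deleted dns.nix, but `prefer-ip6 = true` is new here and makes the IPv6 path the preferred one.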
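Review bot: key.gup has no `set -eu`, so if `keymgr -t` fails the script still runs `sops -e -i` on an empty or partial `$1` and exits 0, leaving an unusable encrypted key under keys/; `ca-resign-dir.gup` in this same commit does start with `set -eu`, so the two gup scripts are inconsistent. Add `set -eu` after the shebang and quote the gup arguments, i.e. `keymgr -t "${keyName}" > "$1"` and `... -e -i "$1"`. The generated TSIG secret also sits unencrypted in `$1` between the two commands; piping `keymgr`'s output into `sops ... -e /dev/stdin > "$1"` would avoid that window, if the sops version in use accepts stdin that way.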
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:hpWdnmsmBmO01PkTlmRLHdmXrPX6POuU/PWrOUMgH6glThzsFdk84tskUExnsl3N39ryCmgZwotIZ8zCWduPBn+nN3VTEP5Z4xltC8I82C6F283gWC3gxpTXFSwF7JetRM5uBQV0FFd9iXHUySEHdzoRqsGuZTMYdT44Bm6gGQHyt7N3/EeLHyJKa7MH+SLLznjlaTnmrAxEyGP8Talda0s/mkh4nRqQnbxX6aOTQpQ=,iv:eRQuxRNQGU2Zwudaqjr+QvLLpJ5QqrjvAN/uL6x8hUs=,tag:CYEt1K+gOGiOX9qQR/Q9jw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-15T13:30:32Z", + "mac": "ENC[AES256_GCM,data:PG4ywF/U6ITmdRB4OU5uXu54YabYt9Yyy2oYEMx0XpMlpKWH5bmg2qQNFakxBD6wCy2H6e3LmwcUl2N692crm3n/qQRNPQ0ETHVlaPlRFG85tiz/Ngi6tasoKG+ciLAXMy05c+yY6oENN7grm1TTMZRGSIyxo27ZU+k4kmz4eVM=,iv:fluwCnXHAJ/z2oGWCLXbjooymXbViPrZdVJOnoSrn1g=,tag:QtNGIKMBDtKnb3JPuRqmiA==,type:str]", + "pgp": [ + { + "created_at": "2022-03-15T13:30:31Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAQAK54tXtgsLn6MmWQC/4irGRJd160lpAxCIT+nt/MBUw\nznjpLnbZXSft1RQI6/B95udkm0U/MBKt7wSMe9I/Po44qJrqHqb4jofz6NCeqxD3\n0l4Bl/DpnWfam9knZFQ9NIEaKYWXSmVuxVduhpYYGopXUrKol8BVTdXU6qHaPKgV\nQc72FvezgyHngZwXNEggvS1IWPq4m6pamLi77e8hNGiQx5CiaFXWwCP4gY6A80pS\n=FNi5\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2022-03-15T13:30:31Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+/lLWPxgadpnWQlbAVbdzpbevoVKuaGrQmp79m4wKycw\nBeErMZugDNzHWXkTHXez5SpS94RYlGzhLcVLGfMg7C0h3wN192QaMrcH01udnjhK\n0l4BRYt9+9CCZL+Nb/ss+BIyOAFCZi2RkwzvXl9wVk+mb1As9/UYml9zqh/juU5F\nBZXqwNPA5RSNCoB0wy3A5yIB3uniMuYczTs67VHJ5cw2VVSQvXF5zue90i2F4mC4\n=IsU1\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa new file mode 100644 index 00000000..75e6b3a8 --- /dev/null 
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
@@ -0,0 +1,12 @@
+$ORIGIN 0.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+1 IN PTR vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
new file mode 100644
index 00000000..2d535d56
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
@@ -0,0 +1,14 @@
+$ORIGIN 1.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+1 IN PTR vidhar.mgmt.yggdrasil.
+2 IN PTR switch01.mgmt.yggdrasil.
+4 IN PTR ap01.mgmt.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
new file mode 100644
index 00000000..ea5a35f3
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
@@ -0,0 +1,11 @@
+$ORIGIN 141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/yggdrasil.lan.soa b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
new file mode 100644
index 00000000..c58b9a13
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
@@ -0,0 +1,13 @@
+$ORIGIN lan.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+
+vidhar IN A 10.141.0.1
diff --git a/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
new file mode 100644
index 00000000..8a630a9a
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
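Review bot: The SOA in arpa.in-addr.10.141.0.soa sets expire to 300 seconds, equal to refresh and retry, which inverts the usual ordering: expire is the time a secondary keeps serving after it can no longer refresh, so it should be far larger than refresh and retry (RFC 1912 suggests two to four weeks, e.g. `1209600 ; expire`). With no secondaries or transfer ACLs configured in dns/default.nix the value is inert today, but any future AXFR consumer would drop the zone five minutes after the first failed refresh. The same timer block appears in arpa.in-addr.10.141.1.soa, arpa.in-addr.10.141.soa, yggdrasil.lan.soa, yggdrasil.mgmt.soa and yggdrasil.soa in this commit.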
@@ -0,0 +1,15 @@
+$ORIGIN mgmt.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+
+vidhar IN A 10.141.1.1
+switch01 IN A 10.141.1.2
+ap01 IN A 10.141.1.4
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
new file mode 100644
index 00000000..6e66a063
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -0,0 +1,21 @@
+$ORIGIN yggdrasil.
+$TTL 300
+@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.yggdrasil.
+
+surtr IN AAAA 2a03:4000:52:ada:1::
+vidhar IN AAAA 2a03:4000:52:ada:1:1::
+sif IN AAAA 2a03:4000:52:ada:1:2::
+
+grafana.vidhar IN CNAME vidhar.yggdrasil.
+
+
+vidhar.lan IN A 10.141.0.1
+vidhar.mgmt IN A 10.141.1.1
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 2d9a7b8f..85ddd4ef 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
-{ flake, config, lib, pkgs, ... }:
+{ ... }:
 {
- imports = [ ./dsl.nix ./bifrost ];
+ imports = [ ./dsl.nix ./bifrost ./dhcp ];
 config = {
 networking = {
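Review bot: yggdrasil.soa ends with `vidhar.lan IN A 10.141.0.1` and `vidhar.mgmt IN A 10.141.1.1`, but `lan.yggdrasil` and `mgmt.yggdrasil` are loaded as separate Knot zones in dns/default.nix, so queries for those names are answered from the child zones and these two records are never served; they will silently drift from yggdrasil.lan.soa / yggdrasil.mgmt.soa, which DDNS now updates. The parent zone also carries no NS records delegating `lan` and `mgmt`, which only works because unbound is given an explicit stub for each child; replacing the two A lines with `lan IN NS vidhar.yggdrasil.` and `mgmt IN NS vidhar.yggdrasil.` would make the tree self-describing for any other resolver. That Knot answers from the most specific loaded zone is its documented behaviour, not something visible in this diff.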
@@ -53,132 +53,6 @@
 llmnr = "false";
 };
- services.kea = {
- dhcp4 = {
- enable = true;
- settings = {
- valid-lifetime = 4000;
- rebind-timer = 2000;
- renew-timer = 1000;
-
- interfaces-config = {
- interfaces = [ "lan" "mgmt" ];
- };
-
- lease-database = {
- name = "/var/lib/kea/dhcp4.leases";
- persist = true;
- type = "memfile";
- };
-
- client-classes = [
- { name = "ipxe";
- test = "option[77].hex == 'iPXE'";
- next-server = "10.141.0.1";
- boot-file-name = "netboot.ipxe";
- only-if-required = true;
- }
- { name = "uefi-64";
- test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
- only-if-required = true;
- option-data = [
- { name = "tftp-server-name"; data = "10.141.0.1"; }
- ];
- boot-file-name = "ipxe.efi";
- }
- { name = "uefi-32";
- test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
- only-if-required = true;
- option-data = [
- { name = "tftp-server-name"; data = "10.141.0.1"; }
- ];
- boot-file-name = "i386-ipxe.efi";
- }
- { name = "legacy";
- test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
- only-if-required = true;
- option-data = [
- { name = "tftp-server-name"; data = "10.141.0.1"; }
- ];
- boot-file-name = "undionly.kpxe";
- }
- ];
-
- subnet4 = [
- { subnet = "10.141.0.0/24";
- option-data = [
- { name = "domain-name-servers";
- data = "10.141.0.1";
- }
- { name = "broadcast-address";
- data = "10.141.0.255";
- }
- { name = "routers";
- data = "10.141.0.1";
- }
- { name = "domain-name";
- data = "yggdrasil";
- }
- ];
- pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
- reservations = [];
- require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
- }
- { subnet = "10.141.1.0/24";
- option-data = [
- { name = "domain-name-servers";
- data = "10.141.1.1";
- }
- { name = "broadcast-address";
- data = "10.141.1.255";
- }
- ];
- pools = [ { pool = "10.141.1.128 - 10.141.1.254"; } ];
- reservations = [
- { hostname = "switch01";
- hw-address = "60:a4:b7:53:94:b5";
- ip-address = "10.141.1.2";
- }
- { hostname = "ap01";
- hw-address = "74:ac:b9:29:ad:9a";
- ip-address = "10.141.1.4";
- }
- ];
- }
- { subnet = "10.141.2.0/24";
- option-data = [
- { name = "domain-name-servers";
- data = "10.141.2.1";
- }
- { name = "broadcast-address";
- data = "10.141.2.255";
- }
- { name = "routers";
- data = "10.141.2.1";
- }
- ];
- pools = [ { pool = "10.141.2.128 - 10.141.2.254"; } ];
- reservations = [];
- }
- ];
- };
- };
- dhcp6 = {
- enable = true;
- settings = {
- interfaces-config = {
- interfaces = [ "lan" ];
- };
-
- lease-database = {
- name = "/var/lib/kea/dhcp6.leases";
- persist = true;
- type = "memfile";
- };
- };
- };
- };
-
 systemd.network.networks = {
 "eno1" = {
 matchConfig.Name = "eno1";
@@ -191,27 +65,5 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
-
- systemd.services."installer-atftpd" = {
- description = "TFTP Server for PXE Booting NixOS Installer";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = let
- installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
- ipxe = pkgs.ipxe.override {
- additionalTargets = {
- "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
- };
- };
- tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
- mkdir -p $out
- install -m 0444 -t $out \
- ${installerBuild.netbootRamdisk}/initrd \
- ${installerBuild.kernel}/bzImage \
- ${installerBuild.netbootIpxeScript}/netboot.ipxe \
- ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
- '';
- in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
- };
 };
 }
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
new file mode 100644
index 00000000..ccc22c7f
--- /dev/null
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -0,0 +1,264 @@
+{ flake, config, pkgs, lib, ... }:
+{
+ config = {
+ services.kea = {
+ dhcp4 = {
+ enable = true;
+ settings = {
+ valid-lifetime = 4000;
+ rebind-timer = 2000;
+ renew-timer = 1000;
+
+ interfaces-config = {
+ interfaces = [ "lan" "mgmt" ];
+ };
+
+ lease-database = {
+ name = "/var/lib/kea/dhcp4.leases";
+ persist = true;
+ type = "memfile";
+ };
+
+ client-classes = [
+ { name = "ipxe";
+ test = "option[77].hex == 'iPXE'";
+ next-server = "10.141.0.1";
+ boot-file-name = "netboot.ipxe";
+ only-if-required = true;
+ }
+ { name = "uefi-64";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
+ only-if-required = true;
+ option-data = [
+ { name = "tftp-server-name"; data = "10.141.0.1"; }
+ ];
+ boot-file-name = "ipxe.efi";
+ }
+ { name = "uefi-32";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
+ only-if-required = true;
+ option-data = [
+ { name = "tftp-server-name"; data = "10.141.0.1"; }
+ ];
+ boot-file-name = "i386-ipxe.efi";
+ }
+ { name = "legacy";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+ only-if-required = true;
+ option-data = [
+ { name = "tftp-server-name"; data = "10.141.0.1"; }
+ ];
+ boot-file-name = "undionly.kpxe";
+ }
+ ];
+
+ dhcp-ddns.enable-updates = true;
+ ddns-send-updates = false;
+ ddns-override-client-update = true;
+ ddns-override-no-update = true;
+ ddns-replace-client-name = "when-not-present";
+ ddns-generated-prefix = "noname";
+ ddns-update-on-renew = true;
+
+ subnet4 = [
+ { subnet = "10.141.0.0/24";
+ option-data = [
+ { name = "domain-name-servers";
+ data = "10.141.0.1";
+ }
+ { name = "broadcast-address";
+ data = "10.141.0.255";
+ }
+ { name = "routers";
+ data = "10.141.0.1";
+ }
+ { name = "domain-name";
+ data = "yggdrasil";
+ }
+ { name = "domain-search";
+ data = "lan.yggdrasil, yggdrasil";
+ }
+ ];
+ ddns-send-updates = true;
+ ddns-qualifying-suffix = "lan.yggdrasil";
+ pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
+ require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
+ reservations = [
+ { hostname = "sif";
+ hw-address = "3c:e1:a1:52:24:35";
+ }
+ { hostname = "sif";
+ hw-address = "ee:32:68:76:83:ac";
+ }
+ { hostname = "sif";
+ hw-address = "48:2a:e3:64:62:97";
+ }
+ { hostname = "eos";
+ hw-address = "00:d8:61:79:c5:40";
+ }
+ ];
+ }
+ { subnet = "10.141.1.0/24";
+ option-data = [
+ { name = "domain-name-servers";
+ data = "10.141.1.1";
+ }
+ { name = "broadcast-address";
+ data = "10.141.1.255";
+ }
+ { name = "domain-name";
+ data = "yggdrasil";
+ }
+ { name = "domain-search";
+ data = "mgmt.yggdrasil, yggdrasil";
+ }
+ ];
+ ddns-send-updates = true;
+ ddns-qualifying-suffix = "mgmt.yggdrasil";
+ pools = [ { pool = "10.141.1.128 - 10.141.1.254"; } ];
+ reservations = [
+ { hostname = "switch01";
+ hw-address = "60:a4:b7:53:94:b5";
+ ip-address = "10.141.1.2";
+ }
+ { hostname = "ap01";
+ hw-address = "74:ac:b9:29:ad:9a";
+ ip-address = "10.141.1.4";
+ }
+ ];
+ }
+ { subnet = "10.141.2.0/24";
+ option-data = [
+ { name = "domain-name-servers";
+ data = "10.141.2.1";
+ }
+ { name = "broadcast-address";
+ data = "10.141.2.255";
+ }
+ { name = "routers";
+ data = "10.141.2.1";
+ }
+ ];
+ ddns-send-updates = false;
+ pools = [ { pool = "10.141.2.128 - 10.141.2.254"; } ];
+ reservations = [];
+ }
+ ];
+ };
+ };
+ dhcp6 = {
+ enable = true;
+ settings = {
+ interfaces-config = {
+ interfaces = [ "lan" ];
+ };
+
+ lease-database = {
+ name = "/var/lib/kea/dhcp6.leases";
+ persist = true;
+ type = "memfile";
+ };
+ };
+ };
+ dhcp-ddns = {
+ enable = true;
+ settings = {
+ forward-ddns = {
+ ddns-domains = [
+ { name = "lan.yggdrasil.";
+ dns-servers = [
+ { ip-address = "127.0.0.1";
+ port = 5353;
+ key-name = "local_key";
+ }
+ ];
+ }
+ { name = "mgmt.yggdrasil.";
+ dns-servers = [
+ { ip-address = "127.0.0.1";
+ port = 5353;
+ key-name = "local_key";
+ }
+ ];
+ }
+ ];
+ };
+ reverse-ddns = {
+ ddns-domains = [
+ { name = "0.141.10.in-addr.arpa.";
+ dns-servers = [
+ { ip-address = "127.0.0.1";
+ port = 5353;
+ key-name = "local_key";
+ }
+ ];
+ }
+ { name = "1.141.10.in-addr.arpa.";
+ dns-servers = [
+ { ip-address = "127.0.0.1";
+ port = 5353;
+ key-name = "local_key";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ systemd.services.kea-dhcp-ddns-server = {
+ preStart = let
+ configLines = [
+ ""
+ ] ++ lib.mapAttrsToList (k: v:
+ "\"${k}\": ${builtins.toJSON v}"
+ ) config.services.kea.dhcp-ddns.settings;
+
+ config-template = pkgs.writeText "dhcp-ddns.conf" ''
+ {"DhcpDdns": {
+ ${lib.concatStringsSep ",\n " configLines}
+ }}
+ '';
+ in ''
+ ${pkgs.envsubst}/bin/envsubst -i "${config-template}" -o "''${RUNTIME_DIRECTORY}/dhcp-ddns.conf"
+ '';
+
+ serviceConfig = {
+ ExecStart = lib.mkForce ''
+ ${pkgs.kea}/bin/kea-dhcp-ddns -c "''${RUNTIME_DIRECTORY}/dhcp-ddns.conf" ${lib.escapeShellArgs config.services.kea.dhcp-ddns.extraArgs}
+ '';
+ LoadCredential = [
+ "knot-tsig.json.frag:${config.sops.secrets."kea-knot-tsig.json.frag".path}"
+ ];
+ };
+ };
+
+ sops.secrets."kea-knot-tsig.json.frag" = {
+ format = "binary";
+ sopsFile = ./knot-tsig.json.frag;
+ };
+
+ systemd.services."installer-atftpd" = {
+ description = "TFTP Server for PXE Booting NixOS Installer";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = let
+ installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
+ ipxe = pkgs.ipxe.override {
+ additionalTargets = {
+ "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
+ };
+ };
+ tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
+ mkdir -p $out
+ install -m 0444 -t $out \
+ ${installerBuild.netbootRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
+ '';
+ in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+ };
+ };
+}
diff --git a/hosts/vidhar/network/dhcp/knot-tsig.json.frag b/hosts/vidhar/network/dhcp/knot-tsig.json.frag
new file mode 100644
index 00000000..75deb41c
--- /dev/null
+++ b/hosts/vidhar/network/dhcp/knot-tsig.json.frag
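Review bot: In `systemd.services.kea-dhcp-ddns-server.preStart`, `configLines` starts with an empty string, so after `concatStringsSep ",\n  "` the rendered file reads `{"DhcpDdns": {` followed by a bare `,` before `"forward-ddns"`, which is not valid JSON and kea-dhcp-ddns will refuse to start; nothing in this hunk fills that slot, and the `knot-tsig.json.frag` credential loaded via `LoadCredential` is never read, so the `local_key` TSIG key referenced by every `dns-servers` entry is left undefined. If the fragment holds the `tsig-keys` member, the intent is presumably to splice it in through envsubst: make the first element `"\${KNOT_TSIG}"` and add `export KNOT_TSIG="$(cat "''${CREDENTIALS_DIRECTORY}/knot-tsig.json.frag")"` before the envsubst line in preStart. Once the rendered config carries the secret, `RuntimeDirectoryMode = "0700"` (or a private target path) is needed as well, since systemd's runtime directory is world-readable by default. Separately, `ddns-replace-client-name = "when-not-present"` lets any DHCP client on lan/mgmt choose the name it registers under `lan.yggdrasil`/`mgmt.yggdrasil`; kea-dhcp-ddns's DHCID prerequisites should protect names that already exist, but unclaimed names are first-come, which deserves a comment next to that setting.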
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:cGcoqYZ341xQOFukDm4J5KDfG6+NaNbk2U2k4YGneRsAoPJZe/8KDmVr8TBWFCXXbuzeCGbiuXRVBmtYSEIqbqTN4u00RdQgpeL72cB3ZFd2c7cideEQV5z802pqFfXSlmLBC01OPG3TwAgk6xhQYSn5IcBTIL6fRF235Y9Q8k/X96rhfwPRVq84,iv:UoweWBcVuQIXeWFFl/WNUHLXG8nEri1UuTskC2I26hU=,tag:TJldVr2LDTmKA3ozZoX+cQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-15T13:52:17Z", + "mac": "ENC[AES256_GCM,data:rTelaGx5S2E2oYPNGfctFbgDKdyRX8tpVTqLtpcCAJ8MS5ppFTjnSwYi4yQHvTicfAPNz7hGJYAnTdyC2QDTciJgkS6KC3CCXWCimkTybBdVW4Azwz9iBZCpWu+rB1vcQhSLlLCaKmKskkqDZZ5+mfuaXc+TT2uwTA0SDtZWvnM=,iv:ANCZ1fHy6w/svEE53o7rWsp5qU15qoriqyVMzClH6J0=,tag:H92RM5GuLIl9/kslq4tzkQ==,type:str]", + "pgp": [ + { + "created_at": "2022-03-15T13:50:52Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdANAtB0un04iI+foGRefRK249LhT6Mz+yzdhkWa0UYoxcw\nUGDSh6la4ijiaqdeVfJ3vckXfAqee7dLseNQ64dafdlk2hVI0ZNv6mjfwgWk698v\n0l4B4EOHfDrmFNhZFcj1/sCRnukgx7PSeybZn3miTLQgMGOydrfYuisA3we/4EUo\nU55PGINdtAu268OUHQjj3yF1S72Yeh1MXEdvajRQdqorQJ4TpsPUtJolM25Df/kK\n=etIn\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2022-03-15T13:50:52Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdABm/Qf3pX4SxvTzq6sJKWc5o3Fzu/nH3XAH1WE2L/BUMw\nMFFmYmq3399ZcZ6JvaHdbJFUdavo/+wOg3ecWok039wbsr9qwn8YA4cR7VBsUPLa\n0l4BxuaiT3M+mTVvr5WpGFc3Xj7Mp4/z6hBUS+qTFIFZI2U5JsmZgC7VGTm+dlSJ\nexN6yr9mlQXvDIkx8w5/eaiYGViZ90SxN9BPYDqfGGigAw+xdXaafcOx8uBldAL1\n=HLRI\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/system-profiles/openssh/known-hosts/Gupfile b/system-profiles/openssh/known-hosts/Gupfile index 9217f43f..7aead812 100644 --- a/system-profiles/openssh/known-hosts/Gupfile +++ b/system-profiles/openssh/known-hosts/Gupfile 
@@ -1,2 +1,4 @@ ca-sign.gup: - **/*-cert.pub \ No newline at end of file + **/*-cert.pub +ca-resign-dir.gup: + * \ No newline at end of file diff --git a/system-profiles/openssh/known-hosts/ca-resign-dir.gup b/system-profiles/openssh/known-hosts/ca-resign-dir.gup new file mode 100644 index 00000000..ca1d08fd --- /dev/null +++ b/system-profiles/openssh/known-hosts/ca-resign-dir.gup @@ -0,0 +1,6 @@ +#!/usr/bin/env zsh +set -eu + +gup --always +gup -u ${2}/*-cert.pub +touch $2 \ No newline at end of file diff --git a/system-profiles/openssh/known-hosts/sif/ed25519-cert.pub b/system-profiles/openssh/known-hosts/sif/ed25519-cert.pub index ccc8118d..3ead53f4 100644 --- a/system-profiles/openssh/known-hosts/sif/ed25519-cert.pub +++ b/system-profiles/openssh/known-hosts/sif/ed25519-cert.pub @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIMrGeBKnPV6ns7yb1/GEI44htBzL8vJMD9vGIOQi9FQFAAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+vQAAAAGIHseIAAAACAAAAJGM1OWZlN2ZmLWRkZDUtNDMyMC1iYjA4LWIzYWJkZDM1NWE1MgAAABEAAAANc2lmLnlnZ2RyYXNpbAAAAABiBmBYAAAAAGOwzQAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztziAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEBiwiSUhTAo3abyR6Vj6my+N/aLb/zazhB9mXSkXMC3YMkLuuwEk3yqVDZYaBD1pcaH03PQvj6haHaHLZdiK+sC sif/ed25519.pub +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJbwfRloLc7IkLWJEjleSrcc62G4Sw+XtW6+nVH5M/0yAAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+vQAAAAGIwrR4AAAACAAAAJDgwMGU0MjRlLTIwZmMtNDM0OS1iYThjLTk4MWRkOWE5MDkzOAAAACYAAAANc2lmLnlnZ2RyYXNpbAAAABFzaWYubGFuLnlnZ2RyYXNpbAAAAABiL1uUAAAAAGOwzQAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztziAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEB147Dt1TPNzWXf2orbcvh/VQwCik7ogRKBTvLwpCvwODyc51vbjbpV96yuOs9jEnGS7ukJMSeKtdpHzD8rKrUM sif/ed25519.pub 
diff --git a/system-profiles/openssh/known-hosts/sif/host-principals b/system-profiles/openssh/known-hosts/sif/host-principals
index 7f9156b4..d8de4a87 100644
--- a/system-profiles/openssh/known-hosts/sif/host-principals
+++ b/system-profiles/openssh/known-hosts/sif/host-principals
@@ -1 +1 @@
-sif.yggdrasil
\ No newline at end of file
+sif.yggdrasil,sif.lan.yggdrasil
\ No newline at end of file
diff --git a/system-profiles/openssh/known-hosts/sif/rsa-cert.pub b/system-profiles/openssh/known-hosts/sif/rsa-cert.pub
index 5d591209..8120d8f3 100644
--- a/system-profiles/openssh/known-hosts/sif/rsa-cert.pub
+++ b/system-profiles/openssh/known-hosts/sif/rsa-cert.pub
@@ -1 +1 @@
-ssh-rsa-cert-v01@openssh.com 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 sif/rsa.pub
+ssh-rsa-cert-v01@openssh.com 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 sif/rsa.pub
-- 
cgit v1.2.3