From ae278d745dd8eca94374b27c1fa9a977e54c23c2 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 12 Mar 2022 18:40:38 +0100 Subject: vidhar: netboot installer --- hosts/sif/default.nix | 17 +------ hosts/vidhar/network/default.nix | 41 +++++++++++++++- hosts/vidhar/network/ruleset.nft | 4 +- installer.nix | 26 ---------- installer/default.nix | 32 ++++++++++++ installer/ruleset.nft | 98 +++++++++++++++++++++++++++++++++++++ system-profiles/networkmanager.nix | 26 ++++++++++ system-profiles/openssh/default.nix | 50 ++++++++++++------- system-profiles/zfs.nix | 4 +- 9 files changed, 232 insertions(+), 66 deletions(-) delete mode 100644 installer.nix create mode 100644 installer/default.nix create mode 100644 installer/ruleset.nft create mode 100644 system-profiles/networkmanager.nix diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 24cc86ac..647021ca 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -14,6 +14,7 @@ in { ./hw.nix ./mail initrd-all-crypto-modules default-locale openssh rebuild-machines + networkmanager ]; config = { @@ -71,16 +72,6 @@ in { ]; }; - networkmanager = { - enable = true; - dhcp = "internal"; - dns = lib.mkForce "dnsmasq"; - extraConfig = '' - [connectivity] - uri=https://online.yggdrasil.li - ''; - }; - # wlanInterfaces = { # wlan0 = { # device = "wlp82s0"; @@ -98,7 +89,6 @@ in { # }; # }; - dhcpcd.enable = false; useDHCP = false; useNetworkd = true; @@ -109,9 +99,6 @@ in { # }; }; - systemd.services."NetworkManager-wait-online".enable = false; - systemd.services."systemd-networkd-wait-online".enable = false; - environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = { text = '' server=/sif.libvirt/192.168.122.1 @@ -205,8 +192,6 @@ in { }; networking.networkmanager.unmanaged = ["wgrz"]; - services.resolved.enable = false; - services.openssh.enable = true; powerManagement = { diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index 2444f537..ab79dd16 100644 
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ flake, config, lib, pkgs, ... }:
 {
 imports = [ ./dsl.nix ./bifrost ];
@@ -71,6 +71,27 @@
 type = "memfile";
 };
+ client-classes = [
+ { name = "ipxe";
+ test = "option[77].hex == 'iPXE'";
+ next-server = "10.141.0.1";
+ boot-file-name = "netboot.ipxe";
+ only-if-required = true;
+ }
+ { name = "uefi-64";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "ipxe.efi";
+ }
+ { name = "legacy";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "undionly.kpxe";
+ }
+ ];
+
 subnet4 = [
 { subnet = "10.141.0.0/24";
 option-data = [
@@ -89,6 +110,7 @@
 ];
 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
 reservations = [];
+ require-client-classes = ["ipxe" "uefi-64" "legacy"];
 }
 { subnet = "10.141.1.0/24";
 option-data = [
@@ -157,5 +179,22 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+ systemd.services."installer-atftpd" = {
+ description = "TFTP Server for PXE Booting NixOS Installer";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = let
+ installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
+ tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
+ mkdir -p $out
+ install -m 0444 -t $out \
+ ${installerBuild.netbootRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${pkgs.ipxe}/ipxe.efi ${pkgs.ipxe}/undionly.kpxe
+ '';
+ in "${pkgs.atftp} --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+ };
 };
 }
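Review bot: `ExecStart` of the new `installer-atftpd` unit interpolates `${pkgs.atftp}`, which is the package's store directory, not the daemon, so systemd will fail to execute it; it should name the binary, `in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";` (confirm the path inside the package — the stock `services.atftpd` module already wraps this invocation and could be used instead). The unit otherwise runs with systemd defaults — as root, no `DynamicUser`/`ProtectSystem`/`NoNewPrivileges` — for a daemon that answers unauthenticated UDP from the whole `lan` segment once the accompanying ruleset change lands, so at minimum pin `--user` and add the usual sandboxing directives. `after = [ "network.target" ]` does not guarantee that 10.141.0.1 is already configured when the daemon binds a fixed address; `network-online.target` (or ordering after the networkd unit that configures that link) is the safer choice. Keep in mind that PXE itself authenticates nothing: any host able to answer DHCP/TFTP faster on `lan` can substitute its own kernel and initrd, which is worth a comment next to the `client-classes` block.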
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index f2b1eda0..0f591f24 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -183,7 +183,7 @@ table inet filter {
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
- iifname mgmt udp dport 69 counter name tftp-rx accept
+ iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -228,7 +228,7 @@ table inet filter {
 tcp sport 80 counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
- iifname mgmt udp dport 69 counter name tftp-tx accept
+ udp dport 69 counter name tftp-tx accept
 counter name tx
diff --git a/installer.nix b/installer.nix
deleted file mode 100644
index 310105b8..00000000
--- a/installer.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ flake, pkgs, ... }: {
- imports = with flake.nixosModules.systemProfiles; [
- default-locale zfs
- ];
-
- config = {
- networking.wireless.enable = false;
-
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 22 # ssh
- ];
- allowedUDPPortRanges = [
- { from = 60000; to = 61000; } # mosh
- ];
- };
-
- systemd.services."sshd".wantedBy = ["multi-user.target"];
-
- services.qemuGuest.enable = true;
-
- environment.systemPackages = with pkgs; [
- nvme-cli iotop mosh
- ];
- };
-}
diff --git a/installer/default.nix b/installer/default.nix
new file mode 100644
index 00000000..bf09c8d8
--- /dev/null
+++ b/installer/default.nix
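Review bot: The rewritten tx rule `udp dport 69 counter name tftp-tx accept` has no interface match at all, so vidhar may now initiate TFTP toward any peer on any interface including its uplinks; the removed `iifname mgmt` could never have matched in an output chain (egress packets carry no input interface), so the intended rule is presumably `oifname { lan, mgmt } udp dport 69 counter name tftp-tx accept`, mirroring the rx hunk above. Neither `udp sport 69` nor `udp dport 69` covers the TFTP data phase, which the server sends from an ephemeral port, so whether netboot actually transfers depends on the rest of the output chain (its policy is outside the hunk) or on the `tftp` conntrack helper being attached. The enclosing `table inet filter` and its chains begin and end outside the hunk.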
@@ -0,0 +1,32 @@
+{ flake, pkgs, ... }: {
+ imports = with flake.nixosModules.systemProfiles; [
+ default-locale zfs networkmanager openssh
+ ];
+
+ config = {
+ networking = {
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ staticHostKeys = false;
+ };
+
+ services.qemuGuest.enable = true;
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ environment.systemPackages = with pkgs; [
+ nvme-cli iotop mosh
+ ];
+
+ zramSwap.enable = true;
+ };
+}
diff --git a/installer/ruleset.nft b/installer/ruleset.nft
new file mode 100644
index 00000000..4de54dd7
--- /dev/null
+++ b/installer/ruleset.nft
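Review bot: `services.resolved.llmnr = "false"` is dead configuration here, because the `networkmanager` profile imported two lines above sets `services.resolved.enable = false` and hands DNS to NetworkManager's dnsmasq, so this block should either be dropped or replaced by a comment explaining that LLMNR is already off by virtue of resolved being disabled. `staticHostKeys = false` means the installer presents a freshly generated host key on every netboot, so an operator has no way to tell their installer from a rogue PXE responder on the same LAN; that is a reasonable trade-off for a throwaway image but deserves a comment such as `# netbooted image: host keys are regenerated per boot, clients cannot pin them`. Nothing in this file says who may log in over the tcp/22 that the ruleset opens on every interface; presumably the openssh profile's hidden lines supply `TrustedUserCAKeys` or similar, but if they do not, the image is either unreachable or falls back to NixOS defaults, so it would be safer to state the intended policy here (`users.users.root.openssh.authorizedKeys.keys` or `PasswordAuthentication no`) rather than inherit it implicitly.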
@@ -0,0 +1,98 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
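Review bot: The `input` chain never accepts `ct state { established, related }`, unlike the host ruleset in hosts/vidhar/network/ruleset.nft, so with `policy drop` every reply to a connection the installer opens itself — DNS answers, the HTTP(S) responses needed to fetch the closure during `nixos-install`, NTP — falls through to the reject/drop tail; only SSH and mosh work because `tcp dport 22` and `udp dport 60000-61000` match their inbound packets directly. Add `ct state { established, related } counter accept` immediately after the `ct state invalid` drop and before the loopback rules. The `iifname lo counter accept` in the `forward` chain can never match at the forward hook and is dead. A one-line header stating that this file replaces `networking.firewall` for the netboot image (it is wired in through `networking.nftables.rulesetFile`) would help whoever next edits the port list.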
diff --git a/system-profiles/networkmanager.nix b/system-profiles/networkmanager.nix
new file mode 100644
index 00000000..d1eb9cd1
--- /dev/null
+++ b/system-profiles/networkmanager.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ config = {
+ networking = {
+ networkmanager = {
+ enable = true;
+ dhcp = "internal";
+ dns = mkForce "dnsmasq";
+ extraConfig = ''
+ [connectivity]
+ uri=https://online.yggdrasil.li
+ '';
+ };
+
+ dhcpcd.enable = false;
+ };
+
+ systemd.services."NetworkManager-wait-online".enable = false;
+ systemd.services."systemd-networkd-wait-online".enable = false;
+
+ services.resolved.enable = false;
+ };
+}
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 048a948f..19bc46b7 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
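Review bot: The profile hard-disables `services.resolved` and forces `dns = mkForce "dnsmasq"` without a word of explanation, and now that it is shared between sif and the netboot installer any `services.resolved.*` option a consumer sets is silently ignored; a header comment would prevent that surprise, e.g. `# DNS goes through NetworkManager's dnsmasq; systemd-resolved is disabled, so services.resolved.* has no effect on hosts importing this profile.` If a host should ever be able to opt back in, `services.resolved.enable = mkDefault false;` is the less brittle choice than a bare `false`. Disabling both wait-online units means anything ordered after `network-online.target` starts with no connectivity guarantee, which is fine for a laptop but should be stated as intentional right next to those two lines.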
@@ -1,22 +1,34 @@ { customUtils, lib, config, hostName, pkgs, ... }: -{ + +with lib; + +let + cfg = config.services.openssh; +in { + options = { + services.openssh.staticHostKeys = mkOption { + type = types.bool; + default = true; + }; + }; + config = { - systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager + systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager - services.openssh = lib.mkIf config.services.openssh.enable { - hostKeys = lib.mkForce []; # done manually + services.openssh = mkIf cfg.enable { + hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; - moduliFile = config.sops.secrets.ssh_moduli.path; + moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; extraConfig = '' HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 - HostKey /etc/ssh/ssh_host_ed25519_key - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub - HostKey /etc/ssh/ssh_host_rsa_key - HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub + ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} + ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} + ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} + ${optionalString (config.environment.etc ? 
"ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} RevokedKeys /etc/ssh/krl.bin ''; logLevel = "VERBOSE"; @@ -45,35 +57,35 @@ ''; }; - sops.secrets = lib.mkIf config.services.openssh.enable { - ssh_host_rsa_key = { + sops.secrets = mkIf cfg.enable { + ssh_host_rsa_key = mkIf cfg.staticHostKeys { key = "rsa"; path = "/etc/ssh/ssh_host_rsa_key"; sopsFile = ./host-keys + "/${hostName}.yaml"; }; - ssh_host_ed25519_key = { + ssh_host_ed25519_key = mkIf cfg.staticHostKeys { key = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; sopsFile = ./host-keys + "/${hostName}.yaml"; }; - ssh_moduli = { + ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) { format = "binary"; path = "/etc/ssh/moduli"; sopsFile = ./host-moduli + "/${hostName}"; }; }; - environment.etc = lib.mkIf config.services.openssh.enable { - "ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub"; - "ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub"; + environment.etc = mkIf cfg.enable { + "ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; }; + "ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; }; - "ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub"; - "ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; + "ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; }; + "ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; }; "ssh/krl.bin".source = ./ca/krl.bin; }; - environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [ + environment.systemPackages = mkIf cfg.enable (with pkgs; [ rxvt_unicode.terminfo alacritty.terminfo ]); }; 
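Review bot: The two `HostCertificate` lines are gated on `config.environment.etc ? "ssh/ssh_host_…-cert.pub"` while the `HostKey` lines next to them, and the cert files themselves in the second hunk, are gated on `cfg.staticHostKeys`; the conditions are equivalent, but testing `config.environment.etc` from inside `services.openssh.extraConfig` — which the sshd module presumably renders back into an `environment.etc` entry — makes the attribute set of `environment.etc` part of its own evaluation and is a classic infinite-recursion hazard. Use `${optionalString cfg.staticHostKeys "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}` (and the rsa twin) exactly as the HostKey lines do. The same applies to `moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") …`, which can reuse the `pathExists (./host-moduli + "/${hostName}")` test the secret definition already uses and would then not touch `config.sops` on a host that does not import sops-nix (whether every consumer does is not visible here). Lines 23–44 of this profile, where the authentication policy (`PermitRootLogin`, `TrustedUserCAKeys`) most likely lives, are outside both hunks and are not reviewed.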
diff --git a/system-profiles/zfs.nix b/system-profiles/zfs.nix
index 5703f7ed..85e5ad03 100644
--- a/system-profiles/zfs.nix
+++ b/system-profiles/zfs.nix
@@ -1,6 +1,6 @@
-{ pkgs, ... } : {
+{ config, pkgs, ... } : {
 config.boot = {
- kernelPackages = pkgs.linuxPackages_5_15;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 supportedFilesystems = [ "zfs" ];
 zfs.enableUnstable = true;
 };
-- 
cgit v1.2.3
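Review bot: `latestCompatibleLinuxPackages` makes the kernel float with whatever the ZFS package — the unstable one, given `zfs.enableUnstable = true` — declares compatible, replacing the explicit 5.15 LTS pin; that is presumably what lets the netboot installer build at all, but it also means a ZFS bump can now silently change the kernel series on every host importing this profile. Record the trade-off in place: `# Follow the newest kernel the (unstable) ZFS module supports rather than pinning an LTS series; a ZFS update may change the kernel version.`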