From ddcc8c65e30a9ca3b56e25466e749cb100b28510 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 22 Oct 2022 19:33:45 +0200
Subject: ...
---
 hosts/vidhar/network/default.nix | 26 +++++++++++++
 hosts/vidhar/network/dhcp/default.nix | 70 +++++++++++++++++++----------------
 hosts/vidhar/network/ruleset.nft | 19 ++++++----
 3 files changed, 76 insertions(+), 39 deletions(-)
(limited to 'hosts/vidhar/network')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index e69674f4..f19ea9cd 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,5 @@
 { pkgs, ... }:
+
 {
 imports = [ ./dsl.nix ./bifrost ./dhcp ];
@@ -69,5 +70,30 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+ services.nfs.server = {
+ enable = true;
+ createMountPoints = true;
+
+ statdPort = 4000;
+ lockdPort = 4001;
+ mountdPort = 4002;
+
+ extraNfsdConfig = ''
+ vers3=off
+ '';
+
+ exports = ''
+ /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
+ /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
+ '';
+ };
+
+ fileSystems = {
+ "/srv/nfs/nix-store" = {
+ device = "/nix/store";
+ options = [ "bind" ];
+ };
+ };
 };
 }
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index e14b15ac..dfaa4c9f 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -26,7 +26,7 @@ with lib;
 { name = "ipxe";
 test = "option[77].hex == 'iPXE'";
 next-server = "10.141.0.1";
- boot-file-name = "installer-x86_64-linux/netboot.ipxe";
+ boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
 only-if-required = true;
 }
 { name = "uefi-64";
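Review bot: The `statdPort`/`lockdPort`/`mountdPort` lines pin ports that NFSv4 clients never contact, while `vers3=off` a few lines further down disables the protocol version that would use them and the ruleset in this commit opens only 2049; either drop the three pins or leave a comment so nobody opens 4000-4002 later without re-checking, e.g. `# NFSv4 only (vers3=off); statd/lockd/mountd ports pinned but deliberately not opened in ruleset.nft`. The export lines carry no `sec=` option, so the server falls back to AUTH_SYS and trusts client-asserted UIDs; with `ro,root_squash` on a bind mount of /nix/store that is presumably acceptable, but worth stating next to `exports`, e.g. `# read-only store export for netboot clients; AUTH_SYS, access bounded only by the listed subnets`. The attribute set this block extends starts outside the hunk.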
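Review bot: `boot-file-name` is now an absolute URL with a hostname, so the iPXE stage depends on the client resolving `nfsroot.vidhar.yggdrasil` through the DNS it got from DHCP and then fetches the script over plain HTTP; neither dependency is documented at the option, and the TFTP `next-server` line above it now only serves the chainload binaries. Suggest a comment on the new line, e.g. `# absolute URL: iPXE fetches over HTTP and must resolve nfsroot.vidhar.yggdrasil (served by the nginx vhost)`. The client-class list this entry belongs to starts and ends outside the hunk.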
@@ -229,6 +229,40 @@ with lib;
 sopsFile = ./knot-tsig.json.frag;
 };
+ services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = {
+ addSSL = false;
+ forceSSL = false;
+ locations."/" = {
+ extraConfig = ''
+ autoindex on;
+ '';
+ root = pkgs.symlinkJoin {
+ name = "nfsroot.vidhar.yggdrasil";
+ paths =
+ (map (system:
+ let
+ installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+ modules = [
+ ({ ... }: {
+ config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+ config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration";
+ })
+ ];
+ }).config.system.build;
+ in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+ mkdir -p $out/installer-${system}
+ install -m 0444 -t $out/installer-${system} \
+ ${installerBuild.initialRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
+ '')
+ ) ["x86_64-linux"]
+ );
+ };
+ };
+ };
+
 systemd.services."pxe-atftpd" = {
 description = "TFTP Server for PXE Booting";
 after = [ "network.target" ];
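Review bot: `builtins.toPath` wrapped around the `pkgs.runCommandLocal` call is unnecessary and the builtin is deprecated in Nix; `symlinkJoin` takes derivations in `paths` directly, so the `in` line can become `in pkgs.runCommandLocal "install-${system}" {} ''` with the closing `'')` reduced to `''`. Separately, the vhost is plain HTTP (`addSSL = false`, `forceSSL = false`) with `autoindex on;` and no `listen` restriction, so any client that reaches port 80 can list and download the kernel, initrd and the `registration` closure listing; if this is meant for the netboot segment only, consider `listen = [ { addr = "10.141.0.1"; port = 80; } ];`, otherwise a comment stating that the nftables ruleset is the only access control would help the next reader.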
@@ -238,44 +272,16 @@ with lib;
 additionalTargets = {
 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
 };
+ additionalOptions = [
+ "NSLOOKUP_CMD"
+ ];
 };
 tftpRoot = pkgs.runCommandLocal "netboot" {} ''
 mkdir -p $out
 install -m 0444 -t $out \
 ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
-
- ${concatMapStringsSep "\n" (system:
- let
- installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
- modules = [
- ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; })
- ];
- }).config.system.build;
- in ''
- mkdir -p $out/installer-${system}
- install -m 0444 -t $out/installer-${system} \
- ${installerBuild.initialRamdisk}/initrd \
- ${installerBuild.kernel}/bzImage \
- ${installerBuild.netbootIpxeScript}/netboot.ipxe
- ''
- ) ["x86_64-linux"]}
 '';
 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
 };
-
- services.nfs.server = {
- enable = true;
- createMountPoints = true;
- exports = ''
- /export/nix-root 10.141.0.0/24(ro)
- '';
- };
-
- fileSystems = {
- "/export/nix-root" = {
- device = "/nix/store";
- options = [ "bind" ];
- };
- };
 };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
 counter ssh-rx {}
 counter mosh-rx {}
 counter dns-rx {}
+ counter nfs-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
 counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
 counter ssh-tx {}
 counter mosh-tx {}
 counter dns-tx {}
+ counter nfs-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
 counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-
+
 iifname lo counter name rx-lo accept
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
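Review bot: `additionalOptions = [ "NSLOOKUP_CMD" ];` is added to the iPXE build without saying why; presumably it goes with the new hostname-based `boot-file-name` in the DHCP class, and that link should be recorded in place so the option is not removed as unused later, e.g. `# name resolution in iPXE: boot-file-name is now an http:// URL with a hostname`. The `ipxe` override this attribute belongs to starts outside the hunk.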
@@ -165,8 +167,9 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+
+ iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
-
+ iifname lan tcp dport 80 counter name http-rx accept
+ iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
 tcp sport 22 counter name ssh-tx
 udp sport 60000-61000 counter name mosh-tx
- tcp sport 53 counter name dns-tx
- udp sport 53 counter name dns-tx
+ meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+
+ tcp sport 2049 counter name nfs-tx
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
 udp sport { 137, 138, 3702 } counter name samba-tx accept
 tcp sport { 445, 139, 5357 } counter name samba-tx accept
- tcp sport {80,443} counter name http-tx accept
+ tcp sport { 80, 443 } counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
 udp dport 69 counter name tftp-tx accept
--
cgit v1.2.3
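Review bot: `iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept` admits NFS from the yggdrasil interface, while the export list added in the same commit names only 10.141.0.0/24 and 2a03:4000:52:ada:1::/80; if yggdrasil peers do not fall inside those ranges the firewall opening is wider than the export and rejection only happens at the NFS layer, which still exposes nfsd to every yggdrasil node. Either drop `yggdrasil` from the set or record why it is needed, e.g. `# NFSv4 only (2049); the export ACL in network/default.nix narrows clients further`. The chain this rule sits in starts and ends outside the hunk.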
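Review bot: `meta l4proto {tcp, udp} th sport 53 counter name dns-tx` uses the unspaced set literal that this same commit normalizes away two hunks later (`{80,443}` → `{ 80, 443 }`) and that the matching input rule writes as `{ tcp, udp }`; for consistency make it `meta l4proto { tcp, udp } th sport 53 counter name dns-tx`. The surrounding output chain starts and ends outside the hunk.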