From ddcc8c65e30a9ca3b56e25466e749cb100b28510 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 22 Oct 2022 19:33:45 +0200
Subject: ...
---
 hosts/sif/default.nix | 11 +++---
 hosts/surtr/dns/zones/email.bouncy.soa | 4 +-
 hosts/surtr/email/default.nix | 7 +++-
 hosts/vidhar/dns/zones/yggdrasil.soa | 3 +-
 hosts/vidhar/network/default.nix | 26 +++++++++++++
 hosts/vidhar/network/dhcp/default.nix | 70 ++++++++++++++++++----------------
 hosts/vidhar/network/ruleset.nft | 19 +++++----
 7 files changed, 91 insertions(+), 49 deletions(-)
 (limited to 'hosts')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b38a387c..58f99b9a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -38,6 +38,8 @@ in {
 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ];
 };
+ supportedFilesystems = [ "nfs" "nfs4" ];
+
 blacklistedKernelModules = [ "nouveau" ];
 # Use the systemd-boot EFI boot loader.
@@ -289,10 +291,6 @@ in {
 ];
 services = {
- udev.packages = with pkgs; [ uhk-agent ];
-
- # tinc.yggdrasil.enable = true;
-
 uucp = {
 enable = true;
 nodeName = "sif";
@@ -383,9 +381,10 @@ in {
 };
 users = {
- users.gkleen.extraGroups = [ "media" "plugdev" ];
+ users.gkleen.extraGroups = [ "media" "plugdev" "input" ];
 groups.media = {};
 groups.plugdev = {};
+ groups.input = {};
 };
 security.rtkit.enable = true;
@@ -501,6 +500,8 @@ in {
 };
 firmware = [ pkgs.firmwareLinuxNonfree ];
+
+ keyboard.uhk.enable = true;
 };
 sound.enable = true;
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index abf8ef07..3f038b92 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022071002 ; serial
+ 2022100600 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
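Review bot: Adding `input` at `users.gkleen.extraGroups = [ "media" "plugdev" "input" ]` gives every process running as that user read access to all input event devices that udev assigns to group `input` (keyboards and pointers alike), not only the UHK the commit is wiring up via `keyboard.uhk.enable`. If the membership is only needed for the UHK agent, a udev rule matching that device with a dedicated group is the narrower option; otherwise a comment recording the reason would help, e.g. `# "input": needed by uhk-agent to talk to the keyboard; note this grants read access to every input device`. Whether `groups.input = {}` duplicates a group the systemd/udev module already declares cannot be told from the hunk; if so the declaration is redundant but harmless.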
@@ -69,7 +69,7 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
-_mta-sts IN TXT "v=STSv1; id=2022071002"
+_mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
 mta-sts IN AAAA 2a03:4000:52:ada::
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 2fe5b7f0..42b50c88 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -412,6 +412,8 @@ in {
 in ''
 mail_home = /var/lib/mail/%u
+ mail_plugins = $mail_plugins quota
+
 first_valid_uid = ${toString config.users.users.dovecot2.uid}
 last_valid_uid = ${toString config.users.users.dovecot2.uid}
 first_valid_gid = ${toString config.users.groups.dovecot2.gid}
@@ -473,9 +475,10 @@ in {
 result_failure = return-fail
 result_internalfail = return-fail
 }
+
+ mail_plugins = $mail_plugins sieve
 }
- mail_plugins = $mail_plugins quota
 mailbox_list_index = yes
 postmaster_address = postmaster@yggdrasil.li
 recipient_delimiter =
@@ -732,7 +735,7 @@ in {
 cp ${pkgs.writeText "mta-sts.txt" ''
 version: STSv1
 mode: enforce
- max_age: 604800
+ max_age: 2419200
 mx: mailin.bouncy.email
 ''} $out/.well-known/mta-sts.txt
 '';
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index ffa79ee1..3d9d4d83 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
- 2022040802 ; serial
+ 2022101601 ; serial
 300 ; refresh
 300 ; retry
 300 ; expire
@@ -16,6 +16,7 @@ sif IN AAAA 2a03:4000:52:ada:1:2::
 grafana.vidhar IN CNAME vidhar.yggdrasil.
 prometheus.vidhar IN CNAME vidhar.yggdrasil.
+nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil.
 vidhar.lan IN A 10.141.0.1
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index e69674f4..f19ea9cd 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,5 @@
 { pkgs, ... }:
+
 {
 imports = [ ./dsl.nix ./bifrost ./dhcp ];
@@ -69,5 +70,30 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+ services.nfs.server = {
+ enable = true;
+ createMountPoints = true;
+
+ statdPort = 4000;
+ lockdPort = 4001;
+ mountdPort = 4002;
+
+ extraNfsdConfig = ''
+ vers3=off
+ '';
+
+ exports = ''
+ /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
+ /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
+ '';
+ };
+
+ fileSystems = {
+ "/srv/nfs/nix-store" = {
+ device = "/nix/store";
+ options = [ "bind" ];
+ };
+ };
 };
 }
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index e14b15ac..dfaa4c9f 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -26,7 +26,7 @@ with lib;
 { name = "ipxe";
 test = "option[77].hex == 'iPXE'";
 next-server = "10.141.0.1";
- boot-file-name = "installer-x86_64-linux/netboot.ipxe";
+ boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
 only-if-required = true;
 }
 { name = "uefi-64";
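Review bot: The `exports` lines carry no `sec=` option, so with the default AUTH_SYS the only access control on `/srv/nfs` and the bind-mounted copy of `/nix/store` is the client source address (10.141.0.0/24 and 2a03:4000:52:ada:1::/80); that is presumably intended for a read-only store export on a trusted LAN, but it deserves a comment because anything that ever lands in the store becomes readable to every host in those ranges, e.g. `# read-only AUTH_SYS export of the whole store: every path in /nix/store is readable from lan`. `async` has no effect on a read-only export and can be dropped. The bind mount under `fileSystems` is read-write; `options = [ "bind" "ro" ];` would make the exported tree read-only at the VFS level as well, independent of the export flags (confirm the mount helper accepts a one-step read-only bind). With `vers3=off` only TCP/2049 is needed on the wire, so a comment stating that `statdPort`/`lockdPort`/`mountdPort` are pinned for the local daemons and are deliberately not opened in ruleset.nft would stop someone from opening them later.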
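Review bot: `boot-file-name` now points iPXE at `http://nfsroot.vidhar.yggdrasil/...`, and the nginx virtual host added in the next hunk of this file disables TLS (`addSSL = false; forceSSL = false;`), so the iPXE script, kernel, initrd and the `registration` file are all fetched with no integrity check; the TFTP-served iPXE binary was unauthenticated before, so the trust level is unchanged, but the unauthenticated path now extends to the kernel and initrd. If that is acceptable only because lan is a trusted network, say so next to the option: `# plain HTTP, no integrity check on netboot.ipxe/kernel/initrd; relies on lan being trusted`. If integrity matters, iPXE can verify detached signatures with its `imgverify`/`imgtrust` commands, which need the corresponding image-trust build option in the same `additionalOptions` list the commit already uses. The name resolves through the CNAME added to yggdrasil.soa, so clients presumably get DNS from the same DHCP server; worth a comment too. The enclosing client-class list starts before this hunk.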
@@ -229,6 +229,40 @@ with lib;
 sopsFile = ./knot-tsig.json.frag;
 };
+ services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = {
+ addSSL = false;
+ forceSSL = false;
+ locations."/" = {
+ extraConfig = ''
+ autoindex on;
+ '';
+ root = pkgs.symlinkJoin {
+ name = "nfsroot.vidhar.yggdrasil";
+ paths =
+ (map (system:
+ let
+ installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+ modules = [
+ ({ ... }: {
+ config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+ config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration";
+ })
+ ];
+ }).config.system.build;
+ in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+ mkdir -p $out/installer-${system}
+ install -m 0444 -t $out/installer-${system} \
+ ${installerBuild.initialRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
+ '')
+ ) ["x86_64-linux"]
+ );
+ };
+ };
+ };
+
 systemd.services."pxe-atftpd" = {
 description = "TFTP Server for PXE Booting";
 after = [ "network.target" ];
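Review bot: The virtual host sets no `listen`, so unless a global listen address is configured elsewhere nginx binds it on every address and only ruleset.nft (`iifname lan tcp dport 80`, plus the pre-existing 80/443 acceptance on `yggdrasil`) keeps it to the intended interfaces; pinning it with `listen = [ { addr = "10.141.0.1"; port = 80; } ];` makes the exposure independent of the firewall and matches the `--bind-address=10.141.0.1` already used for atftpd. `autoindex on;` publishes the directory listing of the installer images and the `registration` file to every client that can reach port 80; the boot flow knows its paths, so the listing is only a debugging convenience. `builtins.toPath` around the `runCommandLocal` result is unnecessary because `symlinkJoin` accepts derivations in `paths` directly, and I believe `builtins.toPath` is documented as deprecated. The same plain-HTTP integrity point raised on the `boot-file-name` hunk applies to this host as well.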
@@ -238,44 +272,16 @@ with lib;
 additionalTargets = {
 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
 };
+ additionalOptions = [
+ "NSLOOKUP_CMD"
+ ];
 };
 tftpRoot = pkgs.runCommandLocal "netboot" {} ''
 mkdir -p $out
 install -m 0444 -t $out \
 ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
-
- ${concatMapStringsSep "\n" (system:
- let
- installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
- modules = [
- ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; })
- ];
- }).config.system.build;
- in ''
- mkdir -p $out/installer-${system}
- install -m 0444 -t $out/installer-${system} \
- ${installerBuild.initialRamdisk}/initrd \
- ${installerBuild.kernel}/bzImage \
- ${installerBuild.netbootIpxeScript}/netboot.ipxe
- ''
- ) ["x86_64-linux"]}
 '';
 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
 };
-
- services.nfs.server = {
- enable = true;
- createMountPoints = true;
- exports = ''
- /export/nix-root 10.141.0.0/24(ro)
- '';
- };
-
- fileSystems = {
- "/export/nix-root" = {
- device = "/nix/store";
- options = [ "bind" ];
- };
- };
 };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
 counter ssh-rx {}
 counter mosh-rx {}
 counter dns-rx {}
+ counter nfs-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
 counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
 counter ssh-tx {}
 counter mosh-tx {}
 counter dns-tx {}
+ counter nfs-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
 counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-
+
 iifname lo counter name rx-lo accept
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
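Review bot: `additionalOptions = [ "NSLOOKUP_CMD" ]` compiles iPXE's `nslookup` command into the binary, but nothing in the hunk shows what uses it; fetching the `http://nfsroot.vidhar.yggdrasil/...` URL from `boot-file-name` goes through iPXE's built-in resolver and, as far as I know, does not need the command, so if it is there for the generated `netboot.ipxe` script a one-line comment would save the next reader the guess, e.g. `# NSLOOKUP_CMD: netboot.ipxe resolves the nfsroot host explicitly (TODO confirm)`. The TFTP root now holds only the iPXE binaries, which is consistent with the installer images moving to the HTTP root in the previous hunk. The enclosing `pxe-atftpd` service definition starts before this hunk.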
@@ -165,8 +167,9 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
- iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+
+ iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
-
+ iifname lan tcp dport 80 counter name http-rx accept
+
 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
 tcp sport 22 counter name ssh-tx
 udp sport 60000-61000 counter name mosh-tx
- tcp sport 53 counter name dns-tx
- udp sport 53 counter name dns-tx
+ meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+
+ tcp sport 2049 counter name nfs-tx
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
 udp sport { 137, 138, 3702 } counter name samba-tx accept
 tcp sport { 445, 139, 5357 } counter name samba-tx accept
- tcp sport {80,443} counter name http-tx accept
+ tcp sport { 80, 443 } counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
 udp dport 69 counter name tftp-tx accept
--
cgit v1.2.3
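Review bot: `iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept` admits NFS from the `yggdrasil` interface, but the `exports` added in hosts/vidhar/network/default.nix only list 10.141.0.0/24 and 2a03:4000:52:ada:1::/80; if yggdrasil peers are outside those ranges the opening is dead, and if they are inside, both places should say so. Narrowing it to `iifname lan tcp dport 2049 counter name nfs-rx accept` until a yggdrasil client exists keeps the rule and the export list in step. Matching TCP only is correct for the `vers3=off` server, since NFSv4 is not served over UDP; a comment beside the rule would keep that invariant visible: `# NFSv4 only: TCP/2049 is the whole surface, v3 (rpcbind/mountd/lockd) is disabled on the server`.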
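Review bot: `iifname lan tcp dport 80 counter name http-rx accept` opens port 80 from the LAN to every nginx virtual host on this machine, not only the new nfsroot one, since the rule cannot discriminate by Host header; the other names in the zone (grafana.vidhar, prometheus.vidhar) presumably resolve to this host as well. If those are meant for the yggdrasil side only, pin the rule to the address the nfsroot CNAME points at, `iifname lan ip daddr 10.141.0.1 tcp dport 80 counter name http-rx accept` (with an `ip6` counterpart only if the vhost must be reachable over v6), or bind the nfsroot vhost to that address in nginx. A dedicated counter (for example `nfsroot-http-rx`, declared alongside `nfs-rx`) would also let boot traffic be told apart from other HTTP in the counters.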