author | Alex Auvolat <alex@adnab.me> | 2022-02-25 17:52:17 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-02-25 17:52:17 +0100 |
commit | 6dc92812997e99e12ae5fcab3bda65f056a74edb (patch) | |
tree | de185f8e60062a90ac2a57243dfce2add70bd083 /nix | |
parent | 20ab1f7b8a76a116644668029175100c15a615e2 (diff) | |
download | nixcfg-6dc92812997e99e12ae5fcab3bda65f056a74edb.tar.gz nixcfg-6dc92812997e99e12ae5fcab3bda65f056a74edb.zip |
Add remote LUKS unlocking configuration
Diffstat (limited to 'nix')
-rw-r--r-- | nix/deuxfleurs.nix | 41 | ||||
-rw-r--r-- | nix/remote-unlock.nix | 26 |
2 files changed, 64 insertions, 3 deletions
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 54af8ff..fc39071 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -29,11 +29,20 @@ in }; in { - # Parameters that may vary between nodes - site_name = mkOption { - description = "Site (availability zone) on which this node is deployed"; + # Parameters for individual nodes + network_interface = mkOption { + description = "Network interface name to configure"; type = types.str; }; + lan_ip = mkOption { + description = "IP address of this node on the local network interface"; + type = types.str; + }; + lan_ip_prefix_length = mkOption { + description = "Prefix length associated with lan_ip"; + type = types.int; + }; + + vpn_ip = mkOption { description = "IP address of this node on the Wireguard VPN"; type = types.str;
@@ -48,6 +57,17 @@ in default = false; }; + + # Parameters that generally vary between sites + lan_default_gateway = mkOption { + description = "IP address of the default route on the locak network interface"; + type = types.str; + }; + site_name = mkOption { + description = "Site (availability zone) on which this node is deployed"; + type = types.str; + }; + # Parameters common to all nodes cluster_name = mkOption { description = "Name of this Deuxfleurs deployment";
@@ -75,6 +95,21 @@ in openssh.authorizedKeys.keys = publicKeys; }) cfg.admin_accounts; + # Configure network interfaces + networking.interfaces = attrsets.setAttrByPath [ config.deuxfleurs.network_interface ] { + useDHCP = false; + ipv4.addresses = [ + { + address = config.deuxfleurs.lan_ip; + prefixLength = config.deuxfleurs.lan_ip_prefix_length; + } + ]; + }; + networking.defaultGateway = { + address = config.deuxfleurs.lan_default_gateway; + interface = config.deuxfleurs.network_interface; + }; + # Configure Wireguard VPN between all nodes networking.wireguard.interfaces.wg0 = { ips = [ "${cfg.vpn_ip}/16" ];
diff --git a/nix/remote-unlock.nix b/nix/remote-unlock.nix
new file mode 100644
index 0000000..669f578
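Review bot: `lan_ip_prefix_length` is declared as `type = types.int;`, which accepts any integer although it is only ever meaningful as an IPv4 prefix length; a bad value is not caught at evaluation time but only when `ip addr add` runs in the initrd, where a failure leaves the node unreachable for remote unlocking. Narrowing it to `type = types.ints.between 0 32;` turns that into a build-time error. The enclosing `options` attribute set starts and ends outside this hunk.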
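Review bot: The description of the new `lan_default_gateway` option has a typo ("locak"), and since option descriptions are user-facing documentation it should read `description = "IP address of the default route on the local network interface";`. The rest of the hunk only moves `site_name` under the new "vary between sites" heading, which looks correct.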
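Review bot: The new interface and gateway configuration reads `config.deuxfleurs.network_interface`, `config.deuxfleurs.lan_ip` and so on, while the neighbouring lines in the same hunk use the `cfg.` alias (`cfg.admin_accounts`, `cfg.vpn_ip`), which suggests a `cfg = config.deuxfleurs` binding exists outside the hunk; using it here would keep the file consistent. `attrsets.setAttrByPath [ config.deuxfleurs.network_interface ] { ... }` can also be written with plain dynamic-attribute syntax, `networking.interfaces.${cfg.network_interface} = { ... };`, which is the idiom most NixOS modules use for a single interface. The enclosing `config` attribute set continues outside the hunk.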
--- /dev/null
+++ b/nix/remote-unlock.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+ with builtins;
+ with pkgs.lib;
+{
+ config = {
+ boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.admin_accounts);
+ hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
+ };
+ boot.initrd.network.postCommands = ''
+ ip addr add ${config.deuxfleurs.lan_ip}/${toString config.deuxfleurs.lan_ip_prefix_length} dev ${config.deuxfleurs.network_interface}
+ ip link set dev ${config.deuxfleurs.network_interface} up
+ ip route add default via ${config.deuxfleurs.lan_default_gateway} dev ${config.deuxfleurs.network_interface}
+ ip a
+ ip route
+ ping -c 4 ${config.deuxfleurs.lan_default_gateway}
+ echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
+ '';
+ };
+}
+
|
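Review bot: The key listed in `hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ]` gets embedded in the initrd, which normally sits unencrypted under /boot, so anyone who can read the boot partition can impersonate the node at the exact moment an admin types the LUKS passphrase; that trade-off is inherent to the design and deserves a comment next to the option, e.g. `# Dedicated key: it is embedded in the (unencrypted) initrd. Never reuse the system sshd host key here; pin this one in known_hosts for port 2222.` The file must also exist on the build host before the first rebuild and the commit does not say how it is produced, so a comment giving the `ssh-keygen -t ed25519 -N "" -f /var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key` command would save the next operator a failed build. In `postCommands`, `ip a`, `ip route` and `ping -c 4 ...` look like debugging leftovers: the ping adds several seconds to every boot and, if the gateway does not answer ICMP, busybox ping may wait considerably longer, so either drop it or bound it with `ping -c 1 -W 2 ${config.deuxfleurs.lan_default_gateway} || true`. `"e1000e"` hard-codes a single NIC driver in a module that appears intended for every node; a node with a different NIC gets no network in the initrd and therefore cannot be unlocked remotely, so this belongs in a per-node option next to `network_interface`. Finally, `mapAttrsToList (name: user: user)` is just `attrValues`, so `authorizedKeys = concatLists (attrValues config.deuxfleurs.admin_accounts);` states the intent more directly.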