Make dropbear configuration flexible, closes #13

2020-11-24 21:50:57 +00:00 · 2020-11-24 21:50:57 +00:00 · 024105c44c
commit 024105c44c
parent f5668614bd
3 changed files with 88 additions and 36 deletions
--- a/host/montalin/networking.nix
+++ b/host/montalin/networking.nix
@ -11,17 +11,26 @@ in {
  networking.interfaces.eno1 = {
    ipv4.addresses = [{
      address = montalin-net.v4.ip;
-      prefixLength = plessur-net.lan.v4.bitmask;
+      prefixLength = plessur-net.dmz.v4.bitmask;
    }];
  };
  networking.interfaces.wlp1s0.useDHCP = true;

-  networking.defaultGateway = plessur-net.lan.v4.gateway;
-  networking.nameservers = plessur-net.lan.v4.nameservers;
+  networking.defaultGateway = plessur-net.dmz.v4.gateway;
+  networking.nameservers = plessur-net.dmz.v4.nameservers;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.dropbear = {
+    enable = true;
+    interface = "eno1";
+    ip = montalin-net.v4.ip;
+    netmask = "255.255.255.0";
+    gateway = plessur-net.dmz.v4.gateway;
+    sshPort = 2222;
+  };
 }
--- a/meta/network.nix
+++ b/meta/network.nix
@ -12,6 +12,8 @@
      v4 = {
        id = "10.1.2.0";
        bitmask = 24;
+        gateway = "10.1.2.1";
+        nameservers = [ "10.1.2.1" ];
      };

      hosts = {
@ -23,9 +25,7 @@
    plessur.lan = {
      v4 = {
        id = "10.1.1.0";
-        gateway = "10.1.2.1";
        bitmask = 24;
-        nameservers = [ "10.1.2.1" ];
      };

      hosts = { calanda.v4.ip = "10.1.1.1"; };
--- a/role/dropbear/default.nix
+++ b/role/dropbear/default.nix
@ -1,38 +1,81 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:

-# Note: This implementation currently only allows eno1 (first interface) with dhcp.
-let
-  ip = "10.1.2.2";
-  gateway = "10.1.2.1";
-  netmask = "255.255.255.0";
-  hostname = config.networking.hostName;
-  primaryInterface = "eno1";
+with lib;
+
+let cfg = config.services.dropbear;
 in {
-  boot.initrd.network = {
-    enable = true;
-    ssh = {
-      enable = true;
-      port = 2222;
-      authorizedKeys = with lib;
-        concatLists (mapAttrsToList (name: user:
-          if elem "wheel" user.extraGroups then
-            user.openssh.authorizedKeys.keys
-          else
-            [ ]) config.users.users);
-      hostRSAKey = /boot/dropbear_rsa_host_key;
-      hostECDSAKey = /boot/dropbear_ecdsa_host_key;
-      # Key generation with dropbearkey -t <type> -f <output-keyfile>
+  options.services.dropbear = {
+    enable = mkEnableOption "dropbear service";
+
+    interface = mkOption {
+      type = types.str;
+      example = "enp0";
+      description = ''
+        Interface name.
+      '';
+    };
+
+    ip = mkOption {
+      type = types.str;
+      example = "192.168.0.1";
+      description = ''
+        Host IP Address.
+      '';
+    };
+
+    gateway = mkOption {
+      type = types.str;
+      example = "192.168.0.1";
+      description = ''
+        IP of gateway.
+      '';
+    };
+
+    netmask = mkOption {
+      type = types.str;
+      example = "192.168.0.1";
+      description = ''
+        Netmask of internal network.
+      '';
+    };
+
+    sshPort = mkOption {
+      type = types.addCheck types.int (n: n > 0 && n < 65536);
+      default = 2222;
+      description = ''
+        SSH Port of the dropbear deamon.
+        Should be different from default SSH port to prevent known hosts collissions.
+      '';
    };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
  };

-  boot.kernelParams = [
-    "ip=${ip}::${gateway}:${netmask}:${hostname}:${primaryInterface}:none"
-  ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+  config = mkIf cfg.enable {
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = cfg.sshPort;
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups then
+              user.openssh.authorizedKeys.keys
+            else
+              [ ]) config.users.users);
+        hostRSAKey = /boot/dropbear_rsa_host_key;
+        hostECDSAKey = /boot/dropbear_ecdsa_host_key;
+        # Key generation with dropbearkey -t <type> -f <output-keyfile>
+      };
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };

-  boot.initrd.postMountCommands = ''
-    ip link set ${primaryInterface} down
-  '';
+    boot.kernelParams = [
+      "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none"
+    ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+
+    boot.initrd.postMountCommands = ''
+      ip link set ${cfg.interface} down
+    '';
+  };
 }