Make dropbear configuration flexible, closes #13

host/montalin/networking.nix

@@ -11,17 +11,26 @@ in {
   networking.interfaces.eno1 = {
     ipv4.addresses = [{
       address = montalin-net.v4.ip;
-      prefixLength = plessur-net.lan.v4.bitmask;
+      prefixLength = plessur-net.dmz.v4.bitmask;
     }];
   };
   networking.interfaces.wlp1s0.useDHCP = true;
 
-  networking.defaultGateway = plessur-net.lan.v4.gateway;
+  networking.defaultGateway = plessur-net.dmz.v4.gateway;
-  networking.nameservers = plessur-net.lan.v4.nameservers;
+  networking.nameservers = plessur-net.dmz.v4.nameservers;
 
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.dropbear = {
+    enable = true;
+    interface = "eno1";
+    ip = montalin-net.v4.ip;
+    netmask = "255.255.255.0";
+    gateway = plessur-net.dmz.v4.gateway;
+    sshPort = 2222;
+  };
 }

meta/network.nix

@@ -12,6 +12,8 @@
       v4 = {
         id = "10.1.2.0";
         bitmask = 24;
+        gateway = "10.1.2.1";
+        nameservers = [ "10.1.2.1" ];
       };
 
       hosts = {
@@ -23,9 +25,7 @@
     plessur.lan = {
       v4 = {
         id = "10.1.1.0";
-        gateway = "10.1.2.1";
         bitmask = 24;
-        nameservers = [ "10.1.2.1" ];
       };
 
       hosts = { calanda.v4.ip = "10.1.1.1"; };

role/dropbear/default.nix

@@ -1,38 +1,81 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
 
-# Note: This implementation currently only allows eno1 (first interface) with dhcp.
+with lib;
-let
+
-  ip = "10.1.2.2";
+let cfg = config.services.dropbear;
-  gateway = "10.1.2.1";
-  netmask = "255.255.255.0";
-  hostname = config.networking.hostName;
-  primaryInterface = "eno1";
 in {
-  boot.initrd.network = {
+  options.services.dropbear = {
-    enable = true;
+    enable = mkEnableOption "dropbear service";
-    ssh = {
+
-      enable = true;
+    interface = mkOption {
-      port = 2222;
+      type = types.str;
-      authorizedKeys = with lib;
+      example = "enp0";
-        concatLists (mapAttrsToList (name: user:
+      description = ''
-          if elem "wheel" user.extraGroups then
+        Interface name.
-            user.openssh.authorizedKeys.keys
+      '';
-          else
+    };
-            [ ]) config.users.users);
+
-      hostRSAKey = /boot/dropbear_rsa_host_key;
+    ip = mkOption {
-      hostECDSAKey = /boot/dropbear_ecdsa_host_key;
+      type = types.str;
-      # Key generation with dropbearkey -t <type> -f <output-keyfile>
+      example = "192.168.0.1";
+      description = ''
+        Host IP Address.
+      '';
+    };
+
+    gateway = mkOption {
+      type = types.str;
+      example = "192.168.0.1";
+      description = ''
+        IP of gateway.
+      '';
+    };
+
+    netmask = mkOption {
+      type = types.str;
+      example = "192.168.0.1";
+      description = ''
+        Netmask of internal network.
+      '';
+    };
+
+    sshPort = mkOption {
+      type = types.addCheck types.int (n: n > 0 && n < 65536);
+      default = 2222;
+      description = ''
+        SSH Port of the dropbear deamon.
+        Should be different from default SSH port to prevent known hosts collissions.
+      '';
     };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
   };
 
-  boot.kernelParams = [
+  config = mkIf cfg.enable {
-    "ip=${ip}::${gateway}:${netmask}:${hostname}:${primaryInterface}:none"
+    boot.initrd.network = {
-  ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+      enable = true;
+      ssh = {
+        enable = true;
+        port = cfg.sshPort;
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups then
+              user.openssh.authorizedKeys.keys
+            else
+              [ ]) config.users.users);
+        hostRSAKey = /boot/dropbear_rsa_host_key;
+        hostECDSAKey = /boot/dropbear_ecdsa_host_key;
+        # Key generation with dropbearkey -t <type> -f <output-keyfile>
+      };
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
 
-  boot.initrd.postMountCommands = ''
+    boot.kernelParams = [
-    ip link set ${primaryInterface} down
+      "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none"
-  '';
+    ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+
+    boot.initrd.postMountCommands = ''
+      ip link set ${cfg.interface} down
+    '';
+  };
 }