diff --git a/hosts/mno001/configuration.nix b/hosts/mno001/configuration.nix
index cda32053..c8e33cb8 100644
--- a/hosts/mno001/configuration.nix
+++ b/hosts/mno001/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ./network.nix
+ ./initrd_network.nix
 ];
 
 # Use the systemd-boot EFI boot loader.
diff --git a/hosts/mno001/initrd_network.nix b/hosts/mno001/initrd_network.nix
new file mode 100644
index 00000000..eda9b1b5
--- /dev/null
+++ b/hosts/mno001/initrd_network.nix
@@ -0,0 +1,16 @@
+{ pkgs, config, ... }: {
+ #boot.initrd.network.enable = true;
+ #boot.initrd.network.postCommands = ''
+ # # TODO automatically import pools / prompt user and continue boot
+ #'';
+ #boot.initrd.network.ssh = {
+ # enable = true;
+ # port = 2222;
+ # authorizedKeys = [
+ # "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6NLB8EHnUgl2GO2uaojdf3p3YpsHH6px6CZleif8klhLN+ro5KeFK2OXC2SO3Vo4qgF/NySdsoInV9JEsssELZ2ttVbeKxI6f76V5dZgGI7qoSf4E0TXIgpS9n9K2AEmRKr65uC2jgkSJuo/T1mF+4/Nzyo706FT/GGVoiBktgq9umbYX0vIQkTMFAcw921NwFCWFQcMYRruaH01tLu6HIAdJ9FVG8MAt84hCr4D4PobD6b029bHXTzcixsguRtl+q4fQAl3WK3HAxT+txN91CDoP2eENo3gbmdTBprD2RcB/hz5iI6IaY3p1+8fTX2ehvI3loRA8Qjr/xzkzMUlpA/8NLKbJD4YxNGgFbauEmEnlC8Evq2vMrxdDr2SjnBAUwzZ63Nq+pUoBNYG/c+h+eO/s7bjnJVe0m2/2ZqPj1jWQp4hGoNzzU1cQmy6TdEWJcg2c8ints5068HN3o0gQKkp1EseNrdB8SuG+me/c/uIOX8dPASgo3Yjv9IGLhhx8GOGQxHEQN9QFC4QyZt/rrAyGmlX342PBNYmmStgVWHiYCcMVUWGlsG0XvG6bvGgmMeHNVsDf6WdMQuLj9luvxJzrd4FlKX6O0X/sIaqMVSkhIbD2+vvKNqrii7JdUTntUPs89L5h9DoDqQWkL13Plg1iQt4/VYeKTbUhYYz1lw== revo-xut@plank"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuSECgZffKGH56xoVzITe43IdRyYbAr3sef8TJOrGGH thomas.liske@dd-ix.net"
+ # "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMbUizElFyULDlpEE9XHWWOca4ZXepS18ljh4Fj4YnJOAs7sbYzzhfMUiD703FIgK5YObzOlheu/PBbwUOStgcmPDuRalZWLr+0kCUYERfjLHkgliFx96xEFw9dluvII6JpbzFI/uvkEkQ3ESKapRcYAuBTk2sRoit8za+HX9sLmMueqNtN4H92sFYYm1wWy3FFgz/NN+uTh7F5nmA7SrSS/fpbmugcgBdR/Zy1YwSA8Rl1pagEvgN9/qAnP7pssvXr9pTCUNxVSQ7FlTUOHmxzG16RybYRikgevQaHtFYvmS7AuRvRDlQWhHt1drREGOIwwZPXD1smfQAsvP66J85j9aeanZdoBoJcvvFNer3071QGmi+5NHDSiG+YvoWt7qgiKLF4lOfByzjdoRRSg01uuhdQLOHHt0hbfyGS6hx//1MtjiXTElXvOOiUJ6AqfCSwOTK+72W6VKhKYcO11+Ngym1dyF3TtVcoEYN3JpUdbNq+qctMzXFMGovPEEMh7s= mel@umbreon"
+ # ];
+ # hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+ #};
+}
diff --git a/hosts/mno001/network.nix b/hosts/mno001/network.nix
index 574516a3..a64434b5 100644
--- a/hosts/mno001/network.nix
+++ b/hosts/mno001/network.nix
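Review bot: Every configuration line in this new module is commented out, so it evaluates to an empty attribute set and the `./initrd_network.nix` import added in configuration.nix is currently inert; a one-line header such as `# Initrd SSH (remote unlock on port 2222) is intentionally disabled until the pool-import flow below is finished` would make that explicit, or the import could be deferred until the block is live. When the block is enabled, `hostKeys` references `/etc/secrets/initrd/ssh_host_rsa_key` and `/etc/secrets/initrd/ssh_host_ed25519_key`, which must exist on the host at build time and are then embedded into the initrd, which on a systemd-boot host presumably sits unencrypted on the ESP; a comment stating that these must be dedicated initrd keys, not the stage-2 host keys, is worth adding next to `hostKeys`. The `2222` added to `allowedTCPPorts` in network.nix only affects the booted system's firewall, not the initrd sshd this file would configure, so that line opens a port on which nothing in this change listens after boot and can be dropped. The module arguments `pkgs` and `config` are unused and could be reduced to `{ ... }:`.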
@@ -1,39 +1,101 @@ { pkgs, ... }: let - bond_name = "bond0"; + bond_device_name = "bond"; # name of the bond interface + first_device_name = "enp144s0"; # first port that should be part of the LAG + second_device_name = "enp144s0d1"; # second port that should be part of the LAG in { + networking = { + enableIPv6 = true; + useDHCP = false; - # LACP on first two ports - networking.bonds."${bond_name}" = { - interfaces = [ "eno2" "eno3" ]; - driverOptions = { - mode = "802.3ad"; - lacp_rate = "fast"; - }; + useNetworkd = true; + wireguard.enable = true; + + nameservers = [ + "212.111.228.53" # IBH 1 + "193.36.123.53" # IBH 2 + ]; }; - # Static IP Address - networking.interfaces."${bond_name}" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "212.111.245.178"; - prefixLength = 29; - } + services.resolved = { + enable = true; + fallbackDns = [ + "9.9.9.9" # QUAD 9 ]; }; - # Default Gateway - networking.defaultGateway.address = "212.111.245.177"; + systemd.network = { + enable = true; + + netdevs."10-${bond_device_name}" = { + netdevConfig = { + Name = "${bond_device_name}"; + Kind = "bond"; + }; + bondConfig = { + Mode = "802.3ad"; # LACP + MIIMonitorSec = "250ms"; + LACPTransmitRate = "fast"; + }; + }; + + netdevs."20-uplink" = { + netdevConfig = { + Name = "uplink"; + Kind = "vlan"; + }; + vlanConfig = { + Id = 100; + }; + }; + + networks."10-${bond_device_name}" = { + matchConfig.Name = "${bond_device_name}"; - # nameservers - networking.nameservers = [ "212.111.228.53" "193.36.123.53" ]; + vlan = [ "uplink" ]; + + networkConfig = { + DHCP = "no"; + }; + }; + + networks."10-uplink" = { + matchConfig.Name = "uplink"; + + address = [ "212.111.245.178/29" ]; + routes = [ + { + routeConfig.Gateway = "212.111.245.176"; + } + ]; + + vlan = [ "uplink" ]; + + networkConfig = { + DHCP = "no"; + }; + }; + + networks."10-${first_device_name}-${bond_device_name}" = { + matchConfig.Name = "${first_device_name}"; + networkConfig = { + Bond = "${bond_device_name}"; # 
Enslaving to bond + }; + }; + + networks."10-${second_device_name}-${bond_device_name}" = { + matchConfig.Name = "${second_device_name}"; + networkConfig = { + Bond = "${bond_device_name}"; # Enslaving to bond + }; + }; + }; # enabling and configuring firewall networking.firewall = { enable = true; - allowedTCPPorts = [ 80 22 443 ]; + allowedTCPPorts = [ 80 22 443 2222 ]; allowedUDPPorts = [ ]; }; } diff --git a/modules/management/website.nix b/modules/management/website.nix index 1d7d1022..b7995d3f 100644 --- a/modules/management/website.nix +++ b/modules/management/website.nix @@ -2,7 +2,7 @@ sops.secrets.listmonk_admin.owner = config.dd-ix.foundation.user; services.nginx = { - enable = true; + enable = true; virtualHosts = { "www.${config.deployment-dd-ix.domain}" = { enableACME = true;
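Review bot: The default route in `networks."10-uplink"` now points at `212.111.245.176`, which is the network address of the /29 that contains `212.111.245.178/29` (the block spans .176–.183), so the host would be left without a usable gateway; the removed configuration used `212.111.245.177`, a valid host address in that block, and the new value should be confirmed with the uplink provider before deployment, e.g. `routeConfig.Gateway = "212.111.245.177";` if the old gateway is still correct. `vlan = [ "uplink" ]` inside `networks."10-uplink"` asks networkd to stack the `uplink` VLAN netdev on its own interface; it is already declared where it belongs, in `networks."10-${bond_device_name}"`, and should be removed from the VLAN's own network. The `2222` added to `allowedTCPPorts` is meant for the initrd sshd in initrd_network.nix, but `networking.firewall` governs only the booted system, where nothing in this change listens on 2222, so it opens an unused port. The rewrite also drops the section comments the old file had (`# Static IP Address`, `# Default Gateway`); a short comment above `networks."10-uplink"` identifying it as the routed uplink VLAN (ID 100) on top of the LACP bond would restore that orientation for the next reader.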