mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect.git
synced 2024-11-22 12:01:27 +00:00
networking configuration for DigitalOcean
This commit is contained in:
parent
158c711f66
commit
528d5de6dd
93
nixos-infect
93
nixos-infect
|
@ -19,8 +19,10 @@
|
||||||
: "${CONFIG_URL:?CONFIG_URL variable is not set}"
|
: "${CONFIG_URL:?CONFIG_URL variable is not set}"
|
||||||
: "${SSH_AUTHORIZED_KEY:=}"
|
: "${SSH_AUTHORIZED_KEY:=}"
|
||||||
|
|
||||||
|
readonly NL=$'\n'
|
||||||
readonly LOCAL_FLAKE_DIR="/etc/nixos"
|
readonly LOCAL_FLAKE_DIR="/etc/nixos"
|
||||||
readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json"
|
readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json"
|
||||||
|
DoNetConf=
|
||||||
|
|
||||||
genOptionalSsh() {
|
genOptionalSsh() {
|
||||||
[ -n "${SSH_AUTHORIZED_KEY}" ] && cat << EOF
|
[ -n "${SSH_AUTHORIZED_KEY}" ] && cat << EOF
|
||||||
|
@ -131,11 +133,12 @@ genDeploymentConfiguration() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
{
|
${DoNetConf:+"{ lib, ... }: "}{
|
||||||
# The content below is static and belongs to this deployment only!
|
# The content below is static and belongs to this deployment only!
|
||||||
# Do not copy this configuration file to another NixOS installation!
|
# Do not copy this configuration file to another NixOS installation!
|
||||||
|
|
||||||
system.stateVersion = "$release";
|
system.stateVersion = "$release";`
|
||||||
|
`$(if [ "$DoNetConf" == "y" ]; then echo -e "$NL"; genNetworkingConf; fi)
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -174,6 +177,85 @@ setupConf() {
|
||||||
install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH}
|
install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# shellcheck disable=SC2207
|
||||||
|
genNetworkingConf() {
|
||||||
|
# XXX It'd be better if we used procfs for all this...
|
||||||
|
|
||||||
|
local IFS=$'\n'
|
||||||
|
local eth0_name eth0_ip4s eth0_ip6s gateway gateway6 ether0 eth1_name
|
||||||
|
local interfaces1 extraRules1 predictable_inames
|
||||||
|
|
||||||
|
eth0_name="$(ip address show | grep '^2:' | awk -F': ' '{print $2}')"
|
||||||
|
eth0_ip4s=($(ip address show dev "$eth0_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
|
||||||
|
eth0_ip6s=($(ip address show dev "$eth0_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) || true
|
||||||
|
gateway="$(ip route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9.]+).*|\1|')"
|
||||||
|
gateway6="$(ip -6 route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|')" || true
|
||||||
|
ether0="$(ip address show dev "$eth0_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')"
|
||||||
|
|
||||||
|
eth1_name="$(ip address show | grep '^3:' | awk -F': ' '{print $2}')" || true
|
||||||
|
if [ -n "$eth1_name" ]; then
|
||||||
|
local eth1_ip4s eth1_ip6s ether1
|
||||||
|
eth1_ip4s="$(ip address show dev "$eth1_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')"
|
||||||
|
eth1_ip6s="$(ip address show dev "$eth1_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')" || true
|
||||||
|
ether1="$(ip address show dev "$eth1_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')"
|
||||||
|
interfaces1=$(cat << EOF
|
||||||
|
$eth1_name = {
|
||||||
|
ipv4.addresses = [$(for a in "${eth1_ip4s[@]}"; do echo -n "
|
||||||
|
$a"; done)
|
||||||
|
];
|
||||||
|
ipv6.addresses = [$(for a in "${eth1_ip6s[@]}"; do echo -n "
|
||||||
|
$a"; done)
|
||||||
|
];
|
||||||
|
};
|
||||||
|
EOF
|
||||||
|
)
|
||||||
|
extraRules1="ATTR{address}==\"${ether1}\", NAME=\"${eth1_name}\""
|
||||||
|
else
|
||||||
|
interfaces1=""
|
||||||
|
extraRules1=""
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "$eth0_name" = eth* ]]; then
|
||||||
|
predictable_inames="usePredictableInterfaceNames = lib.mkForce false;"
|
||||||
|
else
|
||||||
|
predictable_inames="usePredictableInterfaceNames = lib.mkForce true;"
|
||||||
|
fi
|
||||||
|
|
||||||
|
local defaultGateway6=${gateway6:+defaultGateway6 = \{ address = "${gateway6}"; interface = "${eth0_name}"; \};}
|
||||||
|
local ipv6routes=${gateway6:+ipv6.routes = \[ \{ address = "${gateway6}"; prefixLength = 128; \} \];}
|
||||||
|
cat << EOF
|
||||||
|
# Networking configuration was populated by nixos-infect with the networking
|
||||||
|
# details gathered from the running system.
|
||||||
|
networking = {
|
||||||
|
defaultGateway = "${gateway}";`
|
||||||
|
`${defaultGateway6:+
|
||||||
|
defaultGateway6}
|
||||||
|
dhcpcd.enable = false;
|
||||||
|
$predictable_inames
|
||||||
|
interfaces = {
|
||||||
|
$eth0_name = {
|
||||||
|
ipv4.addresses = [$(for a in "${eth0_ip4s[@]}"; do echo -n "
|
||||||
|
$a"; done)
|
||||||
|
];
|
||||||
|
ipv6.addresses = [$(for a in "${eth0_ip6s[@]}"; do echo -n "
|
||||||
|
$a"; done)
|
||||||
|
];
|
||||||
|
ipv4.routes = [ { address = "${gateway}"; prefixLength = 32; } ];`
|
||||||
|
`${ipv6routes:+
|
||||||
|
$ipv6routes}
|
||||||
|
};`
|
||||||
|
`${interfaces1:+
|
||||||
|
$interfaces1}
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.udev.extraRules = ''
|
||||||
|
ATTR{address}=="${ether0}", NAME="${eth0_name}"`
|
||||||
|
`${extraRules1:+
|
||||||
|
$extraRules1}
|
||||||
|
'';
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
makeSwap() {
|
makeSwap() {
|
||||||
# TODO check currently available swapspace first
|
# TODO check currently available swapspace first
|
||||||
swapFile=$(mktemp /tmp/nixos-infect.XXXXX.swp)
|
swapFile=$(mktemp /tmp/nixos-infect.XXXXX.swp)
|
||||||
|
@ -373,10 +455,15 @@ infect() {
|
||||||
|
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
set -o nounset
|
set -o nounset
|
||||||
set -o xtrace
|
|
||||||
set -o errexit
|
set -o errexit
|
||||||
|
set -o xtrace
|
||||||
shopt -s inherit_errexit
|
shopt -s inherit_errexit
|
||||||
|
|
||||||
|
genNetworkingConf
|
||||||
|
|
||||||
|
# digitalocean requires detailed network config to be generated
|
||||||
|
[ "$PROVIDER" == "digitalocean" ] && DoNetConf="y"
|
||||||
|
|
||||||
apt update
|
apt update
|
||||||
apt install -y git tar curl whois jq
|
apt install -y git tar curl whois jq
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue