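{ config, lib, pkgs, nodes, modulesPath, ... }:
# Netboot gateway for the wob01 site (Intel S2600KPR blades).
#
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
# This virtual floppy drive contains a per-blade customized initramfs which will initialize the
# network connection including IP configuration and load the actual image off hydra.
let
  # Builders that opted into netbooting. Each one gets an iusb-spoof service and an nginx
  # location below; both are keyed by the node name.
  netbootNodes = lib.filterAttrs
    (_: node:
      node.config.bagel.baremetal.builders.enable
      && node.config.bagel.baremetal.builders.netboot)
    nodes;
in
{
  assertions = [
    {
      # 443 must never be opened globally: the nftables rule below restricts it to the builder
      # prefix (and to privileged source ports), and the per-node nginx allow lists build on that.
      assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
      message = ''
        Port 443 is in networking.firewall.allowedTCPPorts, but should be only manually allowed for
        specific IPs and source ports in ${builtins.toJSON __curPos}
      '';
    }
  ];

  # One long-running iusb-spoof per netboot node, presenting that node's initramfs image as a
  # virtual floppy to its BMC.
  systemd.services = lib.mapAttrs'
    (nodename: node:
      let
        # BMC address derived from the blade number as 192.168.1.(4*num+2); presumably one /30
        # per blade -- confirm against the site's BMC addressing plan.
        bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
        # Per-blade customized initramfs image, taken from the node's own notipxe build.
        notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
      in
      lib.nameValuePair "iusb-spoof-${nodename}" {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Restart = "always";
          # Back off a little between attempts: the BMC may be unreachable for a while (blade
          # power-cycled, BMC rebooting) and a tight restart loop is pointless.
          RestartSec = 10;
        };
        # Never give up on the BMC: with the default start-rate limit a few quick failures would
        # leave the unit permanently failed and the blade unbootable until someone intervenes.
        unitConfig.StartLimitIntervalSec = 0;
        # NixOS runs `script` under `set -e`, so a failed make-token aborts (and restarts) the unit
        # instead of exec'ing iusb-spoof with an empty token. The token is quoted so it is passed as
        # a single argument whatever characters it contains.
        # NOTE(review): the token ends up on iusb-spoof's command line and is therefore readable in
        # /proc/*/cmdline by every local user; acceptable only while nothing untrusted runs here.
        script = ''
          AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
          exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 "$AUTH_TOKEN" ${notipxe}
        '';
      })
    netbootNodes;

  # Port 80 is only open for the ACME HTTP-01 challenge (and the forceSSL redirect).
  networking.firewall.allowedTCPPorts = [ 80 ];
  # HTTPS is reachable only from the builder prefix, and only from privileged source ports
  # (< 1024), which normally only a privileged process on the builder can bind. This is not
  # authentication -- any root process on that network can pick a low port -- it merely keeps
  # unprivileged builds on the builders away from these files; the per-node nginx allow lists
  # below narrow access further to the owning node.
  networking.firewall.extraInputRules = ''
    ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
  '';

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "infra@forkos.org";

  # Since the builders are stateless, they can not store their ssh hostkeys. Per-node files are
  # served from /var/www/<nodename>/ to that node only (presumably the host keys live there --
  # confirm against the initramfs that fetches them).
  services.nginx = {
    enable = true;
    virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
      enableACME = true;
      forceSSL = true;
      locations = lib.mapAttrs'
        (nodename: node:
          let
            # Builder address 2a01:584:11::1:<num>, inside the /64 admitted by the firewall rule.
            ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
          in
          lib.nameValuePair "/${nodename}/" {
            root = "/var/www";
            # Only the node itself may read its own directory; every other client is denied.
            extraConfig = ''
              allow ${ip};
              deny all;
            '';
          })
        netbootNodes;
    };
  };
}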