
cleanup + cut down initrd kernel modules
yomaq committed May 17, 2024
1 parent da0395c commit 831a55f
Showing 1 changed file with 24 additions and 49 deletions.
73 changes: 24 additions & 49 deletions modules/hosts/initrd-tailscale/nixos.nix
Expand Up @@ -6,8 +6,6 @@
### authkeys expired every 3 months and will need to be manually updated.
### I have had weird results when trying to overwrite existing key files in initrd, often times only re-naming to a fresh file name appears to work.



with lib;
let
cfg = config.yomaq.initrd-tailscale;
Expand All @@ -25,6 +23,7 @@ in
included. Service is killed when stage-1 boot is finished.
'';
};

package = lib.mkPackageOptionMD pkgs "tailscale" {};

authKeyFile = mkOption {
Expand All @@ -35,6 +34,7 @@ in
A file containing the auth key.
'';
};

extraUpFlags = mkOption {
description = lib.mdDoc "Extra flags to pass to {command}`tailscale up`.";
type = types.listOf types.str;
Expand All @@ -56,39 +56,39 @@ in
in
mkIf (config.boot.initrd.network.enable && cfg.enable) {


boot.initrd.kernelModules = [ "tun" "tap" ];
boot.initrd.kernelModules = [ "tun" ];
boot.initrd.availableKernelModules = [
"ip6_tables"
"ip6t_rpfilter"
"ip_tables"
"ipt_rpfilter"
"libcrc32c"
"nf_conntrack"
"nf_conntrack_netlink"
"nf_defrag_ipv4"
"nf_defrag_ipv6"
"nf_nat"
"nf_reject_ipv4"
"nf_reject_ipv6"
"nf_tables"
# "ip6_tables"
# "ip6t_rpfilter"
# "ip_tables"
# "ipt_rpfilter"
# "libcrc32c"
# "nf_conntrack"
# "nf_conntrack_netlink"
# "nf_defrag_ipv4"
# "nf_defrag_ipv6"
# "nf_nat"
# "nfnetlink"
# "nf_reject_ipv4"
# "nf_reject_ipv6"
# "nf_tables"
# "tun"
# "x_tables"

"xt_mark"
"nft_chain_nat"
"nft_compat"
"nfnetlink"
"nft_compat"
"tun"
"x_tables"
"xt_LOG"
"xt_MASQUERADE"
"xt_addrtype"
"xt_comment"
"xt_conntrack"
"xt_mark"
"xt_multiport"
"xt_pkttype"
"xt_tcpudp"
];
# [...]

boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${cfg.package}/bin/.tailscaled-wrapped
copy_bin_and_libs ${cfg.package}/bin/.tailscale-wrapped
Expand All @@ -98,32 +98,10 @@ in
copy_bin_and_libs ${iptables-static}/bin/xtables-legacy-multi
copy_bin_and_libs ${iptables-static}/bin/xtables-nft-multi
'';
## this didn't work for extraUtilsCommands
# ${lib.concatMapStringsSep "\n" (file: ''
# cp "${file}" /etc/ssl/certs/
# '') config.security.pki.certificateFiles}


age.secrets.tailscaleOAuthKeyAcceptSsh.file = (inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age);

# boot.initrd.systemd.storePaths = [
# # "${lib.getExe cfg.package}"
# "${lib.getExe pkgs.kmod}"
# "${cfg.package}}/bin/tailscale"
# ];


age.secrets.tailscaleOAuthKeyAcceptSsh.file = ( inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age);

boot.initrd.secrets = {
"/etc/tauthkey" = cfg.authKeyFile;
};

# boot.initrd.extraFiles = {
# "/etc/ssl/certs/".source = config.security.pki.certificateFiles;
# };
# boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''
# $out/bin/tailscale --version
# '';
boot.initrd.secrets."/etc/tauthkey" = cfg.authKeyFile;

boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''
.tailscaled-wrapped --state=mem: &
Expand All @@ -132,17 +110,14 @@ in
# oathkeys need dns and trusted CA's.
# echo "nameserver 1.1.1.1" >> /etc/resolv.conf &


# boot.initrd.systemd.enable = true;

# boot.initrd.systemd.services.tailscaled = {
# wantedBy = [ "initrd.target" ];
# path = [ pkgs.kmod ];
# after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
# serviceConfig.ExecStart = ".tailscaled-wrapped";
# serviceConfig.Type = "notify";
# };

# boot.initrd.systemd.services.tailscale = {
# wantedBy = [ "initrd.target" ];
# after = [ "tailscaled.service" ];
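Review bot: `boot.initrd.secrets."/etc/tauthkey" = cfg.authKeyFile;` embeds the Tailscale auth key in the initrd image, which on a typical install sits on an unencrypted /boot partition, yet the file's header comment only warns about key expiry and the file-renaming quirk. I would add one line to that header so the exposure is explicit: `### NOTE: boot.initrd.secrets copies the auth key into the initrd, which normally lives on unencrypted /boot; use a short-lived, single-use key and rotate it if the boot medium leaves your control.` In the kernel-module hunk, `nf_tables`, `nf_nat`, `nf_conntrack` and `x_tables` are now commented out while `xt_MASQUERADE`, `xt_conntrack`, `nft_chain_nat` and `nft_compat` stay listed; this presumably relies on the initrd module closure pulling in their dependencies, which is worth confirming with a scripted (non-systemd) stage-1 boot since the `xtables-*-multi` binaries copied in `extraUtilsCommands` need those modules present. The enclosing `mkIf` attribute set continues past the end of the last hunk.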
