From 831a55f03e2350835871aa12f70f2fe1aa2b51a6 Mon Sep 17 00:00:00 2001
From: yomaq
Date: Thu, 16 May 2024 23:43:53 -0500
Subject: [PATCH] cleanup + cut down initrd kernel modules

---
 modules/hosts/initrd-tailscale/nixos.nix | 73 ++++++++----------------
 1 file changed, 24 insertions(+), 49 deletions(-)

diff --git a/modules/hosts/initrd-tailscale/nixos.nix b/modules/hosts/initrd-tailscale/nixos.nix
index db9b447..98163ee 100644
--- a/modules/hosts/initrd-tailscale/nixos.nix
+++ b/modules/hosts/initrd-tailscale/nixos.nix
@@ -6,8 +6,6 @@ ### authkeys expired every 3 months and will need to be manually updated. ### I have had weird results when trying to overwrite existing key files in initrd, often times only re-naming to a fresh file name appears to work. - - with lib; let cfg = config.yomaq.initrd-tailscale;
@@ -25,6 +23,7 @@ in included. Service is killed when stage-1 boot is finished. ''; }; + package = lib.mkPackageOptionMD pkgs "tailscale" {}; authKeyFile = mkOption {
@@ -35,6 +34,7 @@ in A file containing the auth key. ''; }; + extraUpFlags = mkOption { description = lib.mdDoc "Extra flags to pass to {command}`tailscale up`."; type = types.listOf types.str;
@@ -56,39 +56,39 @@ in in mkIf (config.boot.initrd.network.enable && cfg.enable) { - - boot.initrd.kernelModules = [ "tun" "tap" ]; + boot.initrd.kernelModules = [ "tun" ]; boot.initrd.availableKernelModules = [ - "ip6_tables" - "ip6t_rpfilter" - "ip_tables" - "ipt_rpfilter" - "libcrc32c" - "nf_conntrack" - "nf_conntrack_netlink" - "nf_defrag_ipv4" - "nf_defrag_ipv6" - "nf_nat" - "nf_reject_ipv4" - "nf_reject_ipv6" - "nf_tables" + # "ip6_tables" + # "ip6t_rpfilter" + # "ip_tables" + # "ipt_rpfilter" + # "libcrc32c" + # "nf_conntrack" + # "nf_conntrack_netlink" + # "nf_defrag_ipv4" + # "nf_defrag_ipv6" + # "nf_nat" + # "nfnetlink" + # "nf_reject_ipv4" + # "nf_reject_ipv6" + # "nf_tables" + # "tun" + # "x_tables" + + "xt_mark" "nft_chain_nat" "nft_compat" - "nfnetlink" "nft_compat" - "tun" - "x_tables" "xt_LOG" "xt_MASQUERADE" "xt_addrtype" "xt_comment" "xt_conntrack" - "xt_mark" "xt_multiport" "xt_pkttype" "xt_tcpudp" ]; - # [...] + boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${cfg.package}/bin/.tailscaled-wrapped copy_bin_and_libs ${cfg.package}/bin/.tailscale-wrapped 
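Review bot: The trimmed `availableKernelModules` list still names `xt_MASQUERADE`, `xt_conntrack`, `nft_chain_nat` and `nft_compat` while their providers (`nf_nat`, `nf_conntrack`, `nf_tables`, `x_tables`) are now commented out, so this only works if the initrd builder pulls those in transitively; that is worth confirming in the built initrd, since if tailscaled cannot program its firewall rules in stage 1 the node will not come up, and for an unlock-only node `extraUpFlags = [ "--netfilter-mode=off" ]` may be the simpler route (how `tailscale up` is invoked is not visible from this hunk). Separately, the sixteen `# "…"` entries are dead code kept as comments and `"nft_compat"` now appears twice on the new side; drop the commented entries (git keeps the history), dedupe the list, and replace them with a single line such as `# minimal netfilter set for tailscaled in stage 1; nf_*/x_tables deps are resolved by the initrd builder` once that dependency behaviour is confirmed. The attribute set opened by `mkIf (config.boot.initrd.network.enable && cfg.enable) {` continues past the end of the hunk.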
@@ -98,32 +98,10 @@ in copy_bin_and_libs ${iptables-static}/bin/xtables-legacy-multi copy_bin_and_libs ${iptables-static}/bin/xtables-nft-multi ''; - ## this didn't work for extraUtilsCommands - # ${lib.concatMapStringsSep "\n" (file: '' - # cp "${file}" /etc/ssl/certs/ - # '') config.security.pki.certificateFiles} - + age.secrets.tailscaleOAuthKeyAcceptSsh.file = (inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age); - # boot.initrd.systemd.storePaths = [ - # # "${lib.getExe cfg.package}" - # "${lib.getExe pkgs.kmod}" - # "${cfg.package}}/bin/tailscale" - # ]; - - - age.secrets.tailscaleOAuthKeyAcceptSsh.file = ( inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age); - - boot.initrd.secrets = { - "/etc/tauthkey" = cfg.authKeyFile; - }; - - # boot.initrd.extraFiles = { - # "/etc/ssl/certs/".source = config.security.pki.certificateFiles; - # }; - # boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' - # $out/bin/tailscale --version - # ''; + boot.initrd.secrets."/etc/tauthkey" = cfg.authKeyFile; boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) '' .tailscaled-wrapped --state=mem: & @@ -132,9 +110,7 @@ in # oathkeys need dns and trusted CA's. # echo "nameserver 1.1.1.1" >> /etc/resolv.conf & - # boot.initrd.systemd.enable = true; - # boot.initrd.systemd.services.tailscaled = { # wantedBy = [ "initrd.target" ]; # path = [ pkgs.kmod ]; @@ -142,7 +118,6 @@ in # serviceConfig.ExecStart = ".tailscaled-wrapped"; # serviceConfig.Type = "notify"; # }; - # boot.initrd.systemd.services.tailscale = { # wantedBy = [ "initrd.target" ]; # after = [ "tailscaled.service" ];
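Review bot: `boot.initrd.secrets."/etc/tauthkey" = cfg.authKeyFile;` places the Tailscale auth key in the initrd that NixOS appends under /boot, which on a typical systemd-boot install is an unencrypted ESP, so the key sits in cleartext for anyone who gets the disk — the very situation an initrd-unlock node is meant to survive. The file's header comment only mentions the three-month expiry; the option deserves a note such as `# the key is copied into the initrd in /boot (cleartext on an unencrypted ESP); use a tagged, short-lived pre-auth key so a copied key cannot enrol a privileged node` and the tailnet ACLs should scope that tag to what a stage-1 host actually needs. `age.secrets.tailscaleOAuthKeyAcceptSsh` is also declared in this hunk, but nothing visible here consumes it, so it is either used outside the hunk or leftover from the removed experiments. The `postCommands` script that backgrounds `.tailscaled-wrapped --state=mem: &` continues past the end of the hunk.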