diff --git a/junos/default.nix b/junos/default.nix
index 17e876d..78107a0 100644
--- a/junos/default.nix
+++ b/junos/default.nix
@@ -1,5 +1,4 @@
 {
- name,
 lib,
 config,
 ...
@@ -22,6 +21,7 @@ in
 ./interfaces.nix
 ./vlans.nix
 ./poe.nix
+ ./system.nix
 ];
 options = {
 netconf.xmls.configuration = mkOption {
@@ -58,6 +58,7 @@ in
 mapAttrs mkIntf config.netconf.mandatoryInterfaces;
 config.netconf.xmls.configuration = ''
+ ${config.netconf.xmls.system}
 ${config.netconf.xmls.interfaces}
 ${config.netconf.xmls.protocols}
 ${config.netconf.xmls.vlans}
diff --git a/junos/system.nix b/junos/system.nix
new file mode 100644
index 0000000..8868131
--- /dev/null
+++ b/junos/system.nix
@@ -0,0 +1,72 @@ +{ lib, config, ... }: +with lib; +{ + options = { + system = { + host-name = mkOption { + type = types.str; + description = "The hostname of the switch."; + }; + root-authentication = { + hashedPasswd = mkOption { + type = types.str; + description = "Hashed password for root."; + }; + ssh-keys = mkOption { + type = types.listOf types.str; + description = "ssh keys for root user."; + default = [ ]; + }; + }; + services = { + ssh.root-login = mkOption { + type = types.enum [ + "allow" + "deny" + "deny-password" + ]; + description = "Login policy to use for root."; + }; + netconf.port = mkOption { + type = types.port; + description = "Port to use for netconf."; + default = 830; + }; + }; + }; + netconf.xmls.system = mkOption { + type = types.str; + visible = false; + readOnly = true; + }; + }; + config.netconf.xmls.system = + let + ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys; + ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1; + ssh-keys = map (concatStringsSep " ") ssh-keys2; + edsca = map (key: "${key}") ( + filter (hasPrefix "ssh-edsca ") ssh-keys + ); + rsa = map (key: "${key}") (filter (hasPrefix "ssh-rsa ") ssh-keys); + ed25519 = map (key: "${key}") ( + filter (hasPrefix "ssh-ed25519 ") ssh-keys + ); + in + '' + + ${config.system.host-name} + + ${config.system.root-authentication.hashedPasswd} + ${concatStrings (edsca ++ rsa ++ ed25519)} + + + ${config.system.services.ssh.root-login} + + ${toString config.system.services.netconf.port} + + + + + ''; +} diff --git a/netconf-hive.nix b/netconf-hive.nix index 20865cc..44f07b4 100644 --- a/netconf-hive.nix +++ b/netconf-hive.nix 
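Review bot: A root key that matches none of the three prefix filters in the `let` block of `config.netconf.xmls.system` is dropped silently, and the `hasPrefix "ssh-edsca "` filter can never match because OpenSSH ECDSA public keys begin with `ecdsa-sha2-nistp*` — so a key of the wrong type vanishes from the generated config without any evaluation error, which is a lockout risk given the hive pairs this with `root-login = "deny-password"`. I would use `ecdsa-sha2-` as that filter's prefix (keeping whatever element name Junos expects around it, which this rendering has stripped) and make evaluation fail on any unrecognised key, as in the excerpt below. The `foo@bar` placeholder appended to two-field keys in `ssh-keys2` is inexplicable without a comment; I would add `# Junos appears to require a comment field on the key — padded with a placeholder; TODO confirm` above it. Interpolated values such as `host-name` and key comments are not XML-escaped either; if the pinned nixpkgs provides `lib.strings.escapeXML`, wrapping them with it guards the document against `&` or `<` in a node name or comment.
```nix
    # … unchanged: ssh-keys1 / ssh-keys2 / ssh-keys / edsca / rsa / ed25519 bindings …
    # one prefix per Junos key element; anything else must fail loudly rather than vanish
    keyPrefixes = [ "ssh-rsa " "ssh-ed25519 " "ecdsa-sha2-" ];
    unknown = filter (key: !(any (p: hasPrefix p key) keyPrefixes)) ssh-keys;
  in
  assert assertMsg (unknown == [ ]) "system.root-authentication.ssh-keys: unsupported key type(s): ${concatStringsSep ", " unknown}";
  # … unchanged: the XML configuration string …
```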
@@ -33,12 +33,29 @@ let
 vlans = [ "ap-staging" ];
 };
 };
+ default =
+ { name, ... }:
+ {
+ vlans = vlansPlan;
+ system = {
+ host-name = name;
+ services.ssh.root-login = "deny-password";
+ root-authentication = {
+ hashedPasswd = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
+ ssh-keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+ ];
+ };
+ };
+ };
 in
 {
 netcore02 = {
 deployment.targetHost = "netcore02.dgn";
- imports = [ ./ex2300.nix ];
- vlans = vlansPlan;
+ imports = [
+ ./ex2300.nix
+ default
+ ];
 dgn-interfaces = {
 # "ge-0/0/0" = AP-staging;
 # "ge-0/0/1" = AP-staging;
@@ -120,8 +137,10 @@ in
 netaccess01 = {
 deployment.targetHost = "netaccess01.dgn";
- imports = [ ./ex2300.nix ];
- vlans = vlansPlan;
+ imports = [
+ ./ex2300.nix
+ default
+ ];
 dgn-interfaces = {
 # "ge-0/0/0" = AP-staging;
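Review bot: The new `default` module hard-codes the root password hash for every switch into the hive file itself; a `$6$` SHA-512 crypt hash is offline-brute-forceable by anyone who can read this repository, and the same hash on all devices means one crack opens all of them. I would read it from a path kept out of version control, e.g. `hashedPasswd = fileContents ./secrets/root-passwd-hash;` (with `lib`'s `fileContents`, or the deployment tool's secret facility if it has one), and leave only the public key inline. Since `root-login = "deny-password"` presumably restricts SSH root login to keys, the hash should only matter for console access, which is worth stating next to it: `# console-only: ssh root login is key-only (deny-password)`.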