ahtlon/infrastructure
1
0
Fork 0
forked from kalipso/infrastructure
Code Pull Requests Activity

init now automaticly imports all pools

Browse Source
This commit is contained in:
ahtlon
2024-12-31 13:33:24 +01:00
parent 8c488d50a8
commit 9f81b1497d
3 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
machines/modules/disko/default.nix
View File

@@ -176,7 +176,7 @@ in
mountpoint = "none";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///tmp/root.key";
keylocation = "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = ''
@@ -186,22 +186,27 @@ in
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
@@ -230,7 +235,7 @@ in
mountpoint = "none";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///tmp/storage.key";
keylocation = "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = ''
@@ -240,6 +245,7 @@ in
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
@@ -255,11 +261,14 @@ in
};
};
boot.zfs.devNodes = cfg.devNodes;
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
fileSystems."/data".neededForBoot = true;
};
}

5
machines/modules/malobeo/initssh.nix
View File

@@ -32,6 +32,7 @@ in
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
@@ -48,8 +49,6 @@ in
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
@@ -61,5 +60,7 @@ in
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}

7
scripts/remote-install-encrypt.sh
View File

@@ -24,6 +24,9 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
@@ -36,9 +39,9 @@ chmod 600 "$temp/etc/ssh/initrd"
if [ $# = 3 ]
then
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname $3@$ipaddress
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname root@$ipaddress
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi