From fb222bc1a43669e286359f39f01d9ea3aca8b190 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 15:08:24 +0100
Subject: [PATCH 1/3] [disko] rm btrfs-laptop.nix
---
 machines/modules/disko/btrfs-laptop.nix | 63 -------------------------
 1 file changed, 63 deletions(-)
 delete mode 100644 machines/modules/disko/btrfs-laptop.nix
diff --git a/machines/modules/disko/btrfs-laptop.nix b/machines/modules/disko/btrfs-laptop.nix
deleted file mode 100644
index eef69315..00000000
--- a/machines/modules/disko/btrfs-laptop.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ config, self, inputs, ... }:
-
-{
- imports = [
- inputs.disko.nixosModules.disko
- ];
-
- # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
- disko.devices = {
- disk = {
- main = {
- type = "disk";
- # When using disko-install, we will overwrite this value from the commandline
- device = "/dev/disk/by-id/some-disk-id";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- luks = {
- size = "100%";
- content = {
- type = "luks";
- name = "crypted";
- passwordFile = /tmp/secret.key; # Interactive
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "/root" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/home" = {
- mountpoint = "/home";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/nix" = {
- mountpoint = "/nix";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/swap" = {
- mountpoint = "/.swapvol";
- swap.swapfile.size = "20M";
- };
- };
- };
- };
- };
- };
- };
- };
- };
- };
- };
-}
From 4a6768346293b827f3adff632499a71bb568eb73 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 18:30:31 +0100
Subject: [PATCH 2/3] [disko] Bit of a hack but the storage partition now gets mounted after zroot using a file on the disk.
---
 machines/modules/disko/default.nix | 6 +++---
 machines/modules/malobeo/initssh.nix | 2 --
 machines/testvm/configuration.nix | 2 +-
 scripts/remote-install-encrypt.sh | 2 ++
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix
index 2794fff7..6174bf33 100644
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -187,6 +187,7 @@ in
 postCreateHook = lib.mkIf cfg.encryption ''
 zfs set keylocation="prompt" zroot/encrypted;
 '';
+
 };
 "encrypted/root" = {
 type = "zfs_fs";
@@ -244,13 +245,12 @@ in
 };
 # use this to read the key during boot
 postCreateHook = lib.mkIf cfg.encryption ''
- zfs set keylocation="prompt" storage/encrypted;
+ zfs set keylocation="file:///root/secret.key" storage/encrypted;
 '';
 };
 "encrypted/data" = {
 type = "zfs_fs";
 mountpoint = "/data";
- options.mountpoint = "legacy";
 };
 reserved = {
 # for cow delete if pool is full
@@ -267,7 +267,7 @@ in
 };
 boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-
+ boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
 fileSystems."/".neededForBoot = true;
 fileSystems."/etc".neededForBoot = true;
 fileSystems."/boot".neededForBoot = true;
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index 8286084f..6a68622c 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -30,9 +30,7 @@ in
 loader.efi.canTouchEfiVariables = true;
 supportedFilesystems = [ "vfat" "zfs" ];
 zfs = {
- forceImportAll = true;
 requestEncryptionCredentials = true;
-
 };
 initrd = {
 availableKernelModules = cfg.ethernetDrivers;
diff --git a/machines/testvm/configuration.nix b/machines/testvm/configuration.nix
index b338fbca..003a0178 100644
--- a/machines/testvm/configuration.nix
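Review bot: The new `keylocation="file:///root/secret.key"` on `storage/encrypted` hard-codes a path that nothing in this module provisions or documents; the file only exists because `scripts/remote-install-encrypt.sh` in the same commit writes `$temp/root/secret.key`, so a host installed any other way will presumably fail to load the key when `boot.zfs.extraPools` (third hunk) imports `storage` after root is mounted. A comment above the `postCreateHook` should state the coupling, e.g. `# key file is provisioned onto the target by scripts/remote-install-encrypt.sh; storage can only be unlocked once zroot (which holds /root) is mounted, hence extraPools rather than an initrd import`. Consider lifting the path into a module option so the script and this module read one value instead of two literals that must stay in sync. The `disko.devices` attribute set this hunk edits starts and ends outside the hunk.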
+++ b/machines/testvm/configuration.nix
@@ -24,7 +24,7 @@ in
 malobeo.disks = {
 enable = true;
- encryption = false;
+ encryption = true;
 hostId = "83abc8cb";
 devNodes = "/dev/disk/by-path/";
 root = {
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 07331a87..277f5194 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -37,9 +37,11 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/root/"
 diskKey=$(sops -d machines/$hostname/disk.key)
 echo "$diskKey" > /tmp/secret.key
+echo "$diskKey" > $temp/root/secret.key
 ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
 ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
From a07bec04726937feae2035c2303038e956e8c4c0 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 18:42:31 +0100
Subject: [PATCH 3/3] [scripts] only need to unlock once
---
 scripts/unlock-boot.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 2c5cea33..347f260a 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -23,18 +23,14 @@ echo
 if [ $# = 1 ]
 then
 diskkey=$(sops -d machines/$HOSTNAME/disk.key)
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
 elif [ $# = 2 ]
 then
 diskkey=$(sops -d machines/$HOSTNAME/disk.key)
 IP=$2
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
-
+
 else
 echo
 echo "Unlock the root disk on a remote host."
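Review bot: The added `echo "$diskKey" > $temp/root/secret.key` creates the ZFS key file with the caller's default umask, and the directory created just above it by `install -d -m755 "$temp/root/"` is world-readable and traversable, so if the install tooling preserves the modes under `$temp` the key for `storage/encrypted` lands on the target as a file any local user can read. Create the directory with `install -d -m700 "$temp/root/"` and write the key under a restricted umask with the path quoted, `(umask 077; echo "$diskKey" > "$temp/root/secret.key")`. The `cleanup` trap named in the hunk header and the rest of the script are outside the hunk, so whether `$temp` is wiped after the install cannot be confirmed from here.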