From 7099c92236cf46cbadd1841ea9b856ec50f2a864 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Sat, 18 Jan 2025 21:33:23 +0100
Subject: [PATCH] [disko] add legacy option

I don't know if the grub device is right
---
 machines/modules/disko/default.nix | 377 ++++++++++++++-------------
 machines/modules/malobeo/initssh.nix | 4 -
 2 files changed, 202 insertions(+), 179 deletions(-)

diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix
index 2794fff..44df8c3 100644
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -20,6 +20,11 @@ in
 default = true;
 description = "Allows encryption to be disabled for testing";
 };
+ legacy = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Enable legacy boot (bios)";
+ };
 devNodes = lib.mkOption {
 type = lib.types.str;
 default = "/dev/disk/by-id/";
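Review bot: The description of the new `legacy` option says only "Enable legacy boot (bios)", but later in this patch flipping it swaps the ESP for an EF02 BIOS boot partition and replaces systemd-boot with GRUB, so it is a partition-layout decision, not a runtime toggle that can be changed on an already provisioned disk. I would state that in the description, e.g. `description = "Boot with GRUB in BIOS/legacy mode instead of systemd-boot/EFI; this changes the partition layout, so it must be chosen before the disk is formatted";`. The enclosing options set continues outside the hunk.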
@@ -81,198 +86,220 @@ in }; }; - config = lib.mkIf cfg.enable { - networking.hostId = cfg.hostId; - disko.devices = { - disk = lib.mkMerge [ - { - ssd0 = lib.mkIf (cfg.root.disk0 != "") { - type = "disk"; - device = "/dev/${cfg.root.disk0}"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "1024M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && !cfg.legacy) { + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + supportedFilesystems = [ "vfat" "zfs" ]; + }; + fileSystems."/boot".neededForBoot = true; + }) + (lib.mkIf (cfg.enable && cfg.legacy) { + boot.loader.grub = { + enable = true; + device = "/dev/${cfg.root.disk0}-part1"; + efiSupport = false; + enableCryptodisk = cfg.encryption; + zfsSupport = true; + }; + }) + (lib.mkIf cfg.enable { + networking.hostId = cfg.hostId; + disko.devices = { + disk = lib.mkMerge [ + { + ssd0 = lib.mkIf (cfg.root.disk0 != "") { + type = "disk"; + device = "/dev/${cfg.root.disk0}"; + content = { + type = "gpt"; + partitions = { + ESP = lib.mkIf (!cfg.legacy) { + size = "1024M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; }; - }; - encryptedSwap = { - size = cfg.root.swap; - content = { - type = "swap"; - randomEncryption = true; + boot = lib.mkIf cfg.legacy { + size = "1024M"; + type = "EF02"; }; - }; - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "zroot"; + encryptedSwap = { + size = cfg.root.swap; + content = { + type = "swap"; + randomEncryption = true; + }; }; - }; - }; - }; - }; - ssd1 = lib.mkIf (cfg.root.disk1 != "") { - type = "disk"; - device = "/dev/${cfg.root.disk1}"; - content = { - type = "gpt"; - partitions = { - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "zroot"; - }; - }; - }; - }; - }; - } - 
(lib.mkIf cfg.storage.enable ( - lib.mkMerge ( - map (diskname: { - "${diskname}" = { - type = "disk"; - device = "/dev/${diskname}"; - content = { - type = "gpt"; - partitions = { - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "storage"; - }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; }; }; }; }; - }) cfg.storage.disks - ) - )) - ]; + }; + ssd1 = lib.mkIf (cfg.root.disk1 != "") { + type = "disk"; + device = "/dev/${cfg.root.disk1}"; + content = { + type = "gpt"; + partitions = { + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + } + (lib.mkIf cfg.storage.enable ( + lib.mkMerge ( + map (diskname: { + "${diskname}" = { + type = "disk"; + device = "/dev/${diskname}"; + content = { + type = "gpt"; + partitions = { + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "storage"; + }; + }; + }; + }; + }; + }) cfg.storage.disks + ) + )) + ]; - zpool = { - zroot = { - type = "zpool"; - mode = lib.mkIf cfg.root.mirror "mirror"; - # Workaround: cannot import 'zroot': I/O error in disko tests - options.cachefile = "none"; - rootFsOptions = { - mountpoint = "none"; - xattr = "sa"; # für microvm virtiofs mount - acltype = "posixacl"; # für microvm virtiofs mount - compression = "zstd"; - "com.sun:auto-snapshot" = "false"; + zpool = { + zroot = { + type = "zpool"; + mode = lib.mkIf cfg.root.mirror "mirror"; + # Workaround: cannot import 'zroot': I/O error in disko tests + options.cachefile = "none"; + rootFsOptions = { + mountpoint = "none"; + xattr = "sa"; # für microvm virtiofs mount + acltype = "posixacl"; # für microvm virtiofs mount + compression = "zstd"; + "com.sun:auto-snapshot" = "false"; + }; + + datasets = { + encrypted = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + encryption = lib.mkIf cfg.encryption "aes-256-gcm"; + keyformat = lib.mkIf cfg.encryption "passphrase"; + keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; + }; + 
# use this to read the key during boot + postCreateHook = lib.mkIf cfg.encryption '' + zfs set keylocation="prompt" zroot/encrypted; + ''; + }; + "encrypted/root" = { + type = "zfs_fs"; + mountpoint = "/"; + options.mountpoint = "legacy"; + }; + "encrypted/var" = { + type = "zfs_fs"; + mountpoint = "/var"; + options.mountpoint = "legacy"; + }; + "encrypted/etc" = { + type = "zfs_fs"; + mountpoint = "/etc"; + options.mountpoint = "legacy"; + }; + "encrypted/home" = { + type = "zfs_fs"; + mountpoint = "/home"; + options.mountpoint = "legacy"; + }; + "encrypted/nix" = { + type = "zfs_fs"; + mountpoint = "/nix"; + options.mountpoint = "legacy"; + }; + reserved = { + # for cow delete if pool is full + options = { + canmount = "off"; + mountpoint = "none"; + reservation = "${cfg.root.reservation}"; + }; + type = "zfs_fs"; + }; + }; }; - datasets = { - encrypted = { - type = "zfs_fs"; - options = { - mountpoint = "none"; - encryption = lib.mkIf cfg.encryption "aes-256-gcm"; - keyformat = lib.mkIf cfg.encryption "passphrase"; - keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; + storage = lib.mkIf cfg.storage.enable { + type = "zpool"; + mode = lib.mkIf (cfg.storage.mirror) "mirror"; + rootFsOptions = { + mountpoint = "none"; + xattr = "sa"; # für microvm virtiofs mount + acltype = "posixacl"; # für microvm virtiofs mount + }; + datasets = { + encrypted = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + encryption = lib.mkIf cfg.encryption "aes-256-gcm"; + keyformat = lib.mkIf cfg.encryption "passphrase"; + keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; + }; + # use this to read the key during boot + postCreateHook = lib.mkIf cfg.encryption '' + zfs set keylocation="prompt" storage/encrypted; + ''; }; - # use this to read the key during boot - postCreateHook = lib.mkIf cfg.encryption '' - zfs set keylocation="prompt" zroot/encrypted; - ''; - }; - "encrypted/root" = { - type = "zfs_fs"; - mountpoint = "/"; - options.mountpoint = 
"legacy"; - }; - "encrypted/var" = { - type = "zfs_fs"; - mountpoint = "/var"; - options.mountpoint = "legacy"; - }; - "encrypted/etc" = { - type = "zfs_fs"; - mountpoint = "/etc"; - options.mountpoint = "legacy"; - }; - "encrypted/home" = { - type = "zfs_fs"; - mountpoint = "/home"; - options.mountpoint = "legacy"; - }; - "encrypted/nix" = { - type = "zfs_fs"; - mountpoint = "/nix"; - options.mountpoint = "legacy"; - }; - reserved = { - # for cow delete if pool is full - options = { - canmount = "off"; - mountpoint = "none"; - reservation = "${cfg.root.reservation}"; + "encrypted/data" = { + type = "zfs_fs"; + mountpoint = "/data"; + options.mountpoint = "legacy"; }; - type = "zfs_fs"; - }; - }; - }; - - storage = lib.mkIf cfg.storage.enable { - type = "zpool"; - mode = lib.mkIf (cfg.storage.mirror) "mirror"; - rootFsOptions = { - mountpoint = "none"; - xattr = "sa"; # für microvm virtiofs mount - acltype = "posixacl"; # für microvm virtiofs mount - }; - datasets = { - encrypted = { - type = "zfs_fs"; - options = { - mountpoint = "none"; - encryption = lib.mkIf cfg.encryption "aes-256-gcm"; - keyformat = lib.mkIf cfg.encryption "passphrase"; - keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; + reserved = { + # for cow delete if pool is full + options = { + canmount = "off"; + mountpoint = "none"; + reservation = "${cfg.storage.reservation}"; + }; + type = "zfs_fs"; }; - # use this to read the key during boot - postCreateHook = lib.mkIf cfg.encryption '' - zfs set keylocation="prompt" storage/encrypted; - ''; - }; - "encrypted/data" = { - type = "zfs_fs"; - mountpoint = "/data"; - options.mountpoint = "legacy"; - }; - reserved = { - # for cow delete if pool is full - options = { - canmount = "off"; - mountpoint = "none"; - reservation = "${cfg.storage.reservation}"; - }; - type = "zfs_fs"; }; }; }; }; - }; - boot.zfs.devNodes = lib.mkDefault cfg.devNodes; + boot.zfs.devNodes = lib.mkDefault cfg.devNodes; - fileSystems."/".neededForBoot = true; - 
fileSystems."/etc".neededForBoot = true;
- fileSystems."/boot".neededForBoot = true;
- fileSystems."/var".neededForBoot = true;
- fileSystems."/home".neededForBoot = true;
- fileSystems."/nix".neededForBoot = true;
- };
+ fileSystems."/".neededForBoot = true;
+ fileSystems."/etc".neededForBoot = true;
+ fileSystems."/var".neededForBoot = true;
+ fileSystems."/home".neededForBoot = true;
+ fileSystems."/nix".neededForBoot = true;
+ })
+ ];
 }
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index 8286084..9c60576 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -26,13 +26,9 @@ in
 config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
 boot = {
- loader.systemd-boot.enable = true;
- loader.efi.canTouchEfiVariables = true;
- supportedFilesystems = [ "vfat" "zfs" ];
 zfs = {
 forceImportAll = true;
 requestEncryptionCredentials = true;
- };
 initrd = {
 availableKernelModules = cfg.ethernetDrivers;
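Review bot: In the `cfg.legacy` branch GRUB has no filesystem it can read `/boot` from: the only non-ZFS partition added is the EF02 `boot` partition (no content, no mountpoint), so the kernels end up on `zroot/encrypted/root`, whose pool sets `compression = "zstd"` and, with `cfg.encryption`, native ZFS encryption — GRUB's ZFS reader supports neither as far as I know, and `enableCryptodisk` only covers LUKS, not ZFS native encryption. The legacy layout needs a plain, unencrypted `/boot` partition (or a separate pool restricted to GRUB-compatible features), and `fileSystems."/boot".neededForBoot = true;` then belongs in that branch as well. On the `device = "/dev/${cfg.root.disk0}-part1"` line the doubt in the commit message is justified: for BIOS boot on GPT GRUB is installed to the whole disk, `device = "/dev/${cfg.root.disk0}";`, with the EF02 partition picked up automatically, and the `-part1` suffix only exists for by-id style names anyway; with `cfg.root.mirror` the `ssd1` disk also gets no EF02 partition and no `devices` entry, so the mirror would not boot after losing disk0. The companion initssh.nix hunk additionally deletes the `};` that closed `boot.zfs`, which on the visible lines leaves `initrd` nested inside `zfs`; that hunk continues beyond this excerpt.
```nix
boot = lib.mkIf cfg.legacy {
  # … unchanged: EF02 BIOS boot partition …
};
# GRUB cannot read natively encrypted or zstd-compressed ZFS, so in BIOS
# mode /boot lives on a plain filesystem instead of zroot/encrypted/root.
bootfs = lib.mkIf cfg.legacy {
  size = "1024M";
  content = {
    type = "filesystem";
    format = "ext4";
    mountpoint = "/boot";
  };
};
# … unchanged: encryptedSwap and zfs partitions …
```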