kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 3 Actions Projects 2 Releases Wiki Activity

init now automaticly imports all pools
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m27s
Details

Browse Source
This commit is contained in:
ahtlon
2024-12-31 13:33:24 +01:00
parent 8c488d50a8
commit 9f81b1497d
3 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
machines/modules/disko/default.nix
View File

@@ -176,7 +176,7 @@ in
mountpoint = "none"; mountpoint = "none";
encryption = "aes-256-gcm"; encryption = "aes-256-gcm";
keyformat = "passphrase"; keyformat = "passphrase";
keylocation = "file:///tmp/root.key"; keylocation = "file:///tmp/secret.key";
}; };
# use this to read the key during boot # use this to read the key during boot
postCreateHook = '' postCreateHook = ''
@@ -186,22 +186,27 @@ in
"encrypted/root" = { "encrypted/root" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/"; mountpoint = "/";
options.mountpoint = "legacy";
}; };
"encrypted/var" = { "encrypted/var" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/var"; mountpoint = "/var";
options.mountpoint = "legacy";
}; };
"encrypted/etc" = { "encrypted/etc" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/etc"; mountpoint = "/etc";
options.mountpoint = "legacy";
}; };
"encrypted/home" = { "encrypted/home" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/home"; mountpoint = "/home";
options.mountpoint = "legacy";
}; };
"encrypted/nix" = { "encrypted/nix" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/nix"; mountpoint = "/nix";
options.mountpoint = "legacy";
}; };
reserved = { reserved = {
# for cow delete if pool is full # for cow delete if pool is full
@@ -230,7 +235,7 @@ in
mountpoint = "none"; mountpoint = "none";
encryption = "aes-256-gcm"; encryption = "aes-256-gcm";
keyformat = "passphrase"; keyformat = "passphrase";
keylocation = "file:///tmp/storage.key"; keylocation = "file:///tmp/secret.key";
}; };
# use this to read the key during boot # use this to read the key during boot
postCreateHook = '' postCreateHook = ''
@@ -240,6 +245,7 @@ in
"encrypted/data" = { "encrypted/data" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/data"; mountpoint = "/data";
options.mountpoint = "legacy";
}; };
reserved = { reserved = {
# for cow delete if pool is full # for cow delete if pool is full
@@ -255,11 +261,14 @@ in
}; };
}; };
boot.zfs.devNodes = cfg.devNodes;
fileSystems."/".neededForBoot = true; fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true; fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true; fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true; fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/nix".neededForBoot = true;
fileSystems."/data".neededForBoot = true;
}; };
} }

21
machines/modules/malobeo/initssh.nix
View File

@@ -32,6 +32,7 @@ in
zfs = { zfs = {
forceImportAll = true; forceImportAll = true;
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
}; };
initrd = { initrd = {
availableKernelModules = cfg.ethernetDrivers; availableKernelModules = cfg.ethernetDrivers;
@@ -48,18 +49,18 @@ in
secrets = { secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd"; "/etc/ssh/initrd" = "/etc/ssh/initrd";
}; };
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
}; };
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ]; kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
}; };
}; };
} }

7
scripts/remote-install-encrypt.sh
View File

@@ -24,6 +24,9 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/etc/ssh/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N "" ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N "" ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
@@ -36,9 +39,9 @@ chmod 600 "$temp/etc/ssh/initrd"
if [ $# = 3 ] if [ $# = 3 ]
then then
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \ nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname $3@$ipaddress --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
else else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \ nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname root@$ipaddress --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi fi