change script to first import storage before unlocking root

Add wireguard generation to scripts (THIS IS NOT TESTED)
[fanny] set wg initrd key
2025-11-15 15:43:34 +01:00 · 2025-11-15 14:02:04 +01:00 · 2025-11-15 13:39:55 +01:00 · 2025-11-15 13:12:29 +01:00 · 2025-11-15 13:12:29 +01:00
6 changed files with 54 additions and 5 deletions
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -1,6 +1,7 @@
 { inputs, config, ... }:
 let
  sshKeys = import ../ssh_keys.nix;
  peers = import ../modules/malobeo/peers.nix;
 in
 {
  sops.defaultSopsFile = ./secrets.yaml;
@@ -87,6 +88,35 @@ in
    ethernetDrivers = ["r8169"];
  };
  boot.initrd = {
    availableKernelModules = [ "wireguard" ];
    systemd = {
      enable = true;
      network = {
        enable = true;
        netdevs."30-wg-initrd" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-initrd";
          };
          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
          wireguardPeers = [{
            AllowedIPs = peers.fanny-initrd.allowedIPs;
            PublicKey = peers.fanny-initrd.publicKey;
            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
            PersistentKeepalive = 25;
          }];
        };
        networks."30-wg-initrd" = {
          name = "wg-initrd";
          addresses = [{ Address = peers.fanny-initrd.address; }];
        };
      };
    };
  };
  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
  services.malobeo.vpn = {
    enable = true;
    name = "fanny";
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -56,7 +56,7 @@ in
          path = with pkgs; [ zfs ];
          serviceConfig.Type = "oneshot";
          script = ''
-            echo "systemctl default" >> /var/empty/.profile
+            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
          '';
        };
      };
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -44,6 +44,14 @@
    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
  };
  "fanny-initrd" = {
    role = "client";
    address = "10.100.0.102";
    allowedIPs = [ "10.100.0.102/32" ];
    #TODO: UPDATE
    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
  };
  "backup0" = {
    role = "client";
    address = "10.100.0.20";
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
 wg genkey > wg.private
 publickey=$(cat wg.private | wg pubkey)
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
 sops -e -i ./wg.private
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
 echo "Hier ist der wireguard pubkey für das gerät"
 echo "$publickey"
 echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -40,7 +40,9 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/etc/wireguard/"
 ##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
    then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 elif [ $# = 2 ]
    then
    ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$ip "zpool import -a"
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
 else
    echo
Author	SHA1	Message	Date
ahtlon	ee24f8a4a9	change script to first import storage before unlocking root All checks were successful Check flake syntax / flake-check (push) Successful in 4m36s Details	2025-11-15 15:43:34 +01:00
ahtlon	c18724e9a6	Add wireguard generation to scripts (THIS IS NOT TESTED) All checks were successful Check flake syntax / flake-check (push) Successful in 5m20s Details	2025-11-15 14:02:04 +01:00
kalipso	b59f4084c0	[fanny] set wg initrd key All checks were successful Check flake syntax / flake-check (push) Successful in 4m59s Details	2025-11-15 13:39:55 +01:00
kalipso	f6bd56d583	[fanny] setup initrd wireguard All checks were successful Check flake syntax / flake-check (push) Successful in 9m48s Details	2025-11-15 13:12:29 +01:00
kalipso	f8f68df868	[initssh] load all zfs keys	2025-11-15 13:12:29 +01:00