
ahtlon
d4ef6381a0 i don't know if this should be used
Since only passing through the ssh dir doesn't work, the host would be polluted by all the other hosts writing to etc
2025-01-18 17:39:28 +01:00
ahtlon
c416f27c81 add note to docs 2025-01-18 16:35:34 +01:00
ahtlon
0d61107515 Try constant test keys 2025-01-18 16:34:24 +01:00
9 changed files with 198 additions and 264 deletions


@@ -1,15 +0,0 @@
name: "Check flake syntax"
on:
pull_request:
push:
jobs:
flake-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies for Nix setup action
run: |
apt update -y
apt install sudo -y
- uses: cachix/install-nix-action@v27
- run: nix flake check --no-update-lock-file --accept-flake-config .


@@ -44,6 +44,9 @@ sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first) # alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
microvm -r durruti microvm -r durruti
#if you get an error like "Error booting VM: VmBoot(DeviceManager(CreateVirtioFs(VhostUserConnect)))", try starting the virtio service manually
sudo systemctl start microvm-virtiofsd@{host}.service
# after u made changes to the microvm update and restart the vm # after u made changes to the microvm update and restart the vm
microvm -uR durruti microvm -uR durruti


@@ -26,7 +26,6 @@ in
malobeo.disks = { malobeo.disks = {
enable = true; enable = true;
legacy = true;
hostId = "a3c3102f"; hostId = "a3c3102f";
root = { root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ"; disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
@@ -34,7 +33,9 @@ in
}; };
malobeo.initssh = { malobeo.initssh = {
enable = false; enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
}; };
hardware.sane.enable = true; #scanner support hardware.sane.enable = true; #scanner support
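Review bot: `legacy = true` is dropped here with nothing in its place, while the disko module in this same commit removes the grub/BIOS path entirely, so after a reinstall this host only boots if its firmware supports UEFI — worth confirming for this machine before the next `remote-install`. Turning on `malobeo.initssh` with `authorizedKeys = sshKeys.admins` gives every key in that list a root shell in the initrd that can supply (or observe) the ZFS passphrase, so that list should be reviewed with the same care as the disk key itself. The commit title "Try constant test keys" suggests the initrd host key is now a fixed key; if it is checked into the repo it should be treated as public and replaced before this host leaves testing — I cannot see where it is defined from this hunk, so please confirm.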


@@ -3,7 +3,6 @@
, nixpkgs , nixpkgs
, sops-nix , sops-nix
, inputs , inputs
, microvm
, nixos-hardware , nixos-hardware
, home-manager , home-manager
, ... , ...
@@ -35,14 +34,15 @@ let
}; };
}; };
}) })
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
microvm.nixosModules.microvm
]; ];
} }
]; ];
defaultModules = baseModules; defaultModules = baseModules;
makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
inputs.microvm.nixosModules.microvm
{ {
microvm = { microvm = {
hypervisor = "cloud-hypervisor"; hypervisor = "cloud-hypervisor";
@@ -56,11 +56,11 @@ let
socket = "store.socket"; socket = "store.socket";
} }
{ {
source = "/var/lib/microvms/${hostName}/etc"; source = "/var/lib/microvms/test/etc/";
mountPoint = "/etc"; mountPoint = "/etc";
tag = "etc"; tag = "etcssh";
proto = "virtiofs"; proto = "virtiofs";
socket = "etc.socket"; socket = "etcssh.socket";
} }
{ {
source = "/var/lib/microvms/${hostName}/var"; source = "/var/lib/microvms/${hostName}/var";
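Review bot: The new `source = "/var/lib/microvms/test/etc/"` no longer contains `${hostName}`, so every microVM produced by `makeMicroVM` mounts the same host directory read-write as its `/etc`; any guest can therefore read and overwrite every other guest's `/etc` contents — ssh host keys, `/etc/shadow`, anything sops renders there — which is the "pollution" the commit message describes and also a cross-VM isolation break. Keep the per-host directory, `source = "/var/lib/microvms/${hostName}/etc";`, and pre-seed the constant test host keys into each `/var/lib/microvms/<host>/etc/ssh` on the host instead, or share only a per-host `ssh` subdirectory if a second share works. If the shared path has to stay for an experiment, at least mark it with a comment such as `# FIXME: shared across all VMs, not safe beyond local testing` so it is not deployed by accident.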


@@ -20,11 +20,6 @@ in
default = true; default = true;
description = "Allows encryption to be disabled for testing"; description = "Allows encryption to be disabled for testing";
}; };
legacy = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable legacy boot (bios)";
};
devNodes = lib.mkOption { devNodes = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/dev/disk/by-id/"; default = "/dev/disk/by-id/";
@@ -86,220 +81,198 @@ in
}; };
}; };
config = lib.mkMerge [ config = lib.mkIf cfg.enable {
(lib.mkIf (cfg.enable && !cfg.legacy) { networking.hostId = cfg.hostId;
boot = { disko.devices = {
loader.systemd-boot.enable = true; disk = lib.mkMerge [
loader.efi.canTouchEfiVariables = true; {
supportedFilesystems = [ "vfat" "zfs" ]; ssd0 = lib.mkIf (cfg.root.disk0 != "") {
}; type = "disk";
fileSystems."/boot".neededForBoot = true; device = "/dev/${cfg.root.disk0}";
}) content = {
(lib.mkIf (cfg.enable && cfg.legacy) { type = "gpt";
boot.loader.grub = { partitions = {
enable = lib.mkForce true; ESP = {
device = "/dev/${cfg.root.disk0}-part1"; size = "1024M";
efiSupport = false; type = "EF00";
enableCryptodisk = cfg.encryption;
zfsSupport = true;
};
})
(lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = lib.mkIf (!cfg.legacy) {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
boot = lib.mkIf cfg.legacy {
size = "1024M";
type = "EF02";
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = { content = {
type = "gpt"; type = "filesystem";
partitions = { format = "vfat";
zfs = { mountpoint = "/boot";
size = "100%"; mountOptions = [ "umask=0077" ];
content = { };
type = "zfs"; };
pool = "storage"; encryptedSwap = {
}; size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
}; };
}; };
}; };
}; };
}) cfg.storage.disks };
) }) cfg.storage.disks
)) )
]; ))
];
zpool = { zpool = {
zroot = { zroot = {
type = "zpool"; type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror"; mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests # Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none"; options.cachefile = "none";
rootFsOptions = { rootFsOptions = {
mountpoint = "none"; mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd"; compression = "zstd";
"com.sun:auto-snapshot" = "false"; "com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
}; };
storage = lib.mkIf cfg.storage.enable { datasets = {
type = "zpool"; encrypted = {
mode = lib.mkIf (cfg.storage.mirror) "mirror"; type = "zfs_fs";
rootFsOptions = { options = {
mountpoint = "none"; mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount encryption = lib.mkIf cfg.encryption "aes-256-gcm";
acltype = "posixacl"; # für microvm virtiofs mount keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
}; };
datasets = { "encrypted/root" = {
encrypted = { type = "zfs_fs";
type = "zfs_fs"; mountpoint = "/";
options = { options.mountpoint = "legacy";
mountpoint = "none"; };
encryption = lib.mkIf cfg.encryption "aes-256-gcm"; "encrypted/var" = {
keyformat = lib.mkIf cfg.encryption "passphrase"; type = "zfs_fs";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; mountpoint = "/var";
}; options.mountpoint = "legacy";
# use this to read the key during boot };
postCreateHook = lib.mkIf cfg.encryption '' "encrypted/etc" = {
zfs set keylocation="prompt" storage/encrypted; type = "zfs_fs";
''; mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
}; };
"encrypted/data" = { type = "zfs_fs";
type = "zfs_fs"; };
mountpoint = "/data"; };
options.mountpoint = "legacy"; };
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
}; };
reserved = { # use this to read the key during boot
# for cow delete if pool is full postCreateHook = lib.mkIf cfg.encryption ''
options = { zfs set keylocation="prompt" storage/encrypted;
canmount = "off"; '';
mountpoint = "none"; };
reservation = "${cfg.storage.reservation}"; "encrypted/data" = {
}; type = "zfs_fs";
type = "zfs_fs"; mountpoint = "/data";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
}; };
type = "zfs_fs";
}; };
}; };
}; };
}; };
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes; boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
fileSystems."/".neededForBoot = true; fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true; fileSystems."/etc".neededForBoot = true;
fileSystems."/var".neededForBoot = true; fileSystems."/boot".neededForBoot = true;
fileSystems."/home".neededForBoot = true; fileSystems."/var".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/home".neededForBoot = true;
}) fileSystems."/nix".neededForBoot = true;
]; };
} }
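Review bot: After this change the disks module sets `fileSystems."/boot".neededForBoot = true` and creates the ESP, but no longer configures any `boot.loader` at all, so a host that only enables `malobeo.disks` gets a partition layout with nothing installed to boot from; if the loader is meant to come from another module, a comment above `config = lib.mkIf cfg.enable {` saying where (e.g. `# boot loader is configured by malobeo.initssh`) would save the next reader a search. The `legacy` option is deleted outright in the first hunk, so any host still setting `malobeo.disks.legacy` fails evaluation with an unhelpful "option does not exist"; the conventional way is to add `(lib.mkRemovedOptionModule [ "malobeo" "disks" "legacy" ] "BIOS/grub boot is no longer supported; hosts must boot via UEFI.")` to the module's `imports`. The pre-existing `keylocation = "file:///tmp/secret.key"` is untouched here but is worth a comment noting it is only used at disko create time and then switched to `prompt` by the `postCreateHook`.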


@@ -26,9 +26,13 @@ in
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = { boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = { zfs = {
forceImportAll = true; forceImportAll = true;
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
}; };
initrd = { initrd = {
availableKernelModules = cfg.ethernetDrivers; availableKernelModules = cfg.ethernetDrivers;
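Review bot: `loader.systemd-boot.enable`, `loader.efi.canTouchEfiVariables` and `supportedFilesystems` now live under `lib.mkIf (cfg.enable && config.malobeo.disks.encryption)`, so a host with `malobeo.initssh.enable = false`, or one that uses the documented "encryption disabled for testing" switch, ends up with no boot loader configured even though the disks module still builds the ESP. The loader settings are unrelated to the initrd SSH unlock and should sit outside that condition, e.g. a separate `(lib.mkIf config.malobeo.disks.enable { boot.loader.systemd-boot.enable = true; ... })` merged with this block, or back in the disks module. The enclosing `config` attribute set continues past the end of this hunk.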


@@ -20,7 +20,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
let let
sops = sops-nix.packages."${pkgs.system}"; sops = sops-nix.packages."${pkgs.system}";
microvmpkg = microvm.packages."${pkgs.system}"; microvmpkg = microvm.packages."${pkgs.system}";
installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
in in
pkgs.mkShell { pkgs.mkShell {
sopsPGPKeyDirs = [ sopsPGPKeyDirs = [
@@ -38,14 +37,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs.mdbook pkgs.mdbook
microvmpkg.microvm microvmpkg.microvm
]; ];
packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
};
legacyPackages = {
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
}; };
packages = { packages = {
remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
docs = pkgs.stdenv.mkDerivation { docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs"; name = "malobeo-docs";
phases = [ "buildPhase" ]; phases = [ "buildPhase" ];
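Review bot: Dropping the `installed`/`packages`/`shellHook` lines from `mkShell` means `nix develop` no longer puts `remote-install` and `boot-unlock` on PATH, and the "Available scripts" hint is gone too; the hunk moves them to `packages` but nothing visible here adds them back to the shell. If the intent is that the dev shell still provides them, add `packages = [ self.packages."${pkgs.system}".remote-install self.packages."${pkgs.system}".boot-unlock ];` to the `mkShell` call; if the intent is that they are run with `nix run .#remote-install`, a one-line comment above `packages = {` saying so would make the change self-explanatory. The `packages` attribute set continues past the end of this hunk.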


@@ -1,4 +1,5 @@
set -o errexit set -o errexit
set -o nounset
set -o pipefail set -o pipefail
if [ $# -lt 2 ]; then if [ $# -lt 2 ]; then
@@ -8,21 +9,6 @@ if [ $# -lt 2 ]; then
exit 1 exit 1
fi fi
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
hostname=$1 hostname=$1
ipaddress=$2 ipaddress=$2
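Review bot: With the "search upward for flake.nix" loop removed, the script now silently depends on being started from the repository root, and any relative path it uses later (this script's body continues past the hunk) will fail with a confusing Nix or sops error rather than a clear message. A two-line guard keeps the fail-fast behaviour without the directory walking: `[ -e flake.nix ] || { echo "run this from the flake root" >&2; exit 1; }`. Adding `set -o nounset` is good; note it also makes any later use of an optional positional parameter (`$3`, etc.) abort unless written as `${3:-}`.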


@@ -4,33 +4,19 @@ set -o pipefail
sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T" sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
HOSTNAME=$1 HOSTNAME=$1
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
echo echo
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
if [ $# = 1 ] if [ $# = 1 ]
then then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ] elif [ $# = 2 ]
then then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2 IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
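Review bot: Hoisting `diskkey=$(sops -d machines/$HOSTNAME/disk.key)` above the `if` is fine, but it now runs (and may prompt for the sops key) even when `$#` is neither 1 nor 2, so consider validating the argument count before decrypting. The larger issue is pre-existing but worth fixing while touching this file: the decrypted disk passphrase is piped over an SSH session opened with `-o StrictHostKeyChecking=no`, so anything answering on `$HOSTNAME-initrd:222` (or on the raw `$IP`) receives the key without any host authentication. Since the initrd host key is presumably fixed per host (the commit title mentions constant keys), pin it with something like `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts.initrd` and keep that file in the repo. Also note `HOSTNAME` shadows bash's own `$HOSTNAME` variable; a lower-case name such as `hostname` (as the sibling script uses) avoids surprises.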