[fanny] fix flushing init vpn

[fanny] fix typo
[fanny] flush wg-initd
2025-11-15 18:02:20 +01:00 · 2025-11-15 17:21:45 +01:00 · 2025-11-15 17:17:40 +01:00 · 2025-11-15 16:50:07 +01:00 · 2025-11-15 16:37:11 +01:00 · 2025-11-15 16:22:03 +01:00
3 changed files with 35 additions and 23 deletions
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -91,6 +91,10 @@ in

  boot.initrd = {
    availableKernelModules = [ "wireguard" ];
+    # postMountCommands = ''
+    #   ip address flush dev wg-initrd
+    #   ip link set dev wg-initrd down
+    # '';
    systemd = {
      enable = true;
      network = {
@@ -102,15 +106,15 @@ in
          };
          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
          wireguardPeers = [{
-            AllowedIPs = peers.fanny-initrd.allowedIPs;
-            PublicKey = peers.fanny-initrd.publicKey;
+            AllowedIPs = peers.vpn.allowedIPs;
+            PublicKey = peers.vpn.publicKey;
            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
            PersistentKeepalive = 25;
          }];
        };
        networks."30-wg-initrd" = {
          name = "wg-initrd";
-          addresses = [{ Address = peers.fanny-initrd.address; }];
+          addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
        };
      };
    };
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -42,30 +42,36 @@ in
      initrd = {
        availableKernelModules = cfg.ethernetDrivers;
        systemd = {
-          packages = [ pkgs.busybox ];
+          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
          enable = true;
          network.enable = true;
+          services."stopInitVpn" = {
+            description = "stop init vpn";
+            wantedBy = [
+              "initrd.target"
+            ];
+            after = [
+              "zfs.target"
+            ];
+            serviceConfig.StandardOutput = "journal+console";
+            script = ''
+              networkctl down wg-initrd
+            '';
+            serviceConfig.Type = "oneshot";
      };
-        network.ssh = {
+        };
+        network = {
+          flushBeforeStage2 = true;
+          ssh = {
            enable = true;
            port = 222;
            authorizedKeys = cfg.authorizedKeys;
            hostKeys = [ "/etc/ssh/initrd" ];
          };
+        };
        secrets = {
          "/etc/ssh/initrd" = "/etc/ssh/initrd";
        };
-        systemd.services.zfs-remote-unlock = {
-          description = "Prepare for ZFS remote unlock";
-          wantedBy = ["initrd.target"];
-          after = ["systemd-networkd.service"];
-          path = with pkgs; [ zfs ];
-          serviceConfig.Type = "oneshot";
-          script = ''
-            zpool import storage
-            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
-          '';
-        };
      };
      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
    };
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
    then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data

 elif [ $# = 2 ]
    then
    ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
    
 else
    echo
Author	SHA1	Message	Date
ahtlon	b94574c640	[fanny] fix flushing init vpn All checks were successful Check flake syntax / flake-check (push) Successful in 4m46s Details	2025-11-15 18:02:20 +01:00
kalipso	a97de389e5	[fanny] fix typo Some checks failed Check flake syntax / flake-check (push) Failing after 2m48s Details	2025-11-15 17:21:45 +01:00
kalipso	845379ac86	[fanny] flush wg-initd Some checks failed Check flake syntax / flake-check (push) Failing after 2m52s Details	2025-11-15 17:17:40 +01:00
kalipso	e91481c405	[initssh] network.flushBeforeStage2 All checks were successful Check flake syntax / flake-check (push) Successful in 10m17s Details	2025-11-15 16:50:07 +01:00
kalipso	d3312c870a	[fanny] remove zfs-remote-unlock All checks were successful Check flake syntax / flake-check (push) Successful in 5m19s Details	2025-11-15 16:37:11 +01:00
kalipso	eee561b650	[fanny] set /24 for wg ip All checks were successful Check flake syntax / flake-check (push) Successful in 4m51s Details	2025-11-15 16:22:03 +01:00
ahtlon	a612221e2a	change script to first import storage before unlocking root All checks were successful Check flake syntax / flake-check (push) Successful in 4m49s Details	2025-11-15 16:12:32 +01:00
kalipso	73c482ece0	[fanny] set vpn pubkey All checks were successful Check flake syntax / flake-check (push) Successful in 4m53s Details	2025-11-15 16:07:17 +01:00
kalipso	4d4e9d980b	[initssh] add iproute2 All checks were successful Check flake syntax / flake-check (push) Successful in 4m55s Details	2025-11-15 15:48:40 +01:00
kalipso	beb3839a6b	[initssh] add wireguard-tools	2025-11-15 15:47:38 +01:00
kalipso	0df32bf47c	[initssh] fix busybox	2025-11-15 15:47:02 +01:00