kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

merge into: kalipso:printer-module
Branches Tags
kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
...
pull from: kalipso:issue31
Branches Tags
kalipso:staging kalipso:master kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

7 Commits
printer-mo ... issue31

Author SHA1 Message Date
kalipso
2f4cb3787b [disko] rm duplicate filesystems entry
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m16s
Details
2025-02-05 14:31:39 +01:00
kalipso
4f9e66ba82 Merge branch 'master' into issue31
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m0s
Details
2025-02-05 14:25:57 +01:00
ahtlon
c51c1e8e92 Merge master
All checks were successful
Check flake syntax / flake-check (push) Successful in 6m6s
Details
2025-01-19 18:00:27 +01:00
ahtlon
a96b8f65c9 [disko]Force grub on legacy boot
Some checks failed
Check flake syntax / flake-check (push) Waiting to run
Details
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Has been cancelled
Details
Check flake syntax / flake-check (pull_request) Has been cancelled
Details
2025-01-19 17:59:29 +01:00
Ahtlon
29d6bc02e0 Merge branch 'master' into issue31
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m41s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m46s
Details
Check flake syntax / flake-check (pull_request) Failing after 2m20s
Details
Check flake syntax / flake-check (push) Failing after 2m15s
Details
2025-01-18 22:57:21 +01:00
ahtlon
c0cef1ff1e Apply legacy to bakunin
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 5m14s
Details
2025-01-18 21:33:41 +01:00
ahtlon
7099c92236 [disko] add legacy option 
I don't know if the grub device is right
 2025-01-18 21:33:23 +01:00
3 changed files with 205 additions and 182 deletions
Expand all files Collapse all files

5
machines/bakunin/configuration.nix
View File

@@ -26,6 +26,7 @@ in
malobeo.disks = { malobeo.disks = {
enable = true; enable = true;
legacy = true;
hostId = "a3c3102f"; hostId = "a3c3102f";
root = { root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ"; disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
@@ -33,9 +34,7 @@ in
}; };
malobeo.initssh = { malobeo.initssh = {
enable = true; enable = false;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
}; };
hardware.sane.enable = true; #scanner support hardware.sane.enable = true; #scanner support

379
machines/modules/disko/default.nix
View File

@@ -20,6 +20,11 @@ in
default = true; default = true;
description = "Allows encryption to be disabled for testing"; description = "Allows encryption to be disabled for testing";
}; };
legacy = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable legacy boot (bios)";
};
devNodes = lib.mkOption { devNodes = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/dev/disk/by-id/"; default = "/dev/disk/by-id/";
@@ -81,198 +86,220 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkMerge [
networking.hostId = cfg.hostId; (lib.mkIf (cfg.enable && !cfg.legacy) {
disko.devices = { boot = {
disk = lib.mkMerge [ loader.systemd-boot.enable = true;
{ loader.efi.canTouchEfiVariables = true;
ssd0 = lib.mkIf (cfg.root.disk0 != "") { supportedFilesystems = [ "vfat" "zfs" ];
type = "disk"; };
device = "/dev/${cfg.root.disk0}"; fileSystems."/boot".neededForBoot = true;
content = { })
type = "gpt"; (lib.mkIf (cfg.enable && cfg.legacy) {
partitions = { boot.loader.grub = {
ESP = { enable = lib.mkForce true;
size = "1024M"; device = "/dev/${cfg.root.disk0}-part1";
type = "EF00"; efiSupport = false;
content = { enableCryptodisk = cfg.encryption;
type = "filesystem"; zfsSupport = true;
format = "vfat"; };
mountpoint = "/boot"; })
mountOptions = [ "umask=0077" ]; (lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = lib.mkIf (!cfg.legacy) {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
}; };
}; boot = lib.mkIf cfg.legacy {
encryptedSwap = { size = "1024M";
size = cfg.root.swap; type = "EF02";
content = {
type = "swap";
randomEncryption = true;
}; };
}; encryptedSwap = {
zfs = { size = cfg.root.swap;
size = "100%"; content = {
content = { type = "swap";
type = "zfs"; randomEncryption = true;
pool = "zroot"; };
}; };
}; zfs = {
}; size = "100%";
}; content = {
}; type = "zfs";
ssd1 = lib.mkIf (cfg.root.disk1 != "") { pool = "zroot";
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
}; };
}; };
}; };
}; };
}) cfg.storage.disks };
) ssd1 = lib.mkIf (cfg.root.disk1 != "") {
)) type = "disk";
]; device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
}) cfg.storage.disks
)
))
];
zpool = { zpool = {
zroot = { zroot = {
type = "zpool"; type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror"; mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests # Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none"; options.cachefile = "none";
rootFsOptions = { rootFsOptions = {
mountpoint = "none"; mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd"; compression = "zstd";
"com.sun:auto-snapshot" = "false"; "com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
}; };
datasets = { storage = lib.mkIf cfg.storage.enable {
encrypted = { type = "zpool";
type = "zfs_fs"; mode = lib.mkIf (cfg.storage.mirror) "mirror";
options = { rootFsOptions = {
mountpoint = "none"; mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm"; xattr = "sa"; # für microvm virtiofs mount
keyformat = lib.mkIf cfg.encryption "passphrase"; acltype = "posixacl"; # für microvm virtiofs mount
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; };
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="file:///root/secret.key" storage/encrypted;
'';
}; };
# use this to read the key during boot "encrypted/data" = {
postCreateHook = lib.mkIf cfg.encryption '' type = "zfs_fs";
zfs set keylocation="prompt" zroot/encrypted; mountpoint = "/data";
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
}; };
type = "zfs_fs"; reserved = {
}; # for cow delete if pool is full
}; options = {
}; canmount = "off";
mountpoint = "none";
storage = lib.mkIf cfg.storage.enable { reservation = "${cfg.storage.reservation}";
type = "zpool"; };
mode = lib.mkIf (cfg.storage.mirror) "mirror"; type = "zfs_fs";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
}; };
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="file:///root/secret.key" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
}; };
}; };
}; };
}; };
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes; boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ]; boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true; fileSystems."/".neededForBoot = true;
fileSystems."/boot".neededForBoot = true; fileSystems."/etc".neededForBoot = true;
fileSystems."/var".neededForBoot = true; fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/nix".neededForBoot = true;
}; })
];
} }

3
machines/modules/malobeo/initssh.nix
View File

@@ -26,9 +26,6 @@ in
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = { boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = { zfs = {
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
}; };