diff --git a/README.md b/README.md index ffae69a..3091bd2 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,6 @@ This is my personal nix config. - `default.nix` Collects all apps and generates a definition for a specified system - `draw-graph.nix` (**WIP:** infrastructure graph renderer) - `format-secrets.nix` Runs the code formatter on the secret .nix files - - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup) - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair - `show-wireguard-qr.nix` Generates a QR code for external wireguard participants - `checks.nix` pre-commit-hooks for this repository @@ -62,14 +61,24 @@ This is my personal nix config. - create hosts/ - fill net.nix - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!) -- generate-initrd-keys -- generate-wireguard-keys +- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...` +- run generate-wireguard-keys #### Initial deploy +A. Fresh pre-made installer ISO + - Create a iso disk image for the system with `nix build --print-out-paths --no-link .#installer-image-` - dd the resulting image to a stick and boot from it on the target - (Optional) ssh into the target (keys are already set up) + +B. Reusing any nixos-live iso + +- Boot from live-iso and setup ssh access by writing your key to `/root/.ssh/authorized_keys` +- Copy installer package with `nix copy --to .#installer-package-` + +Afterwards: + - Run `install-system` and reboot - Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub` - (If the host has microvms, also retrieve their identities!) diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix index e6b759f..7d4038e 100644 --- a/hosts/sentinel/fs.nix +++ b/hosts/sentinel/fs.nix 
@@ -14,7 +14,8 @@
 type = "table";
 format = "gpt";
 partitions = [
- (partEfi "efi" "0%" "512MiB")
+ (partGrub "grub" "0%" "1MiB")
+ (partEfi "bios" "1MiB" "512MiB")
 (partLuksZfs "rpool" "512MiB" "100%")
 ];
 };
diff --git a/hosts/sentinel/secrets/host.pub b/hosts/sentinel/secrets/host.pub
deleted file mode 100644
index e69de29..0000000
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index aab7048..c5de8ef 100644
Binary files a/hosts/sentinel/secrets/local.nix.age and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/nix/generate-installer.nix b/nix/generate-installer.nix
index 8fe3ef0..44cae1c 100644
--- a/nix/generate-installer.nix
+++ b/nix/generate-installer.nix
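Review bot: The EFI System Partition is now labelled `bios` while the new bios_grub partition is labelled `grub`, which inverts what the two names mean; `partEfi` is the FAT32 ESP (lib.nix sets `fs-type = "fat32"` for it), so `(partEfi "efi" "1MiB" "512MiB")` keeps the label truthful and only moves the start past the 1MiB GRUB partition. If anything else in the host configuration addresses this partition by label (a by-partlabel path, for instance), the rename away from `efi` would also have to be mirrored there — that is not visible in this hunk, so it is worth confirming before merging. The enclosing disko attribute set starts and ends outside the hunk.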
@@ -4,27 +4,40 @@ ... }: nodeName: nodeAttrs: let inherit (self.hosts.${nodeName}) system; + + pkgs = self.pkgs.${system}; + + disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}"; + disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}"; + disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}"; + + install-system = pkgs.writeShellScriptBin "install-system" '' + set -euo pipefail + + echo "Formatting disks..." + ${disko-script}/bin/disko-script + + echo "Installing system..." + nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel} + + echo "Done!" + ''; + + installer-package = pkgs.symlinkJoin { + name = "installer-package-${nodeName}"; + paths = with pkgs; [ + disko-script + disko-mount + disko-format + install-system + ]; + }; + configuration = { pkgs, lib, ... - }: let - disko = pkgs.writeShellScriptBin "disko" "${nodeAttrs.config.system.build.disko}"; - disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}"; - disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}"; - - install-system = pkgs.writeShellScriptBin "install-system" '' - set -euo pipefail - - echo "Formatting disks..." - ${disko}/bin/disko - - echo "Installing system..." - nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel} - - echo "Done!" - ''; - in { + }: { isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso"; system.stateVersion = self.stateVersion; nix.extraOptions = '' @@ -41,6 +54,8 @@ environment = { variables.EDITOR = "nvim"; systemPackages = with pkgs; [ + installer-package + neovim git tmux 
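Review bot: `install-system` runs `${disko-script}/bin/disko-script` and formats every disk of the node with no confirmation, and since this commit turns it into `installer-package`, meant to be copied into any existing live system, a mistyped `nix copy` target or running it on the wrong machine wipes that machine's disks with no chance to back out. A guard before the format step that makes the operator name the node would stop that: `read -rp "This will WIPE the disks of ${nodeName}. Type the hostname to continue: " confirm` followed by `[[ "$confirm" == "${nodeName}" ]] || { echo "Aborted."; exit 1; }` (`nodeName` is already in scope, as the `installer-package` name shows). Separately, `with pkgs;` on the `paths` list of `symlinkJoin` is unnecessary because all four entries are let-bound in this file, and it only obscures where the names come from. The `let` block that these bindings belong to continues past the end of the hunk.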
@@ -49,26 +64,27 @@ fzf wget curl - - disko - disko-mount - disko-format - install-system ]; }; }; in { - packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate { - pkgs = self.pkgs.${system}; - modules = [ - configuration - ../hosts/common/core/ssh.nix - ]; - format = - { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - } - .${system}; + packages.${system} = { + # Everything required for the installer as a single package, + # so it can be used from an existing live system by copying the derivation. + # TODO can we use a unified installer iso? does that work regarding size of this package? + "installer-package-${nodeName}" = installer-package; + "installer-image-${nodeName}" = nixos-generators.nixosGenerate { + inherit pkgs; + modules = [ + configuration + ../hosts/common/core/ssh.nix + ]; + format = + { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + } + .${system}; + }; }; } diff --git a/nix/lib.nix b/nix/lib.nix index 8a205ba..3a1d58a 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -131,6 +131,11 @@ in rec { disko = { gpt = { + partGrub = name: start: end: { + inherit name start end; + part-type = "primary"; + flags = ["bios_grub"]; + }; partEfi = name: start: end: { inherit name start end; fs-type = "fat32";