feat: finish system bootstrapping with iso

2025-10-11 07:10:39 +02:00 · 2023-04-29 22:34:42 +02:00 · 2023-04-29 22:34:42 +02:00 · a90a8ee678
commit a90a8ee678
parent c3141bf563
6 changed files with 33 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -71,6 +71,11 @@ This is my personal nix config.
 - Rekey the secrets for the new identity `nix run .#rekey`
 - Deploy again remotely via colmena

+#### Remote encrypted unlock
+
+If a host uses encrypted root together with the `common/initrd-ssh.nix` module,
+it can be unlocked remotely by connecting via ssh on port 4 and executing `systemd-tty-ask-password-agent`.
+
 #### Show QR for external wireguard client

 nix run show-wireguard-qr
--- a/flake.lock
+++ b/flake.lock
@ -53,11 +53,11 @@
        "stable": "stable"
      },
      "locked": {
-        "lastModified": 1682202576,
-        "narHash": "sha256-vcTEEEHKx4PTfY80bUmZMwXRy0cTDJCkULHhqe1HJS8=",
+        "lastModified": 1682737380,
+        "narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "089431737e283ed3e402a7dff578cb442444c431",
+        "rev": "be837ee341b6508c355035973d5f7c7e88d7c64f",
        "type": "github"
      },
      "original": {
@ -116,15 +116,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1682299489,
-        "narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
-        "owner": "nix-community",
+        "lastModified": 1682795657,
+        "narHash": "sha256-tLZV918KDU8GrucWqliAwO87mqWJhIrvaF17LU51UjE=",
+        "owner": "oddlama",
        "repo": "disko",
-        "rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
+        "rev": "3a952244d422ea0e25b0e53c1fe2798605a59434",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "oddlama",
        "repo": "disko",
        "type": "github"
      }
@ -207,11 +207,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682419509,
-        "narHash": "sha256-+/HI3RbJcEKQ5+55dECzh8geginsbabsA0R3ORKi2Us=",
+        "lastModified": 1682779989,
+        "narHash": "sha256-H8AjcIBYFYrlRobYJ+n1B+ZJ6TsaaeZpuLn4iRqVvr4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6142193635ecdafb9a231bd7d1880b9b7b210d19",
+        "rev": "3144311f31194b537808ae6848f86f3dbf977d59",
        "type": "github"
      },
      "original": {
@ -344,11 +344,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1682453498,
-        "narHash": "sha256-WoWiAd7KZt5Eh6n+qojcivaVpnXKqBsVgpixpV2L9CE=",
+        "lastModified": 1682692304,
+        "narHash": "sha256-9/lyXN2BpHw+1xE+D2ySBSLMCHWqiWu5tPHBMRDib8M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c8018361fa1d1650ee8d4b96294783cf564e8a7f",
+        "rev": "937a9d1ee7b1351d8c55fff6611a8edf6e7c1c37",
        "type": "github"
      },
      "original": {
@ -387,11 +387,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1682326782,
-        "narHash": "sha256-wj7p7iEwQXAfTZ6QokAe0dMbpQk5u7ympDnaiPvbv1w=",
+        "lastModified": 1682596858,
+        "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "56cd2d47a9c937be98ab225cf014b450f1533cdb",
+        "rev": "fb58866e20af98779017134319b5663b8215d912",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,9 @@
    };

    disko = {
-      url = "github:nix-community/disko";
+      # TODO temporary until reimport PR merged
+      #url = "github:nix-community/disko";
+      url = "github:oddlama/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };

--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@ -1,6 +1,7 @@
 {
  config,
  name,
+  pkgs,
  ...
 }: {
  rekey.secrets.initrd_host_ed25519_key.file = ../${name}/secrets/initrd_host_ed25519_key.age;
@ -20,8 +21,8 @@
  # for the first time, and the secrets were rekeyed for the the new host identity.
  system.activationScripts.agenixEnsureInitrdHostkey = {
    text = ''
-      [[ -e ${rekey.secrets.initrd_host_ed25519_key.path} ]] \
-        || ssh-keygen -t ed25519 -N "" -f ${rekey.secrets.initrd_host_ed25519_key.path}
+      [[ -e ${config.rekey.secrets.initrd_host_ed25519_key.path} ]] \
+        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.rekey.secrets.initrd_host_ed25519_key.path}
    '';
    deps = ["agenixInstall"];
  };
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@ -14,7 +14,7 @@
          partitions = [
            {
              name = "efi";
-              start = "2048";
+              start = "0%";
              end = "1GiB";
              fs-type = "fat32";
              bootable = true;
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -54,6 +54,7 @@ in rec {
    recursiveUpdate {
      ${name} = {
        type = "zpool";
+        mountRoot = "/mnt";
        rootFsOptions = {
          compression = "zstd";
          acltype = "posix";
@ -77,6 +78,7 @@ in rec {
              canmount = "on";
              mountpoint = "/";
            };
+            mountpoint = "/";
          };
          "local/nix" = {
            type = "zfs_fs";
@ -84,6 +86,7 @@ in rec {
              canmount = "on";
              mountpoint = "/nix";
            };
+            mountpoint = "/nix";
          };
          "safe".type = "zfs_fs";
          "safe/persist" = {
@ -92,6 +95,7 @@ in rec {
              canmount = "on";
              mountpoint = "/persist";
            };
+            mountpoint = "/persist";
          };
        };
      };