mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

fix: generate initrd hostkey if necessary when system is bootstrapped; fix disko partition types

Browse source
This commit is contained in:
oddlama 2023-04-29 00:53:06 +02:00
parent 5c98df767b
commit c3141bf563
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 69 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

17
README.md
View file

@ -22,8 +22,8 @@ This is my personal nix config.
- `nom/` - My laptop and main development machine - `nom/` - My laptop and main development machine
- `ward/` - ODROID H3, energy efficient SBC. Used as a firewall betwenn my ISP and internal home network. Hosts some lightweight services using full KVM virtual machines. - `ward/` - ODROID H3, energy efficient SBC. Used as a firewall betwenn my ISP and internal home network. Hosts some lightweight services using full KVM virtual machines.
- `envoy/` - Hetzner Cloud server. Primarily used as my mailserver and VPN provider. - `envoy/` - Hetzner Cloud server. Primarily used as my mailserver and VPN provider.
- `zackbiene/` - ODROID N2+. Hosts IoT and Home Automation stuff and fully isolates that from my internal network. - `zackbiene/` - ODROID N2+. Hosts IoT and Home Automation stuff and fully isolates that stuff from my internal network.
- not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/) - not yet ready for publicized: my main development machine, the powerful home server, some services ... (still in transition from gentoo :/)
- `modules/` additional NixOS modules that are not yet upstreamed. - `modules/` additional NixOS modules that are not yet upstreamed.
- `nix/` library functions and plumbing - `nix/` library functions and plumbing
- `apps/` Additional runnable actions for this flake - `apps/` Additional runnable actions for this flake
@ -52,19 +52,24 @@ This is my personal nix config.
#### Add new machine #### Add new machine
... ... incomplete.
- add hosts/<name> - add hosts/<name>
- fill meta.nix - fill meta.nix
- fill net.nix - fill net.nix
- todo: hostid (move to nodeSecrets) - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
- generate-initrd-keys - generate-initrd-keys
- generate-wireguard-keys - generate-wireguard-keys
#### Initial deploy #### Initial deploy
- Create a iso disk image for the system using `nix build --print-out-paths --no-link .#installer-image-<hostname>` - Create a iso disk image for the system by using `nix build --print-out-paths --no-link .#installer-image-<host>`
- dd the resulting image to a stick and boot from it - dd the resulting image to a stick and boot from it on the target
- (Optional) ssh into the target (keys are already set up)
- Run `install-system` and reboot
- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ed25519.*' > host/<host>/secrets/host.pub`
- Rekey the secrets for the new identity `nix run .#rekey`
- Deploy again remotely via colmena
#### Show QR for external wireguard client #### Show QR for external wireguard client

15
hosts/common/initrd-ssh.nix
View file

@ -11,4 +11,19 @@
port = 4; port = 4;
hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path]; hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
}; };
# Make sure that there is always a valid initrd hostkey available that can be installed into
# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
# whatever is given, since the correct hostkey doesn't even exist yet. We still require
# a valid hostkey to be available so that the initrd can be generated successfully.
# The correct initrd host-key will be installed with the next update after the host is booted
# for the first time, and the secrets were rekeyed for the the new host identity.
system.activationScripts.agenixEnsureInitrdHostkey = {
text = ''
[[ -e ${rekey.secrets.initrd_host_ed25519_key.path} ]] \
|| ssh-keygen -t ed25519 -N "" -f ${rekey.secrets.initrd_host_ed25519_key.path}
'';
deps = ["agenixInstall"];
};
system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
} }

4
hosts/ward/fs.nix
View file

@ -7,7 +7,7 @@
disk = { disk = {
m2-ssd = { m2-ssd = {
type = "disk"; type = "disk";
device = "/dev/disk/by-id/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; device = "/dev/disk/by-id/nvme-Samsung_SSD_980_1TB_S649NL0TC36758M";
content = { content = {
type = "table"; type = "table";
format = "gpt"; format = "gpt";
@ -17,6 +17,7 @@
start = "2048"; start = "2048";
end = "1GiB"; end = "1GiB";
fs-type = "fat32"; fs-type = "fat32";
bootable = true;
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
@ -27,6 +28,7 @@
name = "swap"; name = "swap";
start = "1GiB"; start = "1GiB";
end = "17GiB"; end = "17GiB";
fs-type = "linux-swap";
content = { content = {
type = "swap"; type = "swap";
randomEncryption = true; randomEncryption = true;

37
nix/generate-installer.nix
View file

@ -8,18 +8,30 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }: let
disko = pkgs.writeShellScriptBin "disko" "${nodeAttrs.config.system.build.disko}";
disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
install-system = pkgs.writeShellScriptBin "install-system" ''
set -euo pipefail
echo "Formatting disks..."
${disko}/bin/disko
echo "Installing system..."
nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
echo "Done!"
'';
in {
isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
system.stateVersion = "23.05"; system.stateVersion = "23.05";
nix.extraOptions = '' nix.extraOptions = ''
experimental-features = nix-command flakes recursive-nix experimental-features = nix-command flakes recursive-nix
''; '';
isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso"; console.keyMap = "de-latin1-nodeadkeys";
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root = { users.users.root = {
password = "nixos"; password = "nixos";
@ -37,14 +49,21 @@
fzf fzf
wget wget
curl curl
# TODO nodeAttrs.config.boot.system.
disko
disko-mount
disko-format
install-system
]; ];
}; };
}; };
in { in {
packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate { packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate {
pkgs = self.pkgs.${system}; pkgs = self.pkgs.${system};
modules = [configuration]; modules = [
configuration
../hosts/common/core/ssh.nix
];
format = format =
{ {
x86_64-linux = "install-iso"; x86_64-linux = "install-iso";

19
nix/lib.nix
View file

@ -54,7 +54,6 @@ in rec {
recursiveUpdate { recursiveUpdate {
${name} = { ${name} = {
type = "zpool"; type = "zpool";
mode = "mirror";
rootFsOptions = { rootFsOptions = {
compression = "zstd"; compression = "zstd";
acltype = "posix"; acltype = "posix";
@ -74,19 +73,25 @@ in rec {
"local/root" = { "local/root" = {
type = "zfs_fs"; type = "zfs_fs";
postCreateHook = "zfs snapshot ${name}/local/root@blank"; postCreateHook = "zfs snapshot ${name}/local/root@blank";
options.canmount = "on"; options = {
mountpoint = "/"; canmount = "on";
mountpoint = "/";
};
}; };
"local/nix" = { "local/nix" = {
type = "zfs_fs"; type = "zfs_fs";
options.canmount = "on"; options = {
mountpoint = "/nix"; canmount = "on";
mountpoint = "/nix";
};
}; };
"safe".type = "zfs_fs"; "safe".type = "zfs_fs";
"safe/persist" = { "safe/persist" = {
type = "zfs_fs"; type = "zfs_fs";
options.canmount = "on"; options = {
mountpoint = "/persist"; canmount = "on";
mountpoint = "/persist";
};
}; };
}; };
}; };