fix: generate initrd hostkey if necessary when system is bootstrapped; fix disko partition types

2025-10-11 07:10:39 +02:00 · 2023-04-29 00:53:06 +02:00 · 2023-04-29 00:53:06 +02:00 · c3141bf563
commit c3141bf563
parent 5c98df767b
5 changed files with 69 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -22,8 +22,8 @@ This is my personal nix config.
  - `nom/` - My laptop and main development machine
  - `ward/` - ODROID H3, energy efficient SBC. Used as a firewall betwenn my ISP and internal home network. Hosts some lightweight services using full KVM virtual machines.
  - `envoy/` - Hetzner Cloud server. Primarily used as my mailserver and VPN provider.
-  - `zackbiene/` - ODROID N2+. Hosts IoT and Home Automation stuff and fully isolates that from my internal network.
-  - not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/)
+  - `zackbiene/` - ODROID N2+. Hosts IoT and Home Automation stuff and fully isolates that stuff from my internal network.
+  - not yet ready for publicized: my main development machine, the powerful home server, some services ... (still in transition from gentoo :/)
 - `modules/` additional NixOS modules that are not yet upstreamed.
 - `nix/` library functions and plumbing
  - `apps/` Additional runnable actions for this flake
@ -52,19 +52,24 @@ This is my personal nix config.

 #### Add new machine

-...
+... incomplete.

 - add hosts/<name>
 - fill meta.nix
 - fill net.nix
- todo: hostid (move to nodeSecrets)
+- fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
 - generate-initrd-keys
 - generate-wireguard-keys

 #### Initial deploy

- Create a iso disk image for the system using `nix build --print-out-paths --no-link .#installer-image-<hostname>`
- dd the resulting image to a stick and boot from it
+- Create a iso disk image for the system by using `nix build --print-out-paths --no-link .#installer-image-<host>`
+- dd the resulting image to a stick and boot from it on the target
+- (Optional) ssh into the target (keys are already set up)
+- Run `install-system` and reboot
+- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ed25519.*' > host/<host>/secrets/host.pub`
+- Rekey the secrets for the new identity `nix run .#rekey`
+- Deploy again remotely via colmena

 #### Show QR for external wireguard client

--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@ -11,4 +11,19 @@
    port = 4;
    hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
  };
+
+  # Make sure that there is always a valid initrd hostkey available that can be installed into
+  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
+  # a valid hostkey to be available so that the initrd can be generated successfully.
+  # The correct initrd host-key will be installed with the next update after the host is booted
+  # for the first time, and the secrets were rekeyed for the the new host identity.
+  system.activationScripts.agenixEnsureInitrdHostkey = {
+    text = ''
+      [[ -e ${rekey.secrets.initrd_host_ed25519_key.path} ]] \
+        || ssh-keygen -t ed25519 -N "" -f ${rekey.secrets.initrd_host_ed25519_key.path}
+    '';
+    deps = ["agenixInstall"];
+  };
+  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
 }
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@ -7,7 +7,7 @@
    disk = {
      m2-ssd = {
        type = "disk";
-        device = "/dev/disk/by-id/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_980_1TB_S649NL0TC36758M";
        content = {
          type = "table";
          format = "gpt";
@ -17,6 +17,7 @@
              start = "2048";
              end = "1GiB";
              fs-type = "fat32";
+              bootable = true;
              content = {
                type = "filesystem";
                format = "vfat";
@ -27,6 +28,7 @@
              name = "swap";
              start = "1GiB";
              end = "17GiB";
+              fs-type = "linux-swap";
              content = {
                type = "swap";
                randomEncryption = true;
--- a/nix/generate-installer.nix
+++ b/nix/generate-installer.nix
@ -8,18 +8,30 @@
    pkgs,
    lib,
    ...
-  }: {
+  }: let
+    disko = pkgs.writeShellScriptBin "disko" "${nodeAttrs.config.system.build.disko}";
+    disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
+    disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
+
+    install-system = pkgs.writeShellScriptBin "install-system" ''
+      set -euo pipefail
+
+      echo "Formatting disks..."
+      ${disko}/bin/disko
+
+      echo "Installing system..."
+      nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
+
+      echo "Done!"
+    '';
+  in {
+    isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
    system.stateVersion = "23.05";
    nix.extraOptions = ''
      experimental-features = nix-command flakes recursive-nix
    '';

-    isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
-
-    services.openssh = {
-      enable = true;
-      settings.PermitRootLogin = "yes";
-    };
+    console.keyMap = "de-latin1-nodeadkeys";

    users.users.root = {
      password = "nixos";
@ -37,14 +49,21 @@
        fzf
        wget
        curl
-        # TODO nodeAttrs.config.boot.system.
+
+        disko
+        disko-mount
+        disko-format
+        install-system
      ];
    };
  };
 in {
  packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate {
    pkgs = self.pkgs.${system};
-    modules = [configuration];
+    modules = [
+      configuration
+      ../hosts/common/core/ssh.nix
+    ];
    format =
      {
        x86_64-linux = "install-iso";
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -54,7 +54,6 @@ in rec {
    recursiveUpdate {
      ${name} = {
        type = "zpool";
-        mode = "mirror";
        rootFsOptions = {
          compression = "zstd";
          acltype = "posix";
@ -74,23 +73,29 @@ in rec {
          "local/root" = {
            type = "zfs_fs";
            postCreateHook = "zfs snapshot ${name}/local/root@blank";
-            options.canmount = "on";
+            options = {
+              canmount = "on";
              mountpoint = "/";
            };
+          };
          "local/nix" = {
            type = "zfs_fs";
-            options.canmount = "on";
+            options = {
+              canmount = "on";
              mountpoint = "/nix";
            };
+          };
          "safe".type = "zfs_fs";
          "safe/persist" = {
            type = "zfs_fs";
-            options.canmount = "on";
+            options = {
+              canmount = "on";
              mountpoint = "/persist";
            };
          };
        };
      };
+    };

  rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
  rageExtraEncryptionPubkeys =