From 61d582f033ef7c062a11d73ee1d4ced1a141747f Mon Sep 17 00:00:00 2001
From: oddlama
Date: Tue, 30 May 2023 02:46:29 +0200
Subject: [PATCH] feat: add ability to copy installer scripts to existing live systems
---
 README.md | 15 ++++-
 hosts/sentinel/fs.nix | 3 +-
 hosts/sentinel/secrets/host.pub | 0
 hosts/sentinel/secrets/local.nix.age | Bin 809 -> 816 bytes
 nix/generate-installer.nix | 84 ++++++++++++++++-----------
 nix/lib.nix | 5 ++
 6 files changed, 69 insertions(+), 38 deletions(-)
 delete mode 100644 hosts/sentinel/secrets/host.pub
diff --git a/README.md b/README.md
index ffae69a..3091bd2 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,6 @@ This is my personal nix config.
 - `default.nix` Collects all apps and generates a definition for a specified system
 - `draw-graph.nix` (**WIP:** infrastructure graph renderer)
 - `format-secrets.nix` Runs the code formatter on the secret .nix files
- - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
 - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
 - `show-wireguard-qr.nix` Generates a QR code for external wireguard participants
 - `checks.nix` pre-commit-hooks for this repository
@@ -62,14 +61,24 @@ This is my personal nix config.
 - create hosts/
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
-- generate-initrd-keys
-- generate-wireguard-keys
+- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...`
+- run generate-wireguard-keys
 #### Initial deploy
+A. Fresh pre-made installer ISO
+
 - Create a iso disk image for the system with `nix build --print-out-paths --no-link .#installer-image-`
 - dd the resulting image to a stick and boot from it on the target
 - (Optional) ssh into the target (keys are already set up)
+
+B. Reusing any nixos-live iso
+
+- Boot from live-iso and setup ssh access by writing your key to `/root/.ssh/authorized_keys`
+- Copy installer package with `nix copy --to .#installer-package-`
+
+Afterwards:
+
 - Run `install-system` and reboot
 - Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub`
 - (If the host has microvms, also retrieve their identities!)
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
index e6b759f..7d4038e 100644
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@@ -14,7 +14,8 @@
 type = "table";
 format = "gpt";
 partitions = [
- (partEfi "efi" "0%" "512MiB")
+ (partGrub "grub" "0%" "1MiB")
+ (partEfi "bios" "1MiB" "512MiB")
 (partLuksZfs "rpool" "512MiB" "100%")
 ];
 };
diff --git a/hosts/sentinel/secrets/host.pub b/hosts/sentinel/secrets/host.pub
deleted file mode 100644
index e69de29..0000000
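Review bot: The labels on the two new partitions read backwards: `partEfi "bios" "1MiB" "512MiB"` names the FAT32 EFI system partition "bios", while the 1 MiB `bios_grub` partition created by `partGrub` is called "grub". Since the first argument becomes the partition's name on disk, consider `(partGrub "bios" "0%" "1MiB")` and `(partEfi "efi" "1MiB" "512MiB")` so that tools listing the table are not misleading. The enclosing attribute set continues outside the hunk.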
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age index aab70485d2decaadf090f0a9549399dae16f3db4..c5de8ef9ec062557f03a65914c4bcf58ec564582 100644 GIT binary patch delta 797 zcmV+&1LFLt2CxQ@Ab(;{Xhd~!aaBiIcy~5*cx_d4S~oB=LsKtHOgS($H)%mQb#pa% zW@2+iGzu$YXm4y`F=#PEXj5)TRcvi-MnghRLQhmlP&O-0N;pksF?UCIH%4++I0`L3 zAaH4REpRe5HXwL$Q)M_&AVGI(MpamHLSjf-Npo#zY->m{LVq$;Pf%8EP*rMEN=|2Q zNli90R(e=?VK53*b46G~dRH)VO?rATN@p)KWGi)eD@RXdLvS%OMMY9gdPj3wWimEc zGEoXGJ|JB$D=lYoWnpt=3P(|POH^emV?=dVZg*KQOhZ&RF;GuSYgTwjFh@*xT4!@) zYIu2XPcdVg_lT69J=6T4ql(Mo@D{T1Q1`dShr~Q8qRTOm_+`EiE8& zVNqmMXj5WMGeuNULrh~YZ^*P@l$xW!oiZ`IluZVh®XpdE%E@QX}`K+#|-|;3+)leYEW#bN8 z&hAn5*ZO&mzDG1_6`4e|YMly{FT20!L^)DbU+;%}%q+9<2Aahj>e zP<)CLz<(4u)d%9`k$)*N>mM>|J+utH;b_V4_e|&tzs-4_z_jtslH99?1^UNdHr!#& z3B5)-P9XZJ)nvsG9F=vB<5t@M##bWGbh?63qj(>@d`B>f+5lA1LkRWfsL5Q}@+N%2 zuWRsfDN+NXtYl78u5`IWu6rQ(=^dZ?N`O_{Sbu;bgMCm0r8p1OH8-o3K$ijW){qA8 zw7oZpIXZ^BD5)o?T>O33athf=m5RiY;eu4ODGzt)w>m`_3cp%3 b;})W#x$n07q+c>9uJ{L&E!DFlLpBm!juJ>^ delta 790 zcmV+x1L^#*2B`*+Ab(G2RW(;cGj2|ESa~&5Q8I60c2aVBSz}XLbulwmXir0SL2Ff5 zGcjXRX9{ynT4`!ZS3*p9Q&KQ1VschdF;`i4D?wUsVN7**YEok_NJMRTMrA}WcM2^& zAaH4REpRe5HXwL$Q)M_&AVFtRSZZQUdT>x{cr#Bhb9qu!Hh)TPIW$^gYfCscH8@UF zPHs0#ZE`SmGHMEIXnIaeM^i_5G-fYibW&+Xba_Qrc}p@jFfeUvMrT!TVpmE{Nq8`E zPf-djJ|H`Odp}++XL4m>b7dejYeZ;KAarpkcWP-wAaQqhd{%8BYzk31QA|W?Y)Ugq zPD(gV@^?Jb2CplGe|*KPG@9xZFV?%T5k$O=(A)gR)1Q}bmVtr7zGf=MRA!x>pA3j z^UM>hk=1*uBONNg$k?G3zsPo}kr~(JI8+$Uq~-qs4=^nVwP0wRzuaTmFdl9ZxG!)I zcD)LRfIf1u0YVk}V-jwp{NdUC7%>8X3hSavmH$i?BJUMDgjoJ=)(?U{8Jfo3A~;Ii zRJ{9L6@Suy<0;uW`?kXNqHa$li10!UW(AZUmootZdWJA^8|t+$sMp3la`ct3mn|jS|Az0H`hjX?B%W){KqDvVT5q1r2Df5_A_IXD>_Meu;&KqVl25 zS5UX4&Q?SiTaVgzN}p$duVizEdW&uJ zRqojs$z2Rk!eQ#icr}PwSla)}FhJmHW(lavU166A0-TS=guGxP2-CcLrPca&>x5`7 U-Vd+jK+2F4OyY3yRk;VZC7TIE^8f$< diff --git a/nix/generate-installer.nix b/nix/generate-installer.nix index 8fe3ef0..44cae1c 100644 --- a/nix/generate-installer.nix +++ b/nix/generate-installer.nix 
@@ -4,27 +4,40 @@
 ...
 }: nodeName: nodeAttrs: let
 inherit (self.hosts.${nodeName}) system;
+
+ pkgs = self.pkgs.${system};
+
+ disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}";
+ disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
+ disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
+
+ install-system = pkgs.writeShellScriptBin "install-system" ''
+ set -euo pipefail
+
+ echo "Formatting disks..."
+ ${disko-script}/bin/disko-script
+
+ echo "Installing system..."
+ nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
+
+ echo "Done!"
+ '';
+
+ installer-package = pkgs.symlinkJoin {
+ name = "installer-package-${nodeName}";
+ paths = with pkgs; [
+ disko-script
+ disko-mount
+ disko-format
+ install-system
+ ];
+ };
+
 configuration = {
 pkgs,
 lib,
 ...
- }: let
- disko = pkgs.writeShellScriptBin "disko" "${nodeAttrs.config.system.build.disko}";
- disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
- disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
-
- install-system = pkgs.writeShellScriptBin "install-system" ''
- set -euo pipefail
-
- echo "Formatting disks..."
- ${disko}/bin/disko
-
- echo "Installing system..."
- nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
-
- echo "Done!"
- '';
- in {
+ }: {
 isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
 system.stateVersion = self.stateVersion;
 nix.extraOptions = ''
@@ -41,6 +54,8 @@
 environment = {
 variables.EDITOR = "nvim";
 systemPackages = with pkgs; [
+ installer-package
+
 neovim
 git
 tmux
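Review bot: `install-system` is now a standalone package intended to be copied onto arbitrary live systems, but it still runs `${disko-script}/bin/disko-script` unconditionally, so executing the package of the wrong node on a machine formats that machine's disks without any prompt, and `set -euo pipefail` does nothing to prevent that. Before the `echo "Formatting disks..."` line, consider an explicit confirmation bound to the node the package was built for, e.g. `read -r -p "Type the node name '${nodeName}' to format its disks and continue: " reply` followed by `[[ "$reply" == "${nodeName}" ]] || exit 1`. A short header comment on `install-system` stating that it is host-specific and destructive would also help anyone who finds the script on a live system. The enclosing `let` binding list continues past the end of the hunk.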
@@ -49,26 +64,27 @@
 fzf
 wget
 curl
-
- disko
- disko-mount
- disko-format
- install-system
 ];
 };
 };
 in {
- packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate {
- pkgs = self.pkgs.${system};
- modules = [
- configuration
- ../hosts/common/core/ssh.nix
- ];
- format =
- {
- x86_64-linux = "install-iso";
- aarch64-linux = "sd-aarch64-installer";
- }
- .${system};
+ packages.${system} = {
+ # Everything required for the installer as a single package,
+ # so it can be used from an existing live system by copying the derivation.
+ # TODO can we use a unified installer iso? does that work regarding size of this package?
+ "installer-package-${nodeName}" = installer-package;
+ "installer-image-${nodeName}" = nixos-generators.nixosGenerate {
+ inherit pkgs;
+ modules = [
+ configuration
+ ../hosts/common/core/ssh.nix
+ ];
+ format =
+ {
+ x86_64-linux = "install-iso";
+ aarch64-linux = "sd-aarch64-installer";
+ }
+ .${system};
+ };
 };
 }
diff --git a/nix/lib.nix b/nix/lib.nix
index 8a205ba..3a1d58a 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -131,6 +131,11 @@ in rec {
 disko = {
 gpt = {
+ partGrub = name: start: end: {
+ inherit name start end;
+ part-type = "primary";
+ flags = ["bios_grub"];
+ };
 partEfi = name: start: end: {
 inherit name start end;
 fs-type = "fat32";
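Review bot: The comment above `"installer-package-${nodeName}"` describes copying "the derivation", but the closure that `nix copy` transfers is far more than the four wrapper scripts: `install-system` interpolates `${nodeAttrs.config.system.build.toplevel}`, so the complete target system closure is a runtime dependency of this package. That also answers the open TODO about size, since copying the package is as large as copying the system itself. Consider replacing the TODO line with `# NOTE: install-system references the full system toplevel, so copying this package also copies the whole system closure.`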