diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index ee7aa32..7199bfc 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -3,16 +3,17 @@ let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; -in +in { imports = - [ + [ # Disk configuration + inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko - (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) + (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) + #(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence - inputs.sops-nix.nixosModules.sops # Import core options ./hardware-configuration.nix @@ -42,14 +43,14 @@ in ]; }; - + i18n.defaultLocale = "en_GB.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "uk"; - useXkbConfig = false; + useXkbConfig = false; }; - + boot = { loader = { @@ -96,7 +97,7 @@ in pkgs.just pkgs.git pkgs.neovim - ]; + ]; services.openssh = { enable = true; @@ -115,7 +116,7 @@ in }; }; - programs.ssh.extraConfig = '' + programs.ssh.extraConfig = '' Host git.bitlab21.com IdentitiesOnly yes StrictHostKeyChecking no @@ -125,7 +126,7 @@ in security.pam = { sshAgentAuth.enable = true; }; - + networking.firewall.allowedTCPPorts = [ 22 ]; services = { diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index 9191570..e5e2953 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -1,9 +1,10 @@ +{device ? throw "Must define a device, e.g. /dev/sda"}: { disko.devices = { disk = { vdb = { type = "disk"; - device = "/dev/vdb"; + inherit device; content = { type = "gpt"; partitions = { 
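Review bot: The commented-out `#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })` kept beside the new luks import is dead code and should be deleted rather than left as a switchable alternative; git history already holds the old layout. The device path is also hard-coded inside the import here while hosts/sparky/default.nix binds it once with `let dev = "/dev/vda";`, so `(import ../common/disks/luks-btrfs-subvolumes.nix { device = dev; })` with the same `let` would keep the two hosts consistent and make the single place the target disk is chosen obvious. The imports list continues past the end of the hunk.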
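Review bot: Now that `device` is a module parameter, the disk attribute is still named `vdb` at `disk = { vdb = {`, which no longer matches the `/dev/vda` the bootstrap host passes in and, as far as I can tell, is the name disko and nixos-anywhere use to refer to this disk, so a neutral `main = {` would avoid a misleading identifier. The `throw` default on the argument is a good choice because a missing device fails at evaluation time instead of formatting the wrong disk. The `content` block continues past the hunk.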
@@ -25,36 +26,38 @@ type = "luks"; name = "crypted"; # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - allowDiscards = true; - keyFile = "/tmp/secret.key"; - }; - additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "20M"; - }; + passwordFile = "/tmp/luks_secret.key"; # Interactive +# settings = { +# allowDiscards = true; +# keyFile = "${sopsHashedPasswordFile}"; +# }; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/root" = { + mountpoint = "/"; + }; + + "/persist" = { + mountOptions = [ "subvol=persist" ]; + mountpoint = "/persist"; + }; + + "/nix" = { + mountOptions = [ "subvol=nix" "noatime" ]; + mountpoint = "/nix"; + }; + + "/swap" = { + mountOptions = [ "noatime" ]; + mountpoint = "/.swapvol"; + swap.swapfile.size = "8192M"; + }; + }; }; }; }; - }; }; }; }; diff --git a/hosts/common/optional/btrfs-impermanence.nix b/hosts/common/optional/btrfs-impermanence.nix index e812848..ab94fb2 100644 --- a/hosts/common/optional/btrfs-impermanence.nix +++ b/hosts/common/optional/btrfs-impermanence.nix @@ -2,7 +2,7 @@ { boot.initrd.postDeviceCommands = lib.mkAfter '' mkdir /btrfs_tmp - mount /dev/root_vg/root /btrfs_tmp + mount /dev/mapper/crypted /btrfs_tmp if [[ -e /btrfs_tmp/root ]]; then mkdir -p /btrfs_tmp/old_roots timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix index 9781027..fa203dd 100644 --- a/hosts/sparky/default.nix +++ b/hosts/sparky/default.nix 
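Review bot: The commented-out `settings` block references `${sopsHashedPasswordFile}`, a name that is not in scope in this file (the module only takes `device`), so uncommenting it would fail evaluation; delete those four lines rather than keep a non-working alternative, and record in a comment why `allowDiscards = true` was dropped, since its removal turns off TRIM on the LUKS device (the more private default, but a deliberate trade-off worth noting). The trailing `# Interactive` on `passwordFile = "/tmp/luks_secret.key";` is now misleading because the path is the file nixos-anywhere copies in, so `passwordFile = "/tmp/luks_secret.key"; # copied to the installer by nixos-anywhere --disk-encryption-keys; must contain only the passphrase` says what a reader needs. Presumably intentional, but `/root` lost the `compress=zstd` and `noatime` options the old layout had, and the explicit `subvol=persist` / `subvol=nix` mount options look redundant with what disko derives from the subvolume names — worth confirming against the generated fstab.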
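Review bot: `mount /dev/mapper/crypted /btrfs_tmp` hard-codes the mapper name that luks-btrfs-subvolumes.nix sets with `name = "crypted"`, so renaming the container in one file without the other breaks the root-rotation script in the initrd; a comment such as `# must match the luks "name" in hosts/common/disks/luks-btrfs-subvolumes.nix` on this line would at least make the coupling visible. The mount result is also unchecked: if the mapper device is not open when this runs, the rest of the script operates on an empty `/btrfs_tmp` and boot continues as if nothing happened, so guarding the remainder with the mount's exit status (`mount /dev/mapper/crypted /btrfs_tmp || { echo "crypted not open, skipping root rotation"; return; }` or equivalent for this script context) would fail loudly. As far as I know `boot.initrd.postDeviceCommands` is only honoured by the scripted initrd and not by `boot.initrd.systemd`, which is worth a note for anyone switching. The rest of the script lies outside the hunk.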
@@ -1,10 +1,10 @@ { inputs, config, lib, pkgs, outputs,... }: let dev = "/dev/vda"; -in +in { imports = - [ + [ # Disk configuration inputs.disko.nixosModules.disko (import ../common/disks/std-disk-config.nix { device = dev; }) diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 2811a2e..3fde864 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -5,7 +5,7 @@ Before using this tool, ensure that the host has been setup correctly. Boot the latest Nixos-minimal install ISO on the host and access the tty. Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally -Run 'passwd' and set a temporary password (something simple like '1234') +Run 'passwd' and set a temporary password (something simple like '1234') for the root user. " 
@@ -17,34 +17,35 @@ ip="192.168.122.193" config="bootstrap" # Delete key in known hosts if exists -sed -i "/$ip/d" ~/.ssh/known_hosts +sed -i "/$ip/d" ~/.ssh/known_hosts # Authorise source public key echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" -# Create temp directory for ssh keys to be copied to host: -temp=$(mktemp -d) +# Create temp directory for ssh and luks keys to be copied to host: +temp_ssh=$(mktemp -d) +touch /tmp/luks_secret.key # Function to cleanup temporary directory on exit cleanup() { - rm -rf "$temp" + rm -rf "$temp_ssh" /tmp/luks_secret.key } trap cleanup EXIT # Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/persist/etc/ssh" +install -d -m755 "$temp_ssh/persist/etc/ssh" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" -chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" +chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" +chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") echo -e "Host age key:\n$HOST_AGE_KEY\n" # Update .sops.yaml with new age key: 
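Review bot: `touch /tmp/luks_secret.key` creates the file that later receives the LUKS passphrase at a fixed, predictable path in the shared /tmp with the caller's default umask, so on a multi-user workstation the passphrase can be world-readable while the script runs, and a pre-existing file or symlink of that name planted by another user would be followed on write. Create it with `luks_key=$(mktemp)` (0600, unpredictable name), clean it up with `rm -rf "$temp_ssh"; rm -f "$luks_key"`, and pass `"$luks_key"` as the local side of `--disk-encryption-keys` further down; the remote path can stay `/tmp/luks_secret.key` because that is what the disko module expects. It must not be placed inside `$temp_ssh`, since that whole tree is shipped to the target with `--extra-files` and would land in the installed system. The hunk ends before the .sops.yaml update, so the later uses of the path are outside it.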
@@ -61,13 +62,15 @@ sed -i "{ just update-sops-secrets && just update-flake-secrets && just update-flake -echo -e "\nNeed to change ownership of temp directories, enter sudo password if prompted:\n" +# Extract luks key from secrets +luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml") +echo "$luks_secret" > /tmp/luks_secret.key # Install Nixos to target cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts
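Review bot: Nothing checks that the `sops -d --extract` call succeeded, so if the age key is missing or the entry does not exist `$luks_secret` is empty and `echo "$luks_secret" > /tmp/luks_secret.key` hands nixos-anywhere a one-byte key file, formatting the disk with a lone newline as its passphrase instead of aborting. The redirect also writes the passphrase with the default umask, and `echo` appends a newline that will only match the interactive boot prompt if disko strips it — I am not certain it does, so `printf '%s'` is the safe form. The extract path hard-codes `"sparky"` while the rest of the script keys on `$hostname` (use it if the secrets file is per host, as that entry suggests), and `../nix-secrets/secrets.yaml` is relative to the caller's working directory rather than to `$HOME/nixos`, which the script only enters on the next line. A guarded version:
```shell
# Extract luks key from secrets; abort rather than format the disk with an empty passphrase
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[\"luks_passphrase\"][\"$hostname\"]' ../nix-secrets/secrets.yaml") || { echo "Error extracting luks passphrase"; exit 1; }
[ -n "$luks_secret" ] || { echo "Error: empty luks passphrase for '$hostname'"; exit 1; }
( umask 077; printf '%s' "$luks_secret" > /tmp/luks_secret.key )
unset luks_secret
# … unchanged: cd, git commit/push, nixos-anywhere invocation …
```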