From 245bbb8de6c5a73bf6be09e48c9e6433337d8a27 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:11:54 +0100 Subject: [PATCH 01/16] auto: bootstrapping sparky --- flake.lock | 32 ++++++------ hosts/bootstrap/default.nix | 18 +++---- hosts/common/disks/luks-btrfs-subvolumes.nix | 54 +++++++++++--------- 3 files changed, 55 insertions(+), 49 deletions(-) diff --git a/flake.lock b/flake.lock index f9f1551..07a7ac7 100644 --- a/flake.lock +++ b/flake.lock @@ -155,11 +155,11 @@ ] }, "locked": { - "lastModified": 1716679503, - "narHash": "sha256-aX8AEWHLwuiYX8OCpTnHGrQeei1Gb+AGbk1hq+RIClg=", + "lastModified": 1716711219, + "narHash": "sha256-TnZETiQPXbyT5mdCHMOyrJnx2+BwroMBRrguciz1vEo=", "owner": "nix-community", "repo": "home-manager", - "rev": "e4611630c3cc8ed618b48d92f6291f65be9f7913", + "rev": "05e6ba83eb3585ce0aff7b41e4bd0e317d05ad4a", "type": "github" }, "original": { @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716685908, - "narHash": "sha256-lVKaygQD16Kfld/Jq6/646OIQiJh8P2/gz29gvd0P08=", + "lastModified": 1716725506, + "narHash": "sha256-RjDe7MWPgutEOFxAN7A6m7X/xJOLzBUQgHO2vvNLI6U=", "ref": "refs/heads/master", - "rev": "31ea4397c72c7c0ce650ea4cadfa7924ef84074f", - "revCount": 35, + "rev": "38def2b57c5d77a1eea960f5e52109304f80a6ef", + "revCount": 36, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, @@ -255,11 +255,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1716061101, - "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=", + "lastModified": 1716655032, + "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2", + "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", "type": "github" }, "original": { 
@@ -300,11 +300,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1716673923, - "narHash": "sha256-2u/NXh4FBbj8myQJTd3Are+a+qvhkXeqnpT/jq6VX2s=", + "lastModified": 1716717390, + "narHash": "sha256-Hd8ky86xAFDrUqNPPx0bO/1x6WUEyWNLrdTEVShAMb8=", "owner": "nix-community", "repo": "nixvim", - "rev": "1cc2e02fcaabd224348fa0dbfeb311063787a060", + "rev": "beb86eec7cad226d100d2841aae09fc2d4e152a8", "type": "github" }, "original": { @@ -360,11 +360,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1716400300, - "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", + "lastModified": 1716692524, + "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", "owner": "mic92", "repo": "sops-nix", - "rev": "b549832718b8946e875c016a4785d204fcfc2e53", + "rev": "962797a8d7f15ed7033031731d0bb77244839960", "type": "github" }, "original": { diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index ee7aa32..b89cf3c 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -3,13 +3,13 @@ let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; -in +in { imports = - [ + [ # Disk configuration inputs.disko.nixosModules.disko - (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) + (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops @@ -42,14 +42,14 @@ in ]; }; - + i18n.defaultLocale = "en_GB.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "uk"; - useXkbConfig = false; + useXkbConfig = false; }; - + boot = { loader = { @@ -96,7 +96,7 @@ in pkgs.just pkgs.git pkgs.neovim - ]; + ]; services.openssh = { enable = true; 
@@ -115,7 +115,7 @@ in }; }; - programs.ssh.extraConfig = '' + programs.ssh.extraConfig = '' Host git.bitlab21.com IdentitiesOnly yes StrictHostKeyChecking no @@ -125,7 +125,7 @@ in security.pam = { sshAgentAuth.enable = true; }; - + networking.firewall.allowedTCPPorts = [ 22 ]; services = { diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index 9191570..650a714 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -1,9 +1,13 @@ +{...}: +let + sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; +in { disko.devices = { disk = { vdb = { type = "disk"; - device = "/dev/vdb"; + inherit device; content = { type = "gpt"; partitions = { @@ -28,33 +32,35 @@ #passwordFile = "/tmp/secret.key"; # Interactive settings = { allowDiscards = true; - keyFile = "/tmp/secret.key"; + keyFile = "${sopsHashedPasswordFile}"; }; - additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "20M"; - }; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/root" = { + mountpoint = "/"; + }; + + "/persist" = { + mountOptions = [ "subvol=persist" ]; + mountpoint = "/persist"; + }; + + "/nix" = { + mountOptions = [ "subvol=nix" "noatime" ]; + mountpoint = "/nix"; + }; + + "/swap" = { + mountOptions = [ "noatime" ]; + mountpoint = "/.swapvol"; + swap.swapfile.size = "8192M"; + }; + }; }; }; }; - }; }; }; }; From 7739e82f8e8b640b1d6d810a3d546ba277e4e1cb Mon Sep 17 00:00:00 2001 
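Review bot: The new header `{...}:` binds none of `lib`, `inputs`, `config` or `device`, yet the `let` on the next line uses the first three and the `inherit device;` further down uses the fourth, so evaluating this module fails with an undefined-variable error. The `lib.optionalString (lib.hasAttr "sops-nix" inputs) …` form also degrades silently: without sops-nix it yields `""`, which later becomes `keyFile = ""` instead of a clear message. A required-argument signature plus an explicit failure reads better, e.g. `{ lib, config, inputs, device ? throw "Must define a device", ... }:` followed by `assert lib.hasAttr "sops-nix" inputs;` ahead of the `let`. The attrset opened by `disko.devices = {` continues past the end of the hunk.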
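Review bot: `keyFile = "${sopsHashedPasswordFile}"` points disko at a sops-nix secret path, but sops-nix only materialises secrets when the installed system activates, whereas disko runs `luksFormat` from the installer beforehand, so as far as I can tell the file does not exist when it is first needed (and in initrd the root volume must be unlocked before such a path could be read). The binding name and the `passwords/root` secret suggest root-account password material is being reused as the disk key, which couples two credentials that are normally rotated independently; a dedicated LUKS passphrase secret is safer. The interpolation is redundant too: `keyFile = sopsHashedPasswordFile;`. The hunk also drops `additionalKeyFiles` and the `compress=zstd` mount options without the commit message saying so; the enclosing `partitions` attrset starts before the hunk.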
From: Sam Date: Sun, 26 May 2024 13:13:35 +0100 Subject: [PATCH 02/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- hosts/common/disks/luks-btrfs-subvolumes.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 07a7ac7..4a40eb2 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716725506, - "narHash": "sha256-RjDe7MWPgutEOFxAN7A6m7X/xJOLzBUQgHO2vvNLI6U=", + "lastModified": 1716725610, + "narHash": "sha256-NSsfQlBI+kPhJyprVq+SBzPtjdEJURGbzUNMIrlh5yo=", "ref": "refs/heads/master", - "rev": "38def2b57c5d77a1eea960f5e52109304f80a6ef", - "revCount": 36, + "rev": "d77862466d6b88debf272d1856c407b29a41c111", + "revCount": 37, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index 650a714..4686f0d 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -1,4 +1,4 @@ -{...}: +{lib, inputs, config, device ? throw "Must define a device, e.g. /dev/sda", ...}: let sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; in From 15291a162d9e2cea25493eb0c3692f21688c6b39 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:16:16 +0100 Subject: [PATCH 03/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- hosts/bootstrap/default.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 4a40eb2..5d952cb 100644 --- a/flake.lock +++ b/flake.lock 
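Review bot: The signature now requires `lib`, `inputs` and `config`, but the only call site in hosts/bootstrap/default.nix applies the file to a bare attrset, `(import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; })`, which supplies none of them, so evaluation fails with a missing-argument error. Returning a NixOS module from the parameterised function lets the module system inject those arguments: `{device ? throw "Must define a device, e.g. /dev/sda"}: {lib, inputs, config, ...}:`, with the `let … in` moved inside the inner function. The hunk only covers the header; the attrset body continues outside it.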
@@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716725610, - "narHash": "sha256-NSsfQlBI+kPhJyprVq+SBzPtjdEJURGbzUNMIrlh5yo=", + "lastModified": 1716725770, + "narHash": "sha256-8dyp5ZjwGUVRpyUMbmc51a/YR6mP2kqXt4gWGwaiNqA=", "ref": "refs/heads/master", - "rev": "d77862466d6b88debf272d1856c407b29a41c111", - "revCount": 37, + "rev": "e79bdf9bdf923f57e1598637c39b2411f43e4388", + "revCount": 38, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index b89cf3c..acb8b38 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -8,11 +8,11 @@ in imports = [ # Disk configuration + inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence - inputs.sops-nix.nixosModules.sops # Import core options ./hardware-configuration.nix From 7bb5689128553378ee297f2b0fdd8dd7d6ddfd39 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:23:35 +0100 Subject: [PATCH 04/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- hosts/bootstrap/default.nix | 3 ++- hosts/common/disks/luks-btrfs-subvolumes.nix | 5 ++--- hosts/sparky/default.nix | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 5d952cb..a1d6717 100644 --- a/flake.lock +++ b/flake.lock 
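Review bot: Moving `inputs.sops-nix.nixosModules.sops` above the disko import does not change evaluation: the NixOS module system merges `imports` order-independently, so `config.sops.secrets` is equally visible either way. If this was meant to cure an undefined-variable or missing-argument error from the luks module, the cause is that module's function signature rather than import order. If the order is intentional for readability, a one-line comment saying so would stop the next reader from undoing it; otherwise the reorder can be dropped.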
@@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716725770, - "narHash": "sha256-8dyp5ZjwGUVRpyUMbmc51a/YR6mP2kqXt4gWGwaiNqA=", + "lastModified": 1716726210, + "narHash": "sha256-usCA/GuvvERo5tcSIYFet5sF0GhKdewcbHfJNNsnNrw=", "ref": "refs/heads/master", - "rev": "e79bdf9bdf923f57e1598637c39b2411f43e4388", - "revCount": 38, + "rev": "2cead67c686ddfb8c5c450ab5b56c545b661005c", + "revCount": 39, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index acb8b38..408b9f8 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -3,6 +3,7 @@ let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; + sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; in { imports = @@ -10,7 +11,7 @@ in # Disk configuration inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko - (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; }) + (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; keyFile = "${sopsHashedPasswordFile}"; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index 4686f0d..b1f6851 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -1,6 +1,5 @@ -{lib, inputs, config, device ? throw "Must define a device, e.g. /dev/sda", ...}: +{device ? throw "Must define a device, e.g. /dev/sda", keyFile ? throw "LUKS password file not specified"}: let - sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; in { disko.devices = { 
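Review bot: The new `sopsHashedPasswordFile` binding evaluates to `""` whenever `sops-nix` is absent from `inputs`, and because the value is only consumed by the disk module this yields an empty `keyFile` rather than a visible failure. Since `inputs.sops-nix.nixosModules.sops` is imported unconditionally a few lines below, the guard can never be false here; `sopsHashedPasswordFile = config.sops.secrets."passwords/root".path;` is clearer and fails loudly when the secret is undeclared. The `"${sopsHashedPasswordFile}"` interpolation in the import line of the next hunk is likewise redundant; `keyFile = sopsHashedPasswordFile;` is equivalent. The `let` block starts above the hunk.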
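Review bot: The `let` block is now empty (`let in`), which is legal but dead syntax; drop both lines and start the file with the attrset. The two `throw` defaults make `device` and `keyFile` mandatory, a good contract, but the comment in the partition body, `# disable settings.keyFile if you want to use interactive password entry`, is now wrong because there is no way to disable it. A short header comment stating that the module is called as `import ./luks-btrfs-subvolumes.nix { device = …; keyFile = …; }` would document the interface; the attrset body continues outside the hunk.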
@@ -32,7 +31,7 @@ in #passwordFile = "/tmp/secret.key"; # Interactive settings = { allowDiscards = true; - keyFile = "${sopsHashedPasswordFile}"; + inherit keyFile; }; content = { type = "btrfs"; diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix index 9781027..fa203dd 100644 --- a/hosts/sparky/default.nix +++ b/hosts/sparky/default.nix @@ -1,10 +1,10 @@ { inputs, config, lib, pkgs, outputs,... }: let dev = "/dev/vda"; -in +in { imports = - [ + [ # Disk configuration inputs.disko.nixosModules.disko (import ../common/disks/std-disk-config.nix { device = dev; }) From b7d7f40171a31755e5411f3df7aa1517fbb79d47 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:25:20 +0100 Subject: [PATCH 05/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index a1d6717..15fbae1 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716726210, - "narHash": "sha256-usCA/GuvvERo5tcSIYFet5sF0GhKdewcbHfJNNsnNrw=", + "lastModified": 1716726314, + "narHash": "sha256-51OoLeW7G0MgtY6veCsbPxN+SMg6RjMzNAj9jb0QWNk=", "ref": "refs/heads/master", - "rev": "2cead67c686ddfb8c5c450ab5b56c545b661005c", - "revCount": 39, + "rev": "1260e25cdc7057ca61f947ec67b3aaf4de013852", + "revCount": 40, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index f61af5c..028935b 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
@@ -5,7 +5,7 @@ Before using this tool, ensure that the host has been setup correctly. Boot the latest Nixos-minimal install ISO on the host and access the tty. Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally -Run 'passwd' and set a temporary password (something simple like '1234') +Run 'passwd' and set a temporary password (something simple like '1234') for the root user. " @@ -13,11 +13,11 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm [ "$confirm" != "yes" ] && echo "Exiting" && exit 0 hostname="sparky" -ip="192.168.122.192" +ip="192.168.122.193" config="bootstrap" # Delete key in known hosts if exists -sed -i "/$ip/d" ~/.ssh/known_hosts +sed -i "/$ip/d" ~/.ssh/known_hosts # Authorise source public key echo "Copying pubkey to target host" From dbcadf5315d3a5bb7b57eaffb5c47e01e9998069 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:52:51 +0100 Subject: [PATCH 06/16] auto: bootstrapping sparky --- flake.lock | 8 +++--- hosts/common/disks/luks-btrfs-subvolumes.nix | 14 +++++----- scripts/bootstrap.sh | 27 ++++++++++++-------- 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index 15fbae1..f24f0a6 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716726314, - "narHash": "sha256-51OoLeW7G0MgtY6veCsbPxN+SMg6RjMzNAj9jb0QWNk=", + "lastModified": 1716727965, + "narHash": "sha256-NTsv/rWrB2coS62aKKD9GDR2mhzL1MMU+5VYDhh1y6w=", "ref": "refs/heads/master", - "rev": "1260e25cdc7057ca61f947ec67b3aaf4de013852", - "revCount": 40, + "rev": "4973f9b8652f9a829510593f8b17448783054b5e", + "revCount": 41, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index b1f6851..e5e2953 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix 
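Review bot: `sed -i "/$ip/d" ~/.ssh/known_hosts` treats the address as an unanchored regular expression, so with `ip="192.168.122.193"` the dots match any character and entries for other hosts such as `192.168.122.1930` are deleted as well; it also misses entries entirely when `HashKnownHosts` is enabled. `ssh-keygen -R "$ip"` removes exactly that host's entries and handles hashed files. The same line is repeated near the end of the script, outside this hunk.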
+++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -1,6 +1,4 @@ -{device ? throw "Must define a device, e.g. /dev/sda", keyFile ? throw "LUKS password file not specified"}: -let -in +{device ? throw "Must define a device, e.g. /dev/sda"}: { disko.devices = { disk = { @@ -28,11 +26,11 @@ in type = "luks"; name = "crypted"; # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - allowDiscards = true; - inherit keyFile; - }; + passwordFile = "/tmp/luks_secret.key"; # Interactive +# settings = { +# allowDiscards = true; +# keyFile = "${sopsHashedPasswordFile}"; +# }; content = { type = "btrfs"; extraArgs = ["-f"]; diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 028935b..ba01811 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
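Review bot: `passwordFile = "/tmp/luks_secret.key"; # Interactive` is self-contradictory: supplying a password file is the non-interactive path, and the comment above it still tells the reader to disable `settings.keyFile`, which no longer exists. Commenting out the `settings` block also silently drops `allowDiscards = true`, a behavioural change the commit does not mention, and keeps a reference to `sopsHashedPasswordFile`, a binding removed in this same commit. I would delete the commented block, keep `settings.allowDiscards = true;` if discards are still wanted, and reword the comment to `# Read from the installer at format time; provided by scripts/bootstrap.sh`. The enclosing `partitions` attrset starts before the hunk.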
@@ -23,28 +23,35 @@ sed -i "/$ip/d" ~/.ssh/known_hosts echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" -# Create temp directory for ssh keys to be copied to host: -temp=$(mktemp -d) +# Create temp directory for ssh and luks to be copied to host: +temp_ssh=$(mktemp -d) +temp_luks=$(mktemp -d) # Function to cleanup temporary directory on exit cleanup() { - rm -rf "$temp" + rm -rf "$temp_ssh" "$temp_luks" } trap cleanup EXIT -# Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/persist/etc/ssh" +# Create the directory where services are to find the host keys +install -d -m755 "$temp_ssh/persist/etc/ssh" +install -d -m755 "$temp_luks/tmp" + +# Extract luks key from secrets +luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") +echo "$luks_key" > "$temp_luks/luks_secrets.key" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" -chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" +# Change permissions +chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" +chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") echo -e "Host age key:\n$HOST_AGE_KEY\n" # Update .sops.yaml with new age key: 
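Review bot: The key is written to `"$temp_luks/luks_secrets.key"`, but the directory created just above is `"$temp_luks/tmp"` and the disk module reads `/tmp/luks_secret.key` (singular), so neither the location nor the name lines up. `echo` also appends a newline to the passphrase, which is likely to become part of the key when a key file is read; `printf '%s' "$luks_key" > "$temp_luks/tmp/luks_secret.key"` avoids both problems. The `'[""\"passwords""\"][""\"root""\"]'` quoting can be written as `'[\"passwords\"][\"root\"]'` inside the double-quoted `--run` string.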
@@ -65,7 +72,7 @@ just update-sops-secrets && just update-flake-secrets && just update-flake cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" "$temp_luks" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts From 29ef28945606192864e582c1b77fa7a63dbf0379 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:55:47 +0100 Subject: [PATCH 07/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index f24f0a6..b6f2596 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716727965, - "narHash": "sha256-NTsv/rWrB2coS62aKKD9GDR2mhzL1MMU+5VYDhh1y6w=", + "lastModified": 1716728141, + "narHash": "sha256-p9o7xF5Q1II/ngoYw0R+LMTXX3Mehy16e+cs6f1AZgI=", "ref": "refs/heads/master", - "rev": "4973f9b8652f9a829510593f8b17448783054b5e", - "revCount": 41, + "rev": "5a984789ff07c749772ece6fcb80373bc218048e", + "revCount": 42, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index ba01811..b3c0f18 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
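Review bot: `--extra-files "$temp_ssh" "$temp_luks"` passes two directories to an option that, as I read nixos-anywhere's usage, takes a single path, so `"$temp_luks"` becomes a stray positional argument. Even if both were copied, extra files land in the installed system's root after disko has formatted the disk, so a password file that `luksFormat` must read cannot be delivered this way; nixos-anywhere's `--disk-encryption-keys <remote_path> <local_path>` exists for exactly that purpose. Merging the two temp directories would not fix the timing issue.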
@@ -24,34 +24,33 @@ echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" # Create temp directory for ssh and luks to be copied to host: -temp_ssh=$(mktemp -d) -temp_luks=$(mktemp -d) +temp=$(mktemp -d) # Function to cleanup temporary directory on exit cleanup() { - rm -rf "$temp_ssh" "$temp_luks" + rm -rf "$temp" } trap cleanup EXIT # Create the directory where services are to find the host keys -install -d -m755 "$temp_ssh/persist/etc/ssh" -install -d -m755 "$temp_luks/tmp" +install -d -m755 "$temp/persist/etc/ssh" +install -d -m755 "$temp/tmp" # Extract luks key from secrets luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") -echo "$luks_key" > "$temp_luks/luks_secrets.key" +echo "$luks_key" > "$temp/tmp/luks_secrets.key" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" # Change permissions -chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" +chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" +chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") echo -e "Host age key:\n$HOST_AGE_KEY\n" # Update .sops.yaml with new age key: 
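Review bot: The file is now written to `"$temp/tmp/luks_secrets.key"` while the disk module opens `/tmp/luks_secret.key`, so the name still does not match, and it is still delivered via `--extra-files`, which copies into the target root only after formatting. The value extracted is the root password material (`["passwords"]["root"]`) rather than a dedicated LUKS passphrase. Writing with `printf '%s' "$luks_key" > "$temp/tmp/luks_secret.key"` instead of `echo` avoids a trailing newline in the passphrase.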
@@ -72,7 +71,7 @@ just update-sops-secrets && just update-flake-secrets && just update-flake cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" "$temp_luks" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts From 280d7a62136bbb7da9fe73355f77af9cb8b65fa8 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 13:57:10 +0100 Subject: [PATCH 08/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- hosts/bootstrap/default.nix | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index b6f2596..6af5765 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716728141, - "narHash": "sha256-p9o7xF5Q1II/ngoYw0R+LMTXX3Mehy16e+cs6f1AZgI=", + "lastModified": 1716728224, + "narHash": "sha256-dgsNHeMkH4z++dpZvNXEDySvJdalXmz4Xz7JNyWxH1w=", "ref": "refs/heads/master", - "rev": "5a984789ff07c749772ece6fcb80373bc218048e", - "revCount": 42, + "rev": "d0273ccbae8ca91ff7684a7b65f328eb28a3cb79", + "revCount": 43, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index 408b9f8..68db5da 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -3,7 +3,6 @@ let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; - sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; in { imports = 
@@ -11,7 +10,7 @@ in # Disk configuration inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko - (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; keyFile = "${sopsHashedPasswordFile}"; }) + (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence From 95a5f258f9315deeec0ac4abf3c8e54759fd1b8d Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 14:07:26 +0100 Subject: [PATCH 09/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 17 +++++++++-------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 6af5765..677f564 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716728224, - "narHash": "sha256-dgsNHeMkH4z++dpZvNXEDySvJdalXmz4Xz7JNyWxH1w=", + "lastModified": 1716728838, + "narHash": "sha256-Gmsb1Bovwg+6XTwuyohpv1Ez8em0phLDEPWyh1Z4vS4=", "ref": "refs/heads/master", - "rev": "d0273ccbae8ca91ff7684a7b65f328eb28a3cb79", - "revCount": 43, + "rev": "46bedb594c7f12f800a3d224e549dede64da968b", + "revCount": 44, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index b3c0f18..2846640 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -23,7 +23,7 @@ sed -i "/$ip/d" ~/.ssh/known_hosts echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" -# Create temp directory for ssh and luks to be copied to host: +# Create temp directory for ssh keys to be copied to host: temp=$(mktemp -d) # Function to cleanup temporary directory on exit 
@@ -32,19 +32,13 @@ cleanup() { } trap cleanup EXIT -# Create the directory where services are to find the host keys +# Create the directory where sshd expects to find the host keys install -d -m755 "$temp/persist/etc/ssh" -install -d -m755 "$temp/tmp" - -# Extract luks key from secrets -luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") -echo "$luks_key" > "$temp/tmp/luks_secrets.key" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -# Change permissions chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" @@ -67,6 +61,10 @@ sed -i "{ just update-sops-secrets && just update-flake-secrets && just update-flake +# Extract luks key from secrets +luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") +echo "$luks_key" > /tmp/luks_secret.key + # Install Nixos to target cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push @@ -74,6 +72,9 @@ git add . && git commit -m "auto: bootstrapping $hostname" && git push SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 +# Delete luks key +rm /tmp/luks_secret.key + ## Delete keys from local known_hosts echo "Deleting host from known_hosts" sed -i "/$ip/d" ~/.ssh/known_hosts From b7e0b6bc84ea5a091ae00fa82e52a3942b3e1c76 Mon Sep 17 00:00:00 2001 
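Review bot: `echo "$luks_secret" > /tmp/luks_secret.key` creates a file in the shared local `/tmp` with the caller's default umask, so on a typical setup the passphrase is world-readable until it is removed, and the removal in the following hunk (`@@ -74,6 +72,9 @@`) is skipped whenever `nix run` fails because the script exits on the line before it. The `cleanup` trap already deletes `"$temp"`, so writing the key there with restricted permissions covers both cases: `install -m 600 /dev/null "$temp/luks_secret.key"` followed by `printf '%s' "$luks_key" > "$temp/luks_secret.key"`. Note also that at this commit the local file is never transferred to the installer, so the disk module's `passwordFile` still cannot find it.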
From: Sam Date: Sun, 26 May 2024 14:18:14 +0100 Subject: [PATCH 10/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 26 ++++++++++++-------------- 2 files changed, 16 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 677f564..f294d97 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716728838, - "narHash": "sha256-Gmsb1Bovwg+6XTwuyohpv1Ez8em0phLDEPWyh1Z4vS4=", + "lastModified": 1716729487, + "narHash": "sha256-mf+lK/G5cuJjXlsBTlLpOqBw7Qx+H1ZQ8x4MohX6OO8=", "ref": "refs/heads/master", - "rev": "46bedb594c7f12f800a3d224e549dede64da968b", - "revCount": 44, + "rev": "36900f87c79f7b63a39b7c134963c5c17063a616", + "revCount": 45, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 2846640..577afbf 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
@@ -23,28 +23,29 @@ sed -i "/$ip/d" ~/.ssh/known_hosts echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" -# Create temp directory for ssh keys to be copied to host: -temp=$(mktemp -d) +# Create temp directory for ssh and luks keys to be copied to host: +temp_ssh=$(mktemp -d) +touch /tmp/luks_secret.key # Function to cleanup temporary directory on exit cleanup() { - rm -rf "$temp" + rm -rf "$temp_ssh" /tmp/luks_secret.key } trap cleanup EXIT # Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/persist/etc/ssh" +install -d -m755 "$temp_ssh/persist/etc/ssh" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" -chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" +chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" +chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") echo -e "Host age key:\n$HOST_AGE_KEY\n" # Update .sops.yaml with new age key: 
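Review bot: `touch /tmp/luks_secret.key` pre-creates the key file at a fixed, predictable path in the shared `/tmp` with the default umask, so it is typically world-readable from this point until the trap removes it, and the secret is written into it later. `luks_key_file=$(mktemp)` creates a 0600 file owned by the caller; then `rm -rf "$temp_ssh" "$luks_key_file"` in `cleanup` and `printf '%s' "$luks_secret" > "$luks_key_file"` in the later hunk (`@@ -62,19 +63,16 @@`), with the same variable passed to `--disk-encryption-keys`, keep the behaviour while closing the window. Adding the file to the EXIT trap is the right move.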
@@ -62,19 +63,16 @@ sed -i "{ just update-sops-secrets && just update-flake-secrets && just update-flake # Extract luks key from secrets -luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") -echo "$luks_key" > /tmp/luks_secret.key +luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") +echo "$luks_secret" > /tmp/luks_secret.key # Install Nixos to target cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 -# Delete luks key -rm /tmp/luks_secret.key - ## Delete keys from local known_hosts echo "Deleting host from known_hosts" sed -i "/$ip/d" ~/.ssh/known_hosts From 6a8c8a98c47716cb2a5fb41b641de128223a59d3 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 14:19:32 +0100 Subject: [PATCH 11/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index f294d97..9ad97ef 100644 --- a/flake.lock +++ b/flake.lock 
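Review bot: `--disk-encryption-keys /tmp/luks_secret.key` supplies one argument to an option that takes two, `<remote_path> <local_path>`, so as far as I can tell `--flake` is consumed as the local path and the invocation fails; the remote path should be the `/tmp/luks_secret.key` that the disk module's `passwordFile` reads on the installer. `echo "$luks_secret" > …` also stores the passphrase with a trailing newline; `printf '%s' "$luks_secret" > /tmp/luks_secret.key` writes exactly the secret. Dropping the explicit `rm` is fine now that the trap covers the file.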
@@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716729487, - "narHash": "sha256-mf+lK/G5cuJjXlsBTlLpOqBw7Qx+H1ZQ8x4MohX6OO8=", + "lastModified": 1716729565, + "narHash": "sha256-ubpkD1U0ZNNREFo8XSh3M/arcQZKgNXiTq1cSNijQ+U=", "ref": "refs/heads/master", - "rev": "36900f87c79f7b63a39b7c134963c5c17063a616", - "revCount": 45, + "rev": "66fef743001650925899d14cdd9ef28825428c93", + "revCount": 46, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 577afbf..a9dc986 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -70,7 +70,7 @@ echo "$luks_secret" > /tmp/luks_secret.key cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts From f94ab6584e7c511c8d4722c83c7b3f6e2bd37529 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 14:32:19 +0100 Subject: [PATCH 12/16] auto: bootstrapping sparky --- flake.lock | 8 ++++---- scripts/bootstrap.sh | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 9ad97ef..48328b7 100644 --- a/flake.lock +++ b/flake.lock 
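Review bot: The nixos-anywhere invocation is now a single line of roughly 200 characters, which buries the actual change (the second `/tmp/luks_secret.key`) in the diff and makes the argument pairing of `--disk-encryption-keys` hard to see. An argument array keeps each option on its own line and lets the `[ $? != 0 ]` check follow unchanged. Passing the same path as both remote and local path is correct for this option as I read it; a comment saying so saves the next reader a lookup.
```shell
nixos_anywhere_args=(
  --extra-files "$temp_ssh"
  # remote path (read by disko's passwordFile on the installer), then local path
  --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key
  --flake ".#$config"
  "root@$ip"
  -i "$HOME/.ssh/id_ed25519"
)
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- "${nixos_anywhere_args[@]}"
# … unchanged: exit-status check and known_hosts cleanup …
```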
@@ -228,11 +228,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716729565,
- "narHash": "sha256-ubpkD1U0ZNNREFo8XSh3M/arcQZKgNXiTq1cSNijQ+U=",
+ "lastModified": 1716730332,
+ "narHash": "sha256-KUdQWCCJkTctzdkADAAp4EdNCVKLDoshcHxnIvMnOrw=",
 "ref": "refs/heads/master",
- "rev": "66fef743001650925899d14cdd9ef28825428c93",
- "revCount": 46,
+ "rev": "d335a49209f735f6cdb472bd8f4ad4ea84645845",
+ "revCount": 47,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index a9dc986..bfd74e1 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -63,7 +63,7 @@ sed -i "{
 just update-sops-secrets && just update-flake-secrets && just update-flake
 
 # Extract luks key from secrets
-luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml")
+luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml")
 echo "$luks_secret" > /tmp/luks_secret.key
 
 # Install Nixos to target
From b0021b5f832daff5c10862a06354d62e0a73844b Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 26 May 2024 15:52:08 +0100
Subject: [PATCH 13/16] encryption-keys to nixos-anywhere

---
 hosts/bootstrap/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index 68db5da..3b6588d 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
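Review bot: The new `--extract` path hard-codes `sparky` as the host key although the script already carries the target in `$hostname` (it is used in the `git commit` message of the neighbouring hunk), so bootstrapping any other host silently pulls sparky's LUKS passphrase into its key file. Because the whole `--run` argument is double-quoted, writing `'[""\"luks_passphrase""\"][""\"$hostname""\"]'` is enough: the outer shell expands the variable before the inner shell sees the single-quoted literal. Separately, a failed decryption leaves `luks_secret` empty and the following `echo` still writes an empty key file, so a guard between the two lines, `[ -n "$luks_secret" ] || { echo "Failed to extract LUKS passphrase"; exit 1; }`, keeps an unreadable secret from propagating silently into the install step. The enclosing script continues above and below this hunk.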
@@ -10,7 +10,8 @@ in # Disk configuration inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko - (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) + #(import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) + (import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence From 767c6ac5aa62e82798d15c7f8c45b1bc0c3b556c Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 26 May 2024 15:52:58 +0100 Subject: [PATCH 14/16] auto: bootstrapping sparky --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 48328b7..544472c 100644 --- a/flake.lock +++ b/flake.lock @@ -228,11 +228,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716730332, - "narHash": "sha256-KUdQWCCJkTctzdkADAAp4EdNCVKLDoshcHxnIvMnOrw=", + "lastModified": 1716735171, + "narHash": "sha256-xHshDVHKC4KICpe9vyLF7KHG1eAOczlLh5O8afCq87s=", "ref": "refs/heads/master", - "rev": "d335a49209f735f6cdb472bd8f4ad4ea84645845", - "revCount": 47, + "rev": "042f6242e61c00d5a2e7b05464762d8f62fb736a", + "revCount": 48, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, @@ -300,11 +300,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1716717390, - "narHash": "sha256-Hd8ky86xAFDrUqNPPx0bO/1x6WUEyWNLrdTEVShAMb8=", + "lastModified": 1716733566, + "narHash": "sha256-Zu0fn7bC+M/LwOOkR1RmeoOuCIbvvFwuqTldVBVe4WY=", "owner": "nix-community", "repo": "nixvim", - "rev": "beb86eec7cad226d100d2841aae09fc2d4e152a8", + "rev": "8212bf1cd2d2dfe6ba521dd8c65a13b67e562d1a", "type": "github" }, "original": { From dbbd0321914ceaaf114493b49d131214eb0dba1e Mon Sep 17 00:00:00 2001 
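Review bot: The new side switches the bootstrap host to `std-disk-config.nix` and keeps the LUKS import as a commented-out line, so any deployment of this commit ends up with an unencrypted root even though the subject says encryption keys are being handed to nixos-anywhere. Toggling modules by commenting is easy to leave in the wrong state (the hunk in patch 15 flips the same two lines back); a single host-level option that selects the disk layout, with a one-line comment such as `# unencrypted layout is for bootstrap experiments only; production hosts use luks-btrfs-subvolumes.nix`, would make the chosen state explicit and keep dead code out of `imports`. The `imports` list continues outside the hunk.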
From: Sam
Date: Sun, 26 May 2024 21:26:19 +0100
Subject: [PATCH 15/16] auto: bootstrapping sparky

---
 flake.lock | 20 ++++++++++----------
 hosts/bootstrap/default.nix | 4 ++--
 hosts/common/optional/btrfs-impermanence.nix | 1 -
 scripts/bootstrap.sh | 2 +-
 4 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/flake.lock b/flake.lock
index 544472c..1671d03 100644
--- a/flake.lock
+++ b/flake.lock
@@ -155,11 +155,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716711219,
- "narHash": "sha256-TnZETiQPXbyT5mdCHMOyrJnx2+BwroMBRrguciz1vEo=",
+ "lastModified": 1716736760,
+ "narHash": "sha256-h3RmnNknKYtVA+EvUSra6QAwfZjC2q1G8YA7W0gat8Y=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "05e6ba83eb3585ce0aff7b41e4bd0e317d05ad4a",
+ "rev": "5d151429e1e79107acf6d06dcc5ace4e642ec239",
 "type": "github"
 },
 "original": {
@@ -228,11 +228,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716735171,
- "narHash": "sha256-xHshDVHKC4KICpe9vyLF7KHG1eAOczlLh5O8afCq87s=",
+ "lastModified": 1716755172,
+ "narHash": "sha256-os5wQsYjysS9Fd28GegNim+OOE3WoK5ETDYSaFMqd14=",
 "ref": "refs/heads/master",
- "rev": "042f6242e61c00d5a2e7b05464762d8f62fb736a",
- "revCount": 48,
+ "rev": "6772ccd68afefc0b456625112b4ca4bb65a3aa76",
+ "revCount": 58,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -300,11 +300,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1716733566,
- "narHash": "sha256-Zu0fn7bC+M/LwOOkR1RmeoOuCIbvvFwuqTldVBVe4WY=",
+ "lastModified": 1716746631,
+ "narHash": "sha256-0/G9FQaVm321BoCKREwRqr4l93ZwtvW+4x8gjN67bWs=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "8212bf1cd2d2dfe6ba521dd8c65a13b67e562d1a",
+ "rev": "9697385115fe557468b2ddcbd1277602b3e58d5e",
 "type": "github"
 },
 "original": {
diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index 3b6588d..7199bfc 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@@ -10,8 +10,8 @@ in # Disk configuration inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko - #(import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) - (import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; }) + (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) + #(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence diff --git a/hosts/common/optional/btrfs-impermanence.nix b/hosts/common/optional/btrfs-impermanence.nix index e812848..0365397 100644 --- a/hosts/common/optional/btrfs-impermanence.nix +++ b/hosts/common/optional/btrfs-impermanence.nix @@ -2,7 +2,6 @@ { boot.initrd.postDeviceCommands = lib.mkAfter '' mkdir /btrfs_tmp - mount /dev/root_vg/root /btrfs_tmp if [[ -e /btrfs_tmp/root ]]; then mkdir -p /btrfs_tmp/old_roots timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index bfd74e1..3fde864 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -70,7 +70,7 @@ echo "$luks_secret" > /tmp/luks_secret.key cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts From 8b4da0e70d05da04896bebe2e9e18f700c62702b Mon Sep 17 00:00:00 2001 
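Review bot: The `nix run` line now pins nixos-anywhere to commit `242444d228636b1f0e89d3681f04a75254c29f66` instead of following the default branch, which is the right supply-chain move, but nothing records why that revision was chosen or when it can be dropped, so the next refresh will either leave it stale or revert it without anyone noticing. A one-line comment above the command, `# nixos-anywhere pinned to 242444d because <REASON>; revisit once upstream carries the fix`, carries that context, and the reason has to come from the author since it is not visible in this series. Declaring nixos-anywhere as a flake input would additionally lock it with a `narHash` in `flake.lock` like the other dependencies, rather than trusting the hash alone in a script. The enclosing script continues above and below this hunk.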
From: Sam
Date: Sun, 26 May 2024 21:39:04 +0100
Subject: [PATCH 16/16] auto: bootstrapping sparky

---
 flake.lock | 8 ++++----
 hosts/common/optional/btrfs-impermanence.nix | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index 1671d03..0c706c4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -228,11 +228,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716755172,
- "narHash": "sha256-os5wQsYjysS9Fd28GegNim+OOE3WoK5ETDYSaFMqd14=",
+ "lastModified": 1716755938,
+ "narHash": "sha256-x2XbBriM3ZBt6sodNgCvq68gy9lGFanWSGgh8weTB4I=",
 "ref": "refs/heads/master",
- "rev": "6772ccd68afefc0b456625112b4ca4bb65a3aa76",
- "revCount": 58,
+ "rev": "b32b7f37f6e4a31b99d1cc4ce2e70778f363e43e",
+ "revCount": 59,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/hosts/common/optional/btrfs-impermanence.nix b/hosts/common/optional/btrfs-impermanence.nix
index 0365397..ab94fb2 100644
--- a/hosts/common/optional/btrfs-impermanence.nix
+++ b/hosts/common/optional/btrfs-impermanence.nix
@@ -2,6 +2,7 @@
 {
 boot.initrd.postDeviceCommands = lib.mkAfter ''
 mkdir /btrfs_tmp
+ mount /dev/mapper/crypted /btrfs_tmp
 if [[ -e /btrfs_tmp/root ]]; then
 mkdir -p /btrfs_tmp/old_roots
 timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
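Review bot: The re-added `mount /dev/mapper/crypted /btrfs_tmp` hard-codes the LUKS mapper name, which couples this optional impermanence module to the `luks-btrfs-subvolumes.nix` layout; with the unencrypted `std-disk-config.nix` selected (as patch 13 did for the bootstrap host) the device does not exist and the mount fails. Because the next line is `if [[ -e /btrfs_tmp/root ]]`, a failed mount stops nothing: the test sees an empty directory, the rollback is skipped, and the previous root silently persists, which is the state patch 15 left the module in between removing the old mount and this one. I would take the device from the host's disk configuration rather than a literal, and make the failure visible, e.g. `mount /dev/mapper/crypted /btrfs_tmp || echo "impermanence: mount of /dev/mapper/crypted failed, root rollback skipped" >&2`; whether a harder stop is appropriate depends on the surrounding stage-1 script, which is outside the hunk. The `lib.mkAfter ''` block continues past the end of the hunk.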