merge development add luks encryption

This commit is contained in:
Sam 2024-05-26 22:09:38 +01:00
commit 93e5c04d21
5 changed files with 60 additions and 53 deletions

View File

@ -8,11 +8,12 @@ in
imports = imports =
[ [
# Disk configuration # Disk configuration
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })
../common/optional/btrfs-impermanence.nix ../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix

View File

@ -1,9 +1,10 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{ {
disko.devices = { disko.devices = {
disk = { disk = {
vdb = { vdb = {
type = "disk"; type = "disk";
device = "/dev/vdb"; inherit device;
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -25,31 +26,33 @@
type = "luks"; type = "luks";
name = "crypted"; name = "crypted";
# disable settings.keyFile if you want to use interactive password entry # disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive passwordFile = "/tmp/luks_secret.key"; # Interactive
settings = { # settings = {
allowDiscards = true; # allowDiscards = true;
keyFile = "/tmp/secret.key"; # keyFile = "${sopsHashedPasswordFile}";
}; # };
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = ["-f"]; extraArgs = ["-f"];
subvolumes = { subvolumes = {
"/root" = { "/root" = {
mountpoint = "/"; mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
}; };
"/home" = {
mountpoint = "/home"; "/persist" = {
mountOptions = [ "compress=zstd" "noatime" ]; mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
}; };
"/nix" = { "/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix"; mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
}; };
"/swap" = { "/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol"; mountpoint = "/.swapvol";
swap.swapfile.size = "20M"; swap.swapfile.size = "8192M";
}; };
}; };
}; };

View File

@ -2,7 +2,7 @@
{ {
boot.initrd.postDeviceCommands = lib.mkAfter '' boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/root_vg/root /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")

View File

@ -23,28 +23,29 @@ sed -i "/$ip/d" ~/.ssh/known_hosts
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh keys to be copied to host: # Create temp directory for ssh and luks keys to be copied to host:
temp=$(mktemp -d) temp_ssh=$(mktemp -d)
touch /tmp/luks_secret.key
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp" rm -rf "$temp_ssh" /tmp/luks_secret.key
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/persist/etc/ssh" install -d -m755 "$temp_ssh/persist/etc/ssh"
# Create ssh keys if not exists # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -61,13 +62,15 @@ sed -i "{
just update-sops-secrets && just update-flake-secrets && just update-flake just update-sops-secrets && just update-flake-secrets && just update-flake
echo -e "\nNeed to change ownership of temp directories, enter sudo password if prompted:\n" # Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key
# Install Nixos to target # Install Nixos to target
cd "$HOME/nixos" cd "$HOME/nixos"
git add . && git commit -m "auto: bootstrapping $hostname" && git push git add . && git commit -m "auto: bootstrapping $hostname" && git push
nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts