merge development add luks encryption

hosts/bootstrap/default.nix

@@ -8,11 +8,12 @@ in
   imports =
     [
       # Disk configuration
+      inputs.sops-nix.nixosModules.sops
       inputs.disko.nixosModules.disko
-      (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
+      (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
+      #(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })
       ../common/optional/btrfs-impermanence.nix
       inputs.impermanence.nixosModules.impermanence
-      inputs.sops-nix.nixosModules.sops
 
       # Import core options
       ./hardware-configuration.nix

hosts/common/disks/luks-btrfs-subvolumes.nix

@@ -1,9 +1,10 @@
+{device ? throw "Must define a device, e.g. /dev/sda"}:
 {
   disko.devices = {
     disk = {
       vdb = {
         type = "disk";
-        device = "/dev/vdb";
+        inherit device;
         content = {
           type = "gpt";
           partitions = {
@@ -25,31 +26,33 @@
                 type = "luks";
                 name = "crypted";
                 # disable settings.keyFile if you want to use interactive password entry
-                #passwordFile = "/tmp/secret.key"; # Interactive
+                passwordFile = "/tmp/luks_secret.key"; # Interactive
-                settings = {
+#                settings = {
-                  allowDiscards = true;
+#                  allowDiscards = true;
-                  keyFile = "/tmp/secret.key";
+#                  keyFile = "${sopsHashedPasswordFile}";
-                };
+#                };
-                additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
                   content = {
                     type = "btrfs";
                     extraArgs = ["-f"];
                       subvolumes = {
                         "/root" = {
                           mountpoint = "/";
-                      mountOptions = [ "compress=zstd" "noatime" ];
                         };
-                    "/home" = {
+
-                      mountpoint = "/home";
+                        "/persist" = {
-                      mountOptions = [ "compress=zstd" "noatime" ];
+                          mountOptions = [ "subvol=persist" ];
+                          mountpoint = "/persist";
                         };
+
                         "/nix" = {
+                          mountOptions = [ "subvol=nix" "noatime" ];
                           mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd" "noatime" ];
                         };
+
                         "/swap" = {
+                          mountOptions = [ "noatime" ];
                           mountpoint = "/.swapvol";
-                      swap.swapfile.size = "20M";
+                          swap.swapfile.size = "8192M";
                         };
                       };
                   };

hosts/common/optional/btrfs-impermanence.nix

@@ -2,7 +2,7 @@
 {
 boot.initrd.postDeviceCommands = lib.mkAfter ''
   mkdir /btrfs_tmp
-    mount /dev/root_vg/root /btrfs_tmp
+    mount /dev/mapper/crypted /btrfs_tmp
     if [[ -e /btrfs_tmp/root ]]; then
         mkdir -p /btrfs_tmp/old_roots
         timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")

scripts/bootstrap.sh

@@ -23,28 +23,29 @@ sed -i "/$ip/d" ~/.ssh/known_hosts
 echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
 
-# Create temp directory for ssh keys to be copied to host:
+# Create temp directory for ssh and luks keys to be copied to host:
-temp=$(mktemp -d)
+temp_ssh=$(mktemp -d)
+touch /tmp/luks_secret.key
 
 # Function to cleanup temporary directory on exit
 cleanup() {
-  rm -rf "$temp"
+  rm -rf "$temp_ssh" /tmp/luks_secret.key
 }
 trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
-install -d -m755 "$temp/persist/etc/ssh"
+install -d -m755 "$temp_ssh/persist/etc/ssh"
 
 # Create ssh keys if not exists
 echo "Creating '$hostname' ssh keys"
-ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
+ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
 
-chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
+chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
-chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
+chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
 
 # Generate age key from target host and user public ssh key
 echo "Generating age key from target host and user ssh key"
-HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
+HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
 echo -e "Host age key:\n$HOST_AGE_KEY\n"
 
 # Update .sops.yaml with new age key:
@@ -61,13 +62,15 @@ sed -i "{
 
 just update-sops-secrets && just update-flake-secrets && just update-flake
 
-echo -e "\nNeed to change ownership of temp directories, enter sudo password if prompted:\n"
+# Extract luks key from secrets
+luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml")
+echo "$luks_secret" > /tmp/luks_secret.key
 
 # Install Nixos to target
 cd "$HOME/nixos"
 git add . && git commit -m "auto: bootstrapping $hostname" && git push
 
-nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
 
 ## Delete keys from local known_hosts