tidied disks
This commit is contained in:
mrsu
parent
05ee6da5ee
commit
e6f0770f97
14
flake.lock
14
flake.lock
|
|
@ -278,11 +278,11 @@
|
||||||
"nix-secrets": {
|
"nix-secrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719594307,
|
"lastModified": 1719601133,
|
||||||
"narHash": "sha256-n2fZDRl/X5rlx0fer7MMKAevtqflDKDsqKvHYuI9iR8=",
|
"narHash": "sha256-2+e92LyX1fFj3mIZft+K8OzR9NT/1xtheO8hO/3DyRc=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "97a12374b7ab681794f8cc7b1bee0414136cbf51",
|
"rev": "278ccbbd646e86cab5fd38d43d9134270d8123d0",
|
||||||
"revCount": 131,
|
"revCount": 141,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||||
},
|
},
|
||||||
|
|
@ -384,11 +384,11 @@
|
||||||
},
|
},
|
||||||
"nur": {
|
"nur": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719592641,
|
"lastModified": 1719596768,
|
||||||
"narHash": "sha256-xgz6AcTVH1i8G3LPSitKNOQflfYU7wMTfAcUrO5FG+Y=",
|
"narHash": "sha256-quSWztqqMxvSJIKddYp1D0GdR7Kg8JjEVCIzMbtBTQ4=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "NUR",
|
"repo": "NUR",
|
||||||
"rev": "ee1f0944028ebd11098d45c8e13658cffcac3550",
|
"rev": "35e48702118124ec52a071e300f55c78a4b7b338",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,21 @@
|
||||||
|
{
|
||||||
|
type = "btrfs";
|
||||||
|
extraArgs = ["-f"];
|
||||||
|
subvolumes = {
|
||||||
|
"/root" = {
|
||||||
|
mountpoint = "/";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"/nix" = {
|
||||||
|
mountOptions = [ "subvol=nix" "noatime" ];
|
||||||
|
mountpoint = "/nix";
|
||||||
|
};
|
||||||
|
|
||||||
|
"/swap" = {
|
||||||
|
mountOptions = [ "noatime" ];
|
||||||
|
mountpoint = "/.swapvol";
|
||||||
|
swap.swapfile.size = "8192M";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -1,11 +1,11 @@
|
||||||
{ device, fsType, encrypted, ... }:
|
{ device, fsType, encrypted, impermanence, ... }:
|
||||||
let
|
let
|
||||||
# basic and perists configs. basic fs = ext4, persist fs = btrfs either encrypted or under lvm
|
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
|
||||||
basic = import ./gpt-bios-compact.nix { inherit device; };
|
basic = import ./${fsType}/basic.nix { inherit device; };
|
||||||
btrfs-persist-lvm = import ./btrfs-lvm.nix { inherit device; };
|
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
|
||||||
btrfs-persist-luks = import ./btrfs-luks.nix { inherit device; };
|
luks = import ./luks.nix { inherit device; fsModule = fsModule; };
|
||||||
in
|
in
|
||||||
if fsType == "ext4" then basic
|
if fsType == "ext4" then basic
|
||||||
else if fsType == "btrfs" && encrypted then btrfs-persist-luks
|
else if fsType == "btrfs" && encrypted then luks
|
||||||
else if fsType == "btrfs" then btrfs-persist-lvm
|
else if fsType == "btrfs" then lvm
|
||||||
else null # or some default value
|
else null
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,7 @@
|
||||||
{device ? throw "Must define a devices, e.g. /dev/sda"}:
|
{
|
||||||
|
device ? throw "Must define a device, e.g. /dev/sda",
|
||||||
|
fsModule ? "Must specify submodule"
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
disk = {
|
disk = {
|
||||||
|
|
@ -26,7 +29,7 @@
|
||||||
type = "luks";
|
type = "luks";
|
||||||
name = "crypted";
|
name = "crypted";
|
||||||
passwordFile = "/tmp/luks_secret.key"; # Interactive
|
passwordFile = "/tmp/luks_secret.key"; # Interactive
|
||||||
content = (import ./btrfs-persist.nix);
|
content = (import "${fsModule}");
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
@ -1,4 +1,7 @@
|
||||||
{device ? throw "Must define a device, e.g. /dev/sda"}:
|
{
|
||||||
|
device ? throw "Must define a device, e.g. /dev/sda",
|
||||||
|
fsModule ? "Must specify submodule"
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
disk.main = {
|
disk.main = {
|
||||||
|
|
@ -36,7 +39,7 @@
|
||||||
lvs = {
|
lvs = {
|
||||||
root = {
|
root = {
|
||||||
size = "100%FREE";
|
size = "100%FREE";
|
||||||
content = (import ./btrfs-persist.nix);
|
content = (import "${fsModule}");
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
@ -1,8 +1,6 @@
|
||||||
{enable}:
|
|
||||||
{
|
{
|
||||||
fileSystems."/persist".neededForBoot = true;
|
fileSystems."/persist".neededForBoot = true;
|
||||||
environment.persistence."/persist" = {
|
environment.persistence."/persist" = {
|
||||||
inherit enable;
|
|
||||||
hideMounts = true;
|
hideMounts = true;
|
||||||
directories = [
|
directories = [
|
||||||
"/etc/nixos"
|
"/etc/nixos"
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@ let
|
||||||
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
|
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
|
||||||
dev = "/dev/sda"; # depends on target hardware
|
dev = "/dev/sda"; # depends on target hardware
|
||||||
encrypted = false; # currrently only applies to btrfs
|
encrypted = false; # currrently only applies to btrfs
|
||||||
|
impermanence = false; # currrently only applies to btrfs
|
||||||
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
||||||
user = "admin";
|
user = "admin";
|
||||||
in
|
in
|
||||||
|
|
@ -15,7 +16,7 @@ in
|
||||||
|
|
||||||
# Disk configuration
|
# Disk configuration
|
||||||
inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
|
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
|
||||||
|
|
||||||
# Import core options
|
# Import core options
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ let
|
||||||
encrypted = true; # currrently only applies to btrfs
|
encrypted = true; # currrently only applies to btrfs
|
||||||
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
||||||
user = "sam";
|
user = "sam";
|
||||||
|
impermanence = true;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
|
|
@ -15,10 +16,10 @@ in
|
||||||
|
|
||||||
# Disk configuration
|
# Disk configuration
|
||||||
inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
|
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
|
||||||
|
|
||||||
# Impermanence
|
# Impermanence
|
||||||
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
|
(import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
|
||||||
|
|
||||||
# Import core options
|
# Import core options
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ let
|
||||||
dev = "/dev/sda"; # depends on target hardware
|
dev = "/dev/sda"; # depends on target hardware
|
||||||
encrypted = false; # currrently only applies to btrfs
|
encrypted = false; # currrently only applies to btrfs
|
||||||
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
|
||||||
|
impermanence = true;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
|
|
@ -14,10 +15,10 @@ in
|
||||||
|
|
||||||
# Disk configuration
|
# Disk configuration
|
||||||
inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
|
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
|
||||||
|
|
||||||
# Impermanence
|
# Impermanence
|
||||||
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
|
(import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
|
||||||
|
|
||||||
# Import core options
|
# Import core options
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,8 @@ read -p "Enter hostname of target: " hostname
|
||||||
read -p "Enter IP of target: " ip
|
read -p "Enter IP of target: " ip
|
||||||
read -p "Enter config to install on target: " config
|
read -p "Enter config to install on target: " config
|
||||||
read -p "Enter username (if none, use 'root'): " username
|
read -p "Enter username (if none, use 'root'): " username
|
||||||
|
read -p "Using impermanence? (yes|no): " impermanence
|
||||||
|
[ "$impermanence" = "yes" ] && persist="/persist"
|
||||||
|
|
||||||
# Delete key in known hosts if exists
|
# Delete key in known hosts if exists
|
||||||
sed -i "/$ip/d" ~/.ssh/known_hosts
|
sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||||
|
|
@ -36,11 +38,11 @@ cleanup() {
|
||||||
trap cleanup EXIT
|
trap cleanup EXIT
|
||||||
|
|
||||||
# Create the directory for target host keys
|
# Create the directory for target host keys
|
||||||
install -d -m755 "$temp/persist/etc/ssh"
|
install -d -m755 "$temp$persist/etc/ssh"
|
||||||
|
|
||||||
# Create ssh keys
|
# Create ssh keys
|
||||||
echo "Creating '$hostname' ssh keys"
|
echo "Creating '$hostname' ssh keys"
|
||||||
ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
|
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
|
||||||
|
|
||||||
# Extract luks key from secrets
|
# Extract luks key from secrets
|
||||||
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml")
|
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml")
|
||||||
|
|
@ -48,7 +50,7 @@ echo "$luks_secret" > /tmp/luks_secret.key
|
||||||
|
|
||||||
# Generate age key from target host and user public ssh key
|
# Generate age key from target host and user public ssh key
|
||||||
echo "Generating age key from target host and user ssh key"
|
echo "Generating age key from target host and user ssh key"
|
||||||
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
|
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
|
||||||
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
||||||
|
|
||||||
# Update .sops.yaml with new age key:
|
# Update .sops.yaml with new age key:
|
||||||
|
|
@ -67,7 +69,7 @@ sed -i "{
|
||||||
just update-sops-secrets && just update-flake-secrets && just update-flake
|
just update-sops-secrets && just update-flake-secrets && just update-flake
|
||||||
|
|
||||||
# Copy current nix config over to target
|
# Copy current nix config over to target
|
||||||
cp -prv . "$temp/persist/etc/nixos"
|
cp -prv . "$temp$persist/etc/nixos"
|
||||||
|
|
||||||
# Install Nixos to target
|
# Install Nixos to target
|
||||||
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
|
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue