From f6b48d0b25f51558d28d63e44eda494448cdca6b Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 16 May 2024 16:54:21 +0100
Subject: [PATCH] update just file, revisions to bootstrap.sh

---
 flake.lock | 8 +--
 flake.nix | 3 +-
 hosts/bootstrap/default.nix | 46 +++++++-------
 hosts/bootstrap/hardware-configuration.nix | 10 +---
 hosts/common/disks/luks-btrfs-subvolumes.nix | 63 ++++++++++++++++++++
 hosts/common/disks/std-disk-config.nix | 4 +-
 justfile | 9 +--
 scripts/bootstrap.sh | 2 +-
 8 files changed, 99 insertions(+), 46 deletions(-)
 create mode 100644 hosts/common/disks/luks-btrfs-subvolumes.nix

diff --git a/flake.lock b/flake.lock
index 8f9536a..e6c6e94 100644
--- a/flake.lock
+++ b/flake.lock
@@ -43,11 +43,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1715783829,
- "narHash": "sha256-aNuuTd4nXt9SxYLgJSgBxuvIBmAyh5+2IT2iLepZKds=",
+ "lastModified": 1715874814,
+ "narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=",
 "ref": "refs/heads/master",
- "rev": "450e494f36a74c0786d1cb01db46731b01b713dc",
- "revCount": 5,
+ "rev": "dc3f14aae4111cd318f4c42c91382bf884101556",
+ "revCount": 6,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 46cf9a4..d7c29fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,7 +74,8 @@
 inherit specialArgs;
 modules = [
 disko.nixosModules.disko
- ./hosts/common/disks/gpt-bios-compact.nix
+ #./hosts/common/disks/gpt-bios-compact.nix
+ ./hosts/common/disks/std-disk-config.nix
 ./hosts/bootstrap
 ];
 };
diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index 65a7d82..cc09b4f 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@@ -1,10 +1,12 @@ -{ lib, pkgs, configLib, configVars, ... }: +{ lib, pkgs, modulesPath, inputs, ... }: { imports = [ + inputs.disko.nixosModules.disko + ../common/disks/std-disk-config.nix + # Import core options ./hardware-configuration.nix ../common/core - # Import optional options # ../common/optional/openssh @@ -12,30 +14,25 @@ ../common/users/admin ]; - #virtualisation.virtualbox.guest.enable = true; - virtualisation.libvirtd = { - qemu = { - package = pkgs.qemu_kvm; # only emulates host arch, smaller download - swtpm.enable = true; # allows for creating emulated TPM - ovmf.packages = [(pkgs.OVMF.override { - secureBoot = true; - tpmSupport = true; - }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff +# #virtualisation.virtualbox.guest.enable = true; +# virtualisation.libvirtd = { +# qemu = { +# package = pkgs.qemu_kvm; # only emulates host arch, smaller download +# swtpm.enable = true; # allows for creating emulated TPM +# ovmf.packages = [(pkgs.OVMF.override { +# secureBoot = true; +# tpmSupport = true; +# }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff +# }; +# }; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + timeout = 3; }; }; - #fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings. - #boot.loader.efi.canTouchEfiVariables = true; - #boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.enable = true; -# boot.loader.systemd-boot = { -# enable = true; -# # we use Git for version control, so we don't need to keep too many generations. -# # FIXME lower this even more after testing complete -# configurationLimit = lib.mkDefault 10; -# # pick the highest resolution for systemd-boot's console. -# consoleMode = lib.mkDefault "max"; -# }; - boot.initrd.systemd.enable = true; i18n.defaultLocale = "en_GB.UTF-8"; console = { @@ -44,7 +41,6 @@ useXkbConfig = false; }; - networking = { hostName = "bootstrap"; networkmanager.enable = true; 
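Review bot: The new `imports` entries `inputs.disko.nixosModules.disko` and `../common/disks/std-disk-config.nix` duplicate what the flake.nix hunk earlier in this patch already adds to this host's `modules` list; NixOS deduplicates modules imported by the same path, so it is harmless, but the disk layout is now declared in two places and any future change to it has to be made twice. Pick one location — either drop the two lines here or drop them from flake.nix. `modulesPath` is added to the argument set but nothing in the visible hunks uses it, and `lib` appears unused now that the `lib.mkDefault` lines are gone; the rest of the file is outside this hunk, so confirm before pruning either.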
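Review bot: Switching to `systemd-boot.enable = true` removes the hint `#fileSystems."/boot".options = ["umask=0077"];` without applying it anywhere; with systemd-boot the vfat ESP holds the kernel, initrd and the bootloader random seed, and a vfat mount with default options is world-readable, which `bootctl` flags as a security warning during activation. Unless std-disk-config.nix (not in this patch) already sets restrictive ESP mount options, add `fileSystems."/boot".options = [ "umask=0077" ];` beside the new `boot.loader` block. The libvirtd block is now dead configuration commented out at column 0; deleting it rather than carrying it forward would keep this module readable. The enclosing attribute set continues outside the hunk.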
diff --git a/hosts/bootstrap/hardware-configuration.nix b/hosts/bootstrap/hardware-configuration.nix index e1f3ff6..f9c2647 100644 --- a/hosts/bootstrap/hardware-configuration.nix +++ b/hosts/bootstrap/hardware-configuration.nix @@ -10,17 +10,9 @@ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" "kvm-intel" ]; + boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { - }; - - swapDevices = - [ - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix new file mode 100644 index 0000000..9191570 --- /dev/null +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix 
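Review bot: Dropping `"kvm-intel"` from `boot.kernelModules` makes the bootstrap host AMD-only, although the rest of the module list (`virtio_pci`, `virtio_blk`) suggests a generic VM image; if it is meant to boot on either vendor, keep `boot.kernelModules = [ "kvm-amd" "kvm-intel" ];` — the unsupported module simply fails to load at boot, as it did before. Removing the empty `fileSystems."/"` and `swapDevices` is consistent with disko now declaring them, but a one-line comment such as `# filesystems and swap are declared by the disko config in ../common/disks` would stop the next reader from re-adding them.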
@@ -0,0 +1,63 @@ +{ + disko.devices = { + disk = { + vdb = { + type = "disk"; + device = "/dev/vdb"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "crypted"; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + allowDiscards = true; + keyFile = "/tmp/secret.key"; + }; + additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "20M"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/common/disks/std-disk-config.nix b/hosts/common/disks/std-disk-config.nix index 2b2ca81..e8b080e 100644 --- a/hosts/common/disks/std-disk-config.nix +++ b/hosts/common/disks/std-disk-config.nix @@ -2,10 +2,10 @@ disko.devices = { disk = { #FIXME change to proper device or make dynamic like figdetingbits - sda = { + vda = { type = "disk"; # FIXME change to proper device or make dynamic like figdetingbits - device = "/dev/sda"; + device = "/dev/vda"; content = { type = "gpt"; partitions = { diff --git a/justfile b/justfile index 7a3e5ee..f2313ca 100644 --- a/justfile +++ b/justfile 
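Review bot: This new file is not imported by any hunk in the patch — flake.nix and hosts/bootstrap/default.nix both pull in std-disk-config.nix — so it is currently dead configuration; if it is kept as a template, say so in a header comment (`# Template: LUKS + btrfs subvolumes; not imported by any host yet`) and mark `/dev/vdb` and the `"20M"` swapfile as placeholders. Before any host imports it, two points need attention: the ESP is mounted with `mountOptions = [ "defaults" ]`, which with systemd-boot leaves the kernel, initrd and bootloader random seed world-readable, so prefer `mountOptions = [ "defaults" "umask=0077" ];`. Second, `settings.keyFile` and `additionalKeyFiles` point at `/tmp/secret.key` and `/tmp/additionalSecret.key`, paths in a world-writable directory, and the file's own comment on `settings.keyFile` implies that setting also governs boot-time unlocking, so a host expecting an interactive passphrase would instead look for that key file in the initrd. Either comment out `keyFile` as the comment suggests or document how those key files are created with restrictive permissions before disko runs.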
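Review bot: The rename from `sda` to `vda` leaves the device hard-coded, and the two `FIXME` comments asking to make it dynamic now sit one line apart saying the same thing; if this file's argument set includes `lib`, `device = lib.mkDefault "/dev/vda";` lets a host override the path with `disko.devices.disk.vda.device = "/dev/sda";` without editing the shared file, which would resolve both FIXMEs. Tying the attribute name to the device (`vda`) also means the next path change is a second rename; a neutral name such as `main` avoids that, provided nothing else references the `vda` attribute. The enclosing `partitions` set continues outside the hunk.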
@@ -4,8 +4,8 @@ SOPS_FILE := "../nix-secrets/secrets.yaml" default: @just --list -# ensure the latest revisions of nix-secrets are used next time a rebuild occurs -update-nix-secrets: +# fetches from remote and updates flake.lock with latest revisions of nix-secrets for next time a rebuild occurs +update-flake-secrets: (cd ../nix-secrets && git fetch && git rebase) || true nix flake lock --update-input nix-secrets @@ -23,9 +23,10 @@ edit-sops: echo "Editing {{SOPS_FILE}}" nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}" -# update -update-secrets: +# update keys in secrets.yaml and push to remote +update-sops-secrets: cd $HOME/nix-secrets && (\ nix-shell -p sops --run "sops updatekeys -y secrets.yaml" && \ git add -u && (git commit -m "updated secrets" || true) && git push \ ) + diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 7731d8e..d62f254 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -33,7 +33,7 @@ confirm_delete="" overwrite="" [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite -[ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N "" +[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N "" echo "Copying ssh key to target host:" # Rsync currently not available in Nixos. Use scp instead.
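Review bot: The new condition `[ -z "$overwrite" ] || [ "$overwrite" == "yes" ]` makes an empty answer at the `Key exists, would you like to overwrite it?` prompt regenerate the key: pressing Enter, or `read` hitting EOF, leaves `overwrite` empty, which is indistinguishable from "no key exists", so an existing key is silently destroyed. Decide the default explicitly instead of overloading the empty string — set `overwrite="yes"` only when no key is present and otherwise require a literal `yes`. The `-N ""` carried over on this line still produces a passphrase-less key; that may be intended for a throwaway bootstrap key, but a comment saying so would help. The surrounding script continues outside the hunk.
```shell
if [ -f "$KEY_DIR/$KEY_NAME" ]; then
  read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
else
  overwrite="yes"   # no key yet: generate one without asking
fi
[ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
```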