update just file, revisions to bootstrap.sh

This commit is contained in:
Sam 2024-05-16 16:54:21 +01:00
parent 0359491756
commit f6b48d0b25
8 changed files with 99 additions and 46 deletions


@ -43,11 +43,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1715783829, "lastModified": 1715874814,
"narHash": "sha256-aNuuTd4nXt9SxYLgJSgBxuvIBmAyh5+2IT2iLepZKds=", "narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "450e494f36a74c0786d1cb01db46731b01b713dc", "rev": "dc3f14aae4111cd318f4c42c91382bf884101556",
"revCount": 5, "revCount": 6,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -74,7 +74,8 @@
inherit specialArgs; inherit specialArgs;
modules = [ modules = [
disko.nixosModules.disko disko.nixosModules.disko
./hosts/common/disks/gpt-bios-compact.nix #./hosts/common/disks/gpt-bios-compact.nix
./hosts/common/disks/std-disk-config.nix
./hosts/bootstrap ./hosts/bootstrap
]; ];
}; };
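Review bot: `./hosts/common/disks/std-disk-config.nix` is now listed both here in the bootstrap `modules` list and in the `imports` of the host module touched by the same commit (and `disko.nixosModules.disko` is likewise imported in both places), so each module reaches the evaluation twice. The module system deduplicates path imports, so this is probably harmless today, but it leaves the disk layout's origin ambiguous; keep a single import site — the host module already carries it — and drop the commented-out `#./hosts/common/disks/gpt-bios-compact.nix` entry rather than keeping dead lines in the module list. The enclosing `nixosSystem` call starts and ends outside the hunk.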


@ -1,10 +1,12 @@
{ lib, pkgs, configLib, configVars, ... }: { lib, pkgs, modulesPath, inputs, ... }:
{ {
imports = [ imports = [
inputs.disko.nixosModules.disko
../common/disks/std-disk-config.nix
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
../common/core ../common/core
# Import optional options # Import optional options
# ../common/optional/openssh # ../common/optional/openssh
@ -12,30 +14,25 @@
../common/users/admin ../common/users/admin
]; ];
#virtualisation.virtualbox.guest.enable = true; # #virtualisation.virtualbox.guest.enable = true;
virtualisation.libvirtd = { # virtualisation.libvirtd = {
qemu = { # qemu = {
package = pkgs.qemu_kvm; # only emulates host arch, smaller download # package = pkgs.qemu_kvm; # only emulates host arch, smaller download
swtpm.enable = true; # allows for creating emulated TPM # swtpm.enable = true; # allows for creating emulated TPM
ovmf.packages = [(pkgs.OVMF.override { # ovmf.packages = [(pkgs.OVMF.override {
secureBoot = true; # secureBoot = true;
tpmSupport = true; # tpmSupport = true;
}).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff # }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
# };
# };
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
}; };
}; };
#fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings.
#boot.loader.efi.canTouchEfiVariables = true;
#boot.loader.grub.device = "/dev/vda";
boot.loader.grub.enable = true;
# boot.loader.systemd-boot = {
# enable = true;
# # we use Git for version control, so we don't need to keep too many generations.
# # FIXME lower this even more after testing complete
# configurationLimit = lib.mkDefault 10;
# # pick the highest resolution for systemd-boot's console.
# consoleMode = lib.mkDefault "max";
# };
boot.initrd.systemd.enable = true;
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console = { console = {
@ -44,7 +41,6 @@
useXkbConfig = false; useXkbConfig = false;
}; };
networking = { networking = {
hostName = "bootstrap"; hostName = "bootstrap";
networkmanager.enable = true; networkmanager.enable = true;
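Review bot: The `virtualisation.libvirtd` block is kept as a ten-line comment instead of being removed, and `modulesPath` is added to the argument set at the top of the file with no use visible in these hunks; commented-out configuration drifts from the option schema over time and git history already preserves it. If the block is meant to be switchable, a separate module under `../common/optional` (the pattern the file's own `# Import optional options` section already uses) is clearer than commenting it out. A one-line comment above `systemd-boot.enable = true;` saying that it relies on the ESP declared in `std-disk-config.nix` would also help, since the previous `boot.loader.grub.enable = true;` is dropped in the same hunk. Parts of this module lie between the hunks and are not visible here.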


@ -10,17 +10,9 @@
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" "kvm-intel" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{
};
swapDevices =
[
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
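Review bot: Dropping `"kvm-intel"` from `boot.kernelModules` on the `kvm-amd` line limits nested KVM in the bootstrap guest to AMD hosts; if this file is still generator output for a VM that may be scheduled onto Intel hardware, keep both modules (the inapplicable one is expected to simply not load) or make the list conditional. Removing `fileSystems."/"` and `swapDevices` means root and swap are now defined only by the disko module, so a short comment such as `# fileSystems and swapDevices come from ../common/disks/std-disk-config.nix via disko` would tell the next reader where they went. The rest of the file is outside the hunk.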


@ -0,0 +1,63 @@
{
disko.devices = {
disk = {
vdb = {
type = "disk";
device = "/dev/vdb";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive
settings = {
allowDiscards = true;
keyFile = "/tmp/secret.key";
};
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "20M";
};
};
};
};
};
};
};
};
};
};
}
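Review bot: The ESP at `mountpoint = "/boot"` is mounted with `mountOptions = [ "defaults" ]`, which leaves the vfat boot partition readable by every local user; the host config in this same commit drops a commented `fileSystems."/boot".options = ["umask=0077"];` that addressed exactly this, and the equivalent here is `mountOptions = [ "defaults" "umask=0077" ];`. The LUKS `settings.keyFile = "/tmp/secret.key"` and `additionalKeyFiles = [ "/tmp/additionalSecret.key" ]` look like the disko template defaults: both files must exist on the installer at format time, each enrolls a keyslot that persists in the LUKS header, and disko appears to pass `settings` through to the initrd LUKS configuration, so the installed system would look for `/tmp/secret.key` at boot — confirm that falling back to passphrase entry is intended and state it in the comment above `settings`. `swap.swapfile.size = "20M"` also reads as a placeholder and deserves a `# FIXME` in the style the sibling disk config already uses.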


@ -2,10 +2,10 @@
disko.devices = { disko.devices = {
disk = { disk = {
#FIXME change to proper device or make dynamic like figdetingbits #FIXME change to proper device or make dynamic like figdetingbits
sda = { vda = {
type = "disk"; type = "disk";
# FIXME change to proper device or make dynamic like figdetingbits # FIXME change to proper device or make dynamic like figdetingbits
device = "/dev/sda"; device = "/dev/vda";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {


@ -4,8 +4,8 @@ SOPS_FILE := "../nix-secrets/secrets.yaml"
default: default:
@just --list @just --list
# ensure the latest revisions of nix-secrets are used next time a rebuild occurs # fetches from remote and updates flake.lock with latest revisions of nix-secrets for next time a rebuild occurs
update-nix-secrets: update-flake-secrets:
(cd ../nix-secrets && git fetch && git rebase) || true (cd ../nix-secrets && git fetch && git rebase) || true
nix flake lock --update-input nix-secrets nix flake lock --update-input nix-secrets
@ -23,9 +23,10 @@ edit-sops:
echo "Editing {{SOPS_FILE}}" echo "Editing {{SOPS_FILE}}"
nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}" nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}"
# update # update keys in secrets.yaml and push to remote
update-secrets: update-sops-secrets:
cd $HOME/nix-secrets && (\ cd $HOME/nix-secrets && (\
nix-shell -p sops --run "sops updatekeys -y secrets.yaml" && \ nix-shell -p sops --run "sops updatekeys -y secrets.yaml" && \
git add -u && (git commit -m "updated secrets" || true) && git push \ git add -u && (git commit -m "updated secrets" || true) && git push \
) )


@ -33,7 +33,7 @@ confirm_delete=""
overwrite="" overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
[ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N "" [ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
echo "Copying ssh key to target host:" echo "Copying ssh key to target host:"
# Rsync currently not available in Nixos. Use scp instead. # Rsync currently not available in Nixos. Use scp instead.
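Review bot: The rewritten condition `[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen …` treats an empty answer as consent, so when the key already exists and the user just presses Enter at the `(yes|no)` prompt the script still proceeds to ssh-keygen; the empty case was evidently meant to cover only the path where no prompt was shown because the key is absent, and the existing key is currently saved only by ssh-keygen's own second `Overwrite (y/n)?` question. Test the file's presence rather than the answer: `if [ ! -f "$KEY_DIR/$KEY_NAME" ] || [ "$overwrite" == "yes" ]; then ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""; fi`, which keeps the default non-destructive. Using `read -r -p` also stops backslashes in the answer from being interpreted. The surrounding script continues outside the hunk.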