


Sam 93e5c04d21 merge development add luks encryption 2024-05-26 22:09:38 +01:00
Sam 8b4da0e70d auto: bootstrapping sparky 2024-05-26 21:39:04 +01:00
Sam dbbd032191 auto: bootstrapping sparky 2024-05-26 21:26:19 +01:00
Sam 767c6ac5aa auto: bootstrapping sparky 2024-05-26 15:52:58 +01:00
Sam b0021b5f83 encryption-keys to nixos-anywhere 2024-05-26 15:52:08 +01:00
Sam f94ab6584e auto: bootstrapping sparky 2024-05-26 14:32:19 +01:00
Sam 6a8c8a98c4 auto: bootstrapping sparky 2024-05-26 14:19:32 +01:00
Sam b7e0b6bc84 auto: bootstrapping sparky 2024-05-26 14:18:14 +01:00
Sam 95a5f258f9 auto: bootstrapping sparky 2024-05-26 14:07:26 +01:00
Sam 280d7a6213 auto: bootstrapping sparky 2024-05-26 13:57:10 +01:00
Sam 29ef289456 auto: bootstrapping sparky 2024-05-26 13:55:47 +01:00
Sam dbcadf5315 auto: bootstrapping sparky 2024-05-26 13:52:51 +01:00
Sam b7d7f40171 auto: bootstrapping sparky 2024-05-26 13:25:20 +01:00
Sam 7bb5689128 auto: bootstrapping sparky 2024-05-26 13:23:35 +01:00
Sam 15291a162d auto: bootstrapping sparky 2024-05-26 13:16:16 +01:00
Sam 7739e82f8e auto: bootstrapping sparky 2024-05-26 13:13:35 +01:00
Sam 245bbb8de6 auto: bootstrapping sparky 2024-05-26 13:11:54 +01:00
5 changed files with 60 additions and 53 deletions


@ -3,16 +3,17 @@ let
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in in
{ {
imports = imports =
[ [
# Disk configuration # Disk configuration
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })
../common/optional/btrfs-impermanence.nix ../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
@ -42,14 +43,14 @@ in
]; ];
}; };
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console = { console = {
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
keyMap = "uk"; keyMap = "uk";
useXkbConfig = false; useXkbConfig = false;
}; };
boot = { boot = {
loader = { loader = {
@ -96,7 +97,7 @@ in
pkgs.just pkgs.just
pkgs.git pkgs.git
pkgs.neovim pkgs.neovim
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -115,7 +116,7 @@ in
}; };
}; };
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host git.bitlab21.com Host git.bitlab21.com
IdentitiesOnly yes IdentitiesOnly yes
StrictHostKeyChecking no StrictHostKeyChecking no
@ -125,7 +126,7 @@ in
security.pam = { security.pam = {
sshAgentAuth.enable = true; sshAgentAuth.enable = true;
}; };
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
services = { services = {
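Review bot: The replaced import leaves `#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })` behind as dead commented-out code next to the new luks-btrfs-subvolumes import; the old layout is already preserved in history, so the line should be deleted rather than kept. The device literal "/dev/vda" is now written inline here, whereas the sibling host configuration in this compare binds it once as `let dev = "/dev/vda"; in` and passes `device = dev;` — doing the same keeps a single place to change when the disk path differs. The enclosing `imports` list continues past this hunk.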


@ -1,9 +1,10 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{ {
disko.devices = { disko.devices = {
disk = { disk = {
vdb = { vdb = {
type = "disk"; type = "disk";
device = "/dev/vdb"; inherit device;
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -25,36 +26,38 @@
type = "luks"; type = "luks";
name = "crypted"; name = "crypted";
# disable settings.keyFile if you want to use interactive password entry # disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive passwordFile = "/tmp/luks_secret.key"; # Interactive
settings = { # settings = {
allowDiscards = true; # allowDiscards = true;
keyFile = "/tmp/secret.key"; # keyFile = "${sopsHashedPasswordFile}";
}; # };
additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = {
content = { type = "btrfs";
type = "btrfs"; extraArgs = ["-f"];
extraArgs = [ "-f" ]; subvolumes = {
subvolumes = { "/root" = {
"/root" = { mountpoint = "/";
mountpoint = "/"; };
mountOptions = [ "compress=zstd" "noatime" ];
}; "/persist" = {
"/home" = { mountOptions = [ "subvol=persist" ];
mountpoint = "/home"; mountpoint = "/persist";
mountOptions = [ "compress=zstd" "noatime" ]; };
};
"/nix" = { "/nix" = {
mountpoint = "/nix"; mountOptions = [ "subvol=nix" "noatime" ];
mountOptions = [ "compress=zstd" "noatime" ]; mountpoint = "/nix";
}; };
"/swap" = {
mountpoint = "/.swapvol"; "/swap" = {
swap.swapfile.size = "20M"; mountOptions = [ "noatime" ];
}; mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}; };
}; };
}; };
};
}; };
}; };
}; };
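Review bot: The commented-out `settings` block still references `sopsHashedPasswordFile`, a name bound nowhere in this file, so the comment describes a configuration that cannot simply be uncommented; either drop the block or replace it with a one-line comment stating where a key file would have to come from. `passwordFile = "/tmp/luks_secret.key"` is consumed at format time from the installer environment, and a comment such as `# passphrase file is provided by the bootstrap script via nixos-anywhere --disk-encryption-keys` would tell a reader why a /tmp path appears in a disk module. The disk entry is still keyed `vdb` while `device` is now a parameter; if disko treats the attribute name only as a label this is cosmetic, but it misleads when the device passed in is /dev/vda. The `/root` subvolume also lost the `noatime` option that `/persist`, `/nix` and `/swap` carry — if intentional, a short comment would prevent a later "fix".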


@ -2,7 +2,7 @@
{ {
boot.initrd.postDeviceCommands = lib.mkAfter '' boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/root_vg/root /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
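Review bot: `mount /dev/mapper/crypted /btrfs_tmp` hard-codes the LUKS mapping name into a shared optional module, so it now works only on hosts that import the luks disk layout; the other host configuration in this compare still imports std-disk-config.nix, whose root the removed line suggests lives at `/dev/root_vg/root`, and if that host also pulls in btrfs-impermanence.nix its initrd mount will fail. Taking the root device as a module argument (mirroring the `device` parameter the disk module gained) or deriving it from the disko configuration would keep the module reusable. The enclosing `postDeviceCommands` string starts before this hunk and continues past it.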


@ -1,10 +1,10 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let let
dev = "/dev/vda"; dev = "/dev/vda";
in in
{ {
imports = imports =
[ [
# Disk configuration # Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks/std-disk-config.nix { device = dev; }) (import ../common/disks/std-disk-config.nix { device = dev; })


@ -5,7 +5,7 @@ Before using this tool, ensure that the host has been setup correctly.
Boot the latest Nixos-minimal install ISO on the host and access the tty. Boot the latest Nixos-minimal install ISO on the host and access the tty.
Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally
Run 'passwd' and set a temporary password (something simple like '1234') Run 'passwd' and set a temporary password (something simple like '1234')
for the root user. for the root user.
" "
@ -17,34 +17,35 @@ ip="192.168.122.193"
config="bootstrap" config="bootstrap"
# Delete key in known hosts if exists # Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
# Authorise source public key # Authorise source public key
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh keys to be copied to host: # Create temp directory for ssh and luks keys to be copied to host:
temp=$(mktemp -d) temp_ssh=$(mktemp -d)
touch /tmp/luks_secret.key
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp" rm -rf "$temp_ssh" /tmp/luks_secret.key
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/persist/etc/ssh" install -d -m755 "$temp_ssh/persist/etc/ssh"
# Create ssh keys if not exists # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -61,13 +62,15 @@ sed -i "{
just update-sops-secrets && just update-flake-secrets && just update-flake just update-sops-secrets && just update-flake-secrets && just update-flake
echo -e "\nNeed to change ownership of temp directories, enter sudo password if prompted:\n" # Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key
# Install Nixos to target # Install Nixos to target
cd "$HOME/nixos" cd "$HOME/nixos"
git add . && git commit -m "auto: bootstrapping $hostname" && git push git add . && git commit -m "auto: bootstrapping $hostname" && git push
nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
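Review bot: `touch /tmp/luks_secret.key` creates the passphrase file at a fixed path in shared /tmp with the caller's default umask (typically world-readable) before `echo "$luks_secret" > /tmp/luks_secret.key` writes the LUKS passphrase into it, so other local users can read the secret for the duration of the run; create it with a restricted mode up front, e.g. `install -m 600 /dev/null /tmp/luks_secret.key`, which also matches the `install` already used for the ssh directory. `echo` appends a trailing newline, and if disko/cryptsetup consume the key file verbatim that newline becomes part of the passphrase and will not match a passphrase typed interactively later, so prefer `printf '%s' "$luks_secret" > /tmp/luks_secret.key`. The sops extraction path hard-codes `sparky` while every other step in the script keys off `$hostname`; using `$hostname` in that path keeps the script reusable for the next host. The `[ $? != 0 ] && ... exit 1` check after the install is pre-existing and still not reached if `set -e` is active elsewhere in the script, which starts outside this hunk.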