From 2b01c332826d2d59b7fdbf4a7924e827338920f9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 16:14:47 +0100 Subject: l hilum.r: create with disko, add script --- lass/1systems/hilum/disk.nix | 53 ++++++++++++++++++++++++++++++++++++++ lass/1systems/hilum/flash-stick.sh | 27 +++++++++++++++++++ lass/1systems/hilum/physical.nix | 29 +++++++++++---------- 3 files changed, 95 insertions(+), 14 deletions(-) create mode 100644 lass/1systems/hilum/disk.nix create mode 100644 lass/1systems/hilum/flash-stick.sh (limited to 'lass/1systems/hilum') diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix new file mode 100644 index 000000000..4a7253bab --- /dev/null +++ b/lass/1systems/hilum/disk.nix @@ -0,0 +1,53 @@ +{ lib, disk, ... }: +{ + disk = { + main = { + type = "disk"; + device = disk; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "50%"; + fs-type = "fat32"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + type = "partition"; + start = "50%"; + end = "100%"; + content = { + type = "luks"; + name = "hilum_luks"; + # keyFile = "/tmp/secret.key"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/"; + }; + }; + } + ]; + }; + }; + }; +} + diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh new file mode 100644 index 000000000..7b787f92a --- /dev/null +++ b/lass/1systems/hilum/flash-stick.sh 
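Review bot: The LUKS container on the `root` partition is formatted with cryptsetup's compiled-in defaults, because the `luks` entry carries no `extraFormatArgs`, so the header version, cipher and KDF the stick ends up with depend on whichever cryptsetup build runs the mount script. If this disko version supports it, pin them next to `name = "hilum_luks";`, e.g. `extraFormatArgs = [ "--type" "luks2" "--pbkdf" "argon2id" ];`, so a re-flash yields the same on-disk format. `part-type = "primary";` on the `boot` entry is an MBR concept with no meaning on a `gpt` table and can be dropped. The ESP is half the stick and unencrypted, so kernel and initrd under `/boot` sit outside the LUKS volume; a one-line comment stating that this is the intended trade-off would save the next reader from wondering.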
@@ -0,0 +1,27 @@ +#!/bin/sh +set -efux + +disk=$1 + +export NIXPKGS_ALLOW_UNFREE=1 +stockholm_root=$(git rev-parse --show-toplevel) +ssh root@localhost -t -- $(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + -I stockholm="$stockholm_root" \ + -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ + -E "with import {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript" +) +$(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + "$stockholm_root"/lass/krops.nix -A populate \ + --argstr name hilum \ + --argstr target "root@localhost/mnt/hilum/var/src" \ + --arg force true +) +ssh root@localhost << SSH +nixos-install --no-root-password --root /mnt/hilum -I /var/src +nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader +umount -Rv /mnt/hilum +SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index f8bab57d6..e6860a496 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -1,11 +1,24 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: { imports = [ ./config.nix + { + # nice hack to carry around state passed impurely at the beginning + options.mainDisk = lib.mkOption { + type = lib.types.str; + default = builtins.readFile "/etc/hilum-disk"; + }; + config.environment.etc.hilum-disk.text = config.mainDisk; + } ]; + disko.devices = import ./disk.nix { + inherit lib; + disk = config.mainDisk; + }; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; 
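Review bot: The decrypted mapping is left open after the install: the remote heredoc ends with `umount -Rv /mnt/hilum`, but the LUKS device the mount script opened (named `hilum_luks` in disk.nix) is never closed, so the stick's plaintext stays reachable via `/dev/mapper/hilum_luks` on the build host until reboot and the stick cannot be pulled safely. Add `cryptsetup close hilum_luks` after the umount line. The script also repartitions whatever `$1` names with no sanity check, and `$disk` is spliced unquoted into the nix expression on the `-E` line; a guard right after `disk=$1`, `[ -b "$disk" ] || { echo "not a block device: $disk" >&2; exit 1; }`, catches a typo before disko wipes it.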
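Review bot: The new `mainDisk` option has no `description`, and its default is an impure `builtins.readFile "/etc/hilum-disk"` that aborts evaluation on any host where that file is absent, which is every host except the stick itself — none of this is visible from the option definition. Add `description = "Block device the stick lives on; passed in by flash-stick.sh on first install and persisted to /etc/hilum-disk so later rebuilds on the stick reuse it.";` to the `mkOption`. Since the same value is handed to disko, which repartitions it, a comment on the `disko.devices = import ./disk.nix { … }` line saying that evaluation of the disko script destroys whatever `mainDisk` names would be worth having. If `/etc/hilum-disk` is ever edited by hand and gains a trailing newline, `readFile` carries it into the device path; wrapping the default in `lib.removeSuffix "\n"` makes that harmless.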
@@ -13,21 +26,9 @@ boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0"; + boot.loader.grub.device = config.mainDisk; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = - { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4"; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2B9E-5131"; - fsType = "vfat"; - }; - swapDevices = [ ]; nix.maxJobs = lib.mkDefault 4; -- cgit v1.2.3 From 34360eb931e89b09512091fe819fb59568852441 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 23:46:51 +0100 Subject: l hilum.r: pass luks passphrase in flash script --- lass/1systems/hilum/disk.nix | 4 ++-- lass/1systems/hilum/flash-stick.sh | 14 ++++++++++++-- lass/1systems/hilum/physical.nix | 7 +++++++ 3 files changed, 21 insertions(+), 4 deletions(-) mode change 100644 => 100755 lass/1systems/hilum/flash-stick.sh (limited to 'lass/1systems/hilum') diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix index 4a7253bab..926401648 100644 --- a/lass/1systems/hilum/disk.nix +++ b/lass/1systems/hilum/disk.nix @@ -1,4 +1,4 @@ -{ lib, disk, ... }: +{ lib, disk, keyFile, ... }: { disk = { main = { @@ -37,7 +37,7 @@ content = { type = "luks"; name = "hilum_luks"; - # keyFile = "/tmp/secret.key"; + keyFile = keyFile; content = { type = "filesystem"; format = "xfs"; diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh old mode 100644 new mode 100755 index 7b787f92a..17a5fc580 --- a/lass/1systems/hilum/flash-stick.sh +++ b/lass/1systems/hilum/flash-stick.sh 
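Review bot: `boot.loader.grub.device = config.mainDisk;` persists whatever name was passed to flash-stick.sh, whereas the removed line used a stable `/dev/disk/by-id/usb-…` path. If the script is run with a kernel name like `/dev/sdb`, that string is baked into `/etc/hilum-disk` and reused by every later `nixos-rebuild --install-bootloader` on the stick, where `/dev/sdb` may be a different disk and grub-install would then write the boot image to an unrelated drive. Either document that the argument must be a `/dev/disk/by-id/…` path, or make the option (defined in the previous hunk) reject anything else, e.g. `type = lib.types.strMatching "/dev/disk/by-id/.*";`. The removed `fileSystems` and `boot.initrd.luks.devices."usb_nix"` entries are presumably regenerated from the disko layout; confirm the built initrd still unlocks `hilum_luks`, since nothing in this file names it any more.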
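Review bot: `keyFile = keyFile;` is the line that decides whether the format step is interactive, and a reader gets no hint what `null` means there; a comment such as `# null: cryptsetup prompts for the passphrase; a path: passed as --key-file during luksFormat/open` (and `inherit keyFile;` for style) would help. Whether disko also copies a non-null `keyFile` into the generated `boot.initrd.luks.devices.hilum_luks` config is not visible here; if it does, the installed initrd must be built with the option unset, which the flash script appears to rely on by leaving it at its default for the `nixos-install` stage, and that dependency deserves a comment in this file.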
@@ -4,14 +4,24 @@ set -efux disk=$1 export NIXPKGS_ALLOW_UNFREE=1 +(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks) +trap 'rm -f /tmp/hilum.luks' EXIT stockholm_root=$(git rev-parse --show-toplevel) ssh root@localhost -t -- $(nix-build \ --no-out-link \ -I nixpkgs=/var/src/nixpkgs \ -I stockholm="$stockholm_root" \ -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ - -E "with import {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript" + -E "with import {}; (pkgs.nixos [ + { + luksPassFile = \"/tmp/hilum.luks\"; + mainDisk = \"$disk\"; + disko.rootMountPoint = \"/mnt/hilum\"; + } + ./physical.nix + ]).disko" ) +rm -f /tmp/hilum.luks $(nix-build \ --no-out-link \ -I nixpkgs=/var/src/nixpkgs \ @@ -21,7 +31,7 @@ $(nix-build \ --arg force true ) ssh root@localhost << SSH -nixos-install --no-root-password --root /mnt/hilum -I /var/src +NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader umount -Rv /mnt/hilum SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index e6860a496..f97873aa9 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -12,11 +12,18 @@ }; config.environment.etc.hilum-disk.text = config.mainDisk; } + { + options.luksPassFile = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + } ]; disko.devices = import ./disk.nix { inherit lib; disk = config.mainDisk; + keyFile = config.luksPassFile; }; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; -- cgit v1.2.3 From d0b3d234e57c3960ee278c5e29feef448f958c4a Mon Sep 17 00:00:00 2001 
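Review bot: `pass show admin/hilum/luks > /tmp/hilum.luks` writes the passphrase with a trailing newline, and if disko hands `keyFile` to cryptsetup as `--key-file` (as its luks type does, to my knowledge), `luksFormat` treats that newline as part of the key while the passphrase typed at the initrd prompt will not contain it — the stick would then unlock only with the file, never interactively. Strip it at the source, `pass show admin/hilum/luks | tr -d '\n' > "$keyfile"`, and test a prompt-based `cryptsetup open` before trusting the stick. The fixed name `/tmp/hilum.luks` in a world-writable directory can be pre-created (as a symlink or a file owned by someone else) by any other local user, and `umask 077` does not protect against that; use `keyfile=$(mktemp)` and splice `$keyfile` into the `-E` expression instead. The EXIT trap already removes the file, so the second `rm -f /tmp/hilum.luks` is redundant; neither scrubs contents, which is fine on tmpfs but otherwise `shred -u` is the better cleanup.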
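Review bot: `luksPassFile` is typed `lib.types.nullOr lib.types.str` with no description, and the choice of `str` over `path` is security-relevant: if, as I would expect, disko interpolates the value into its shell script, a Nix path value (an unquoted `/tmp/hilum.luks` in the `-E` expression) would be copied into the world-readable nix store at that point, while a quoted string is used as-is. Record that on the option: `description = "File holding the LUKS passphrase, used only by the disko format/mount step. Keep it a string: a path value would be copied into /nix/store. Must stay null in the persisted /var/src config.";`. A comment on `keyFile = config.luksPassFile;` noting that the installed system's config leaves it null so the initrd prompts interactively would make the two-stage flow in flash-stick.sh understandable from this file alone.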
From: lassulus Date: Thu, 26 Jan 2023 23:47:07 +0100 Subject: l hilum.r: introduce tryFile --- lass/1systems/hilum/physical.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'lass/1systems/hilum') diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index f97873aa9..6f160062d 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -6,9 +6,16 @@ { # nice hack to carry around state passed impurely at the beginning - options.mainDisk = lib.mkOption { + options.mainDisk = let + tryFile = path: default: + if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then + builtins.readFile path + else + default + ; + in lib.mkOption { type = lib.types.str; - default = builtins.readFile "/etc/hilum-disk"; + default = tryFile "/etc/hilum-disk" "/dev/sdz"; }; config.environment.etc.hilum-disk.text = config.mainDisk; } -- cgit v1.2.3
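Review bot: The new fallback `"/dev/sdz"` replaces a hard evaluation error with a plausible device name that also flows into `boot.loader.grub.device` and `disko.devices`; on a host that actually has a `/dev/sdz`, a `nixos-install` or `nixos-rebuild --install-bootloader` run without `/etc/hilum-disk` would write GRUB to an unrelated disk, and where it does not exist the failure surfaces only as an obscure grub-install error. If the default exists just so the host-side `nixos-install` in flash-stick.sh can evaluate, with the real bootloader install happening in the `nixos-enter` step, a value that can never resolve, e.g. `tryFile "/etc/hilum-disk" "/dev/disk/by-id/hilum-disk-unset"`, plus a comment stating that intent keeps the safety of the old `readFile`. `tryFile` itself is a roundabout `pathExists`: `tryFile = path: default: if builtins.pathExists path then builtins.readFile path else default;` reads the same and avoids the `readDir`/`baseNameOf` dance. The enclosing `imports` module continues past the hunk.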