maybe the arm vault works now that i base64 un-encode the ssh host key instead of re-encode?

2023-09-20 17:31:36 +01:00 · 2023-09-20 17:31:36 +01:00 · 2af61a7dd3
parent 350391eb47
commit 2af61a7dd3
11 changed files with 19 additions and 153 deletions
--- a/data/serverEncryptedDrive.nix
+++ b/data/serverEncryptedDrive.nix
@ -1,23 +0,0 @@
-rec {
-  # Mountpoints
-  mountpoint = "/";
-  bootMountpoint = "/boot";
-
-  # Partition Labels
-  bootLabel = "nixboot";
-  unencryptedLabel = "nixos";
-  encryptedPartLabel = "nixos_encrypted";
-
-  # Partition Filesystems
-  unencryptedFSType = "ext4";
-  bootFSType = "vfat";
-
-  # Mapper Name
-  mapperName = "cryptroot";
-
-  # FS Paths
-  encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
-  decryptedPath = "/dev/mapper/${mapperName}";
-
-  bootPath = "/dev/disk/by-label/${bootLabel}";
-}
--- a/data/serverIPs.nix
+++ b/data/serverIPs.nix
@ -4,7 +4,7 @@ rec {
    ipv6 = "2a01:4f9:c010:8beb::1";
  };
  "vault" = {
-    ipv4 = "65.21.0.145";
-    ipv6 = "2a01:4f9:c012:9b6b::1";
+    ipv4 = "65.21.145.62";
+    ipv6 = "2a01:4f9:c010:6a89::1";
  };
 }
--- a/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
+++ b/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
@ -1,48 +0,0 @@
-{
-  tree,
-  modulesPath,
-  pkgs,
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.strings) escapeShellArgs;
-in {
-  nixpkgs.overlays = [
-    (final: prev: {
-      # skips building zsh docs
-      zsh = prev.zsh.overrideAttrs {
-        nativeBuildInputs = with final; [autoreconfHook perl groff texinfo pcre util-linux];
-      };
-    })
-  ];
-
-  imports = with tree; [
-    (modulesPath + "/installer/netboot/netboot-minimal.nix")
-    profiles.sshd
-    users.root
-  ];
-
-  boot.kernelParams = ["console=tty0" "console=ttyAMA0,115200" "console=ttyS0,115200"];
-
-  documentation.enable = false;
-
-  netboot.squashfsCompression = "zstd -Xcompression-level 1";
-
-  system.build = {
-    kexecTarball = pkgs.runCommand "kexec-tarball" {} ''
-      mkdir kexec $out
-      cp "${config.system.build.netbootRamdisk}/initrd" kexec/initrd
-      cp "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}" kexec/bzImage
-      install -D -m 0755 ${./run.sh} kexec/run
-        sed -i \
-        -e 's|@init@|${config.system.build.toplevel}/init|' \
-        -e 's|@kernelParams@|${escapeShellArgs config.boot.kernelParams}|' \
-        kexec/run
-      cp "${pkgs.pkgsStatic.kexec-tools}/bin/kexec" kexec/kexec
-      tar -cf $out/hetzner-arm-installer.tar kexec
-    '';
-  };
-
-  system.stateVersion = "23.11";
-}
--- a/hosts/hetzner-arm-installer/run.sh
+++ b/hosts/hetzner-arm-installer/run.sh
@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-init="@init@"
-kernelParams="@kernelParams@"
-
-cd "$(dirname "$(readlink -f "$0")")"
-
-if ! ./kexec --load ./bzImage \
-  --kexec-syscall-auto \
-  --initrd=./initrd --no-checks \
-  --command-line "init=$init $kernelParams"; then
-  echo "kexec failed, dumping dmesg"
-  dmesg | tail -n 100
-  exit 1
-fi
-
-./kexec -e
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -1,19 +0,0 @@
-{
-  tree,
-  lib,
-  ...
-}: let
-  inherit (lib.lists) forEach;
-in {
-  imports = with tree; [
-    presets.nixos.serverBase
-    presets.nixos.serverHetzner
-    ./hardware.nix
-    ./secrets.nix
-  ];
-
-  networking.hostName = "hetzner-arm";
-
-  home-manager.users.root.home.stateVersion = "23.05";
-  system.stateVersion = "23.05";
-}
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -81,30 +81,6 @@ in {
    modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix];
  };

-  # hetzner-arm-installer.nix is generic, this just is for the machine hetzner-arm
-  # add hostname and IPs to serverIPs.nix
-  hetzner-arm-installer = nixosUnstableSystem {
-    specialArgs =
-      defaultSpecialArgs
-      // {
-        hostPath = ./hetzner-arm-installer;
-      };
-    system = "aarch64-linux";
-    # a more minimal module set
-    modules = with tree; [
-      profiles.base.hardware
-      profiles.base.terminals
-      profiles.base.nix
-      ./hetzner-arm-installer/hetzner-arm-installer.nix
-
-      presets.nixos.serverHetzner
-
-      ({...}: {
-        networking.hostName = "hetzner-arm";
-      })
-    ];
-  };
-
  vault = nixosUnstableSystem {
    specialArgs =
      defaultSpecialArgs
@ -116,10 +92,7 @@ in {
  };

  # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
-  nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines [];
-  nixos-live-x86_64-laptops = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
-  nixos-live-x86_64-servers = nixosX86_64LiveWithExtraDepsForMachines ["hetzner-vm" "vault"];
-  nixos-live-x86_64-all = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495" "vault" "hetzner-vm"];
+  nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];

  # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
  raspberry = nixosUnstableSystem {
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -3,4 +3,11 @@
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
+
+  #loader.grub = {
+  #  enable = true;
+  #  efiSupport = false;
+  #  enableCryptodisk = true;
+  #  device = "/dev/sda";
+  #};
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -31,7 +31,7 @@
        path = "/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
-          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
+          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
        '';
      };

--- a/presets/nixos/serverEncryptedDrive.nix
+++ b/presets/nixos/serverEncryptedDrive.nix
@ -36,8 +36,6 @@ in {
        ++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);

      secrets = {
-        # This will need to be generated before install or installed with secrets-init
-        # To keep it same across reinstalls add the ssh key and pubkey to secrets module
        "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
      };

--- a/presets/nixos/serverHetzner.nix
+++ b/presets/nixos/serverHetzner.nix
@ -40,17 +40,13 @@ in {
    "virtio_scsi"
  ];

-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.initrd.verbose = true;
-
  boot.kernelParams =
    [
      "console=tty0"
-      #"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
+      "ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
      "boot.shell_on_fail"
      "nohibernate"
-      "loglevel=5"
-      "verbose"
+      "loglevel=4"
    ]
    ++ (lib.optionals (system == "aarch64-linux") ["console=tty" "console=ttyAMA0,115200" "console=ttyS0,115200"]);

--- a/profiles/chaosInternalWireGuard/wireguard.nix
+++ b/profiles/chaosInternalWireGuard/wireguard.nix
@ -35,17 +35,18 @@ in {
      privateKeyFile = "${secrets.wg_private.path}";
      listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;

-      peers = (map (
+      peers =
+        map (
          hostName: let
            host = wireguardHosts.${hostName};
          in {
-              allowedIPs = ["${host.ip}/32"];
-              publicKey = host.public;
-              endpoint = host.endpoint or null;
+            allowedIPs = ["${host.ip}/32"];
+            publicKey = host.public;
+            endpoint = host.endpoint or null;
          }
        ) (filter (
          hostName: hostName != currentHostName
-        ) (attrNames wireguardHosts)));
+        ) (attrNames wireguardHosts));
    };
  };
 }