From 2af61a7dd3a575629fc93d1b29cd14a990896a47 Mon Sep 17 00:00:00 2001
From: chaos
Date: Wed, 20 Sep 2023 17:31:36 +0100
Subject: [PATCH] maybe the arm vault works now that i base64 un-encode the ssh host key instead of re-encode?
---
 data/serverEncryptedDrive.nix | 23 ---------
 data/serverIPs.nix | 4 +-
 .../hetzner-arm-installer.nix | 48 -------------------
 hosts/hetzner-arm-installer/run.sh | 19 --------
 hosts/hetzner-arm/hetzner-arm.nix | 19 --------
 hosts/nixos.nix | 29 +----
 hosts/vault/hardware.nix | 7 +++
 hosts/vault/secrets.nix | 2 +-
 presets/nixos/serverEncryptedDrive.nix | 2 -
 presets/nixos/serverHetzner.nix | 8 +---
 profiles/chaosInternalWireGuard/wireguard.nix | 11 +++--
 11 files changed, 19 insertions(+), 153 deletions(-)
 delete mode 100644 data/serverEncryptedDrive.nix
 delete mode 100644 hosts/hetzner-arm-installer/hetzner-arm-installer.nix
 delete mode 100644 hosts/hetzner-arm-installer/run.sh
 delete mode 100644 hosts/hetzner-arm/hetzner-arm.nix
diff --git a/data/serverEncryptedDrive.nix b/data/serverEncryptedDrive.nix
deleted file mode 100644
index da55ae1..0000000
--- a/data/serverEncryptedDrive.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-rec {
- # Mountpoints
- mountpoint = "/";
- bootMountpoint = "/boot";
-
- # Partition Labels
- bootLabel = "nixboot";
- unencryptedLabel = "nixos";
- encryptedPartLabel = "nixos_encrypted";
-
- # Partition Filesystems
- unencryptedFSType = "ext4";
- bootFSType = "vfat";
-
- # Mapper Name
- mapperName = "cryptroot";
-
- # FS Paths
- encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
- decryptedPath = "/dev/mapper/${mapperName}";
-
- bootPath = "/dev/disk/by-label/${bootLabel}";
-}
\ No newline at end of file
diff --git a/data/serverIPs.nix b/data/serverIPs.nix
index 880f156..72bb22b 100644
--- a/data/serverIPs.nix
+++ b/data/serverIPs.nix
@@ -4,7 +4,7 @@ rec {
 ipv6 = "2a01:4f9:c010:8beb::1";
 };
 "vault" = {
- ipv4 = "65.21.0.145";
- ipv6 = "2a01:4f9:c012:9b6b::1";
+ ipv4 = "65.21.145.62";
+ ipv6 = "2a01:4f9:c010:6a89::1";
 };
 }
diff --git a/hosts/hetzner-arm-installer/hetzner-arm-installer.nix b/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
deleted file mode 100644
index 94c66e5..0000000
--- a/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- tree,
- modulesPath,
- pkgs,
- config,
- lib,
- ...
-}: let
- inherit (lib.strings) escapeShellArgs;
-in {
- nixpkgs.overlays = [
- (final: prev: {
- # skips building zsh docs
- zsh = prev.zsh.overrideAttrs {
- nativeBuildInputs = with final; [autoreconfHook perl groff texinfo pcre util-linux];
- };
- })
- ];
-
- imports = with tree; [
- (modulesPath + "/installer/netboot/netboot-minimal.nix")
- profiles.sshd
- users.root
- ];
-
- boot.kernelParams = ["console=tty0" "console=ttyAMA0,115200" "console=ttyS0,115200"];
-
- documentation.enable = false;
-
- netboot.squashfsCompression = "zstd -Xcompression-level 1";
-
- system.build = {
- kexecTarball = pkgs.runCommand "kexec-tarball" {} ''
- mkdir kexec $out
- cp "${config.system.build.netbootRamdisk}/initrd" kexec/initrd
- cp "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}" kexec/bzImage
- install -D -m 0755 ${./run.sh} kexec/run
- sed -i \
- -e 's|@init@|${config.system.build.toplevel}/init|' \
- -e 's|@kernelParams@|${escapeShellArgs config.boot.kernelParams}|' \
- kexec/run
- cp "${pkgs.pkgsStatic.kexec-tools}/bin/kexec" kexec/kexec
- tar -cf $out/hetzner-arm-installer.tar kexec
- '';
- };
-
- system.stateVersion = "23.11";
-}
diff --git a/hosts/hetzner-arm-installer/run.sh b/hosts/hetzner-arm-installer/run.sh
deleted file mode 100644
index eda1ed6..0000000
--- a/hosts/hetzner-arm-installer/run.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-init="@init@"
-kernelParams="@kernelParams@"
-
-cd "$(dirname "$(readlink -f "$0")")"
-
-if ! ./kexec --load ./bzImage \
- --kexec-syscall-auto \
- --initrd=./initrd --no-checks \
- --command-line "init=$init $kernelParams"; then
- echo "kexec failed, dumping dmesg"
- dmesg | tail -n 100
- exit 1
-fi
-
-./kexec -e
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
deleted file mode 100644
index 1d5575d..0000000
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- tree,
- lib,
- ...
-}: let
- inherit (lib.lists) forEach;
-in {
- imports = with tree; [
- presets.nixos.serverBase
- presets.nixos.serverHetzner
- ./hardware.nix
- ./secrets.nix
- ];
-
- networking.hostName = "hetzner-arm";
-
- home-manager.users.root.home.stateVersion = "23.05";
- system.stateVersion = "23.05";
-}
diff --git a/hosts/nixos.nix b/hosts/nixos.nix
index d33dde8..040740e 100644
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@@ -81,30 +81,6 @@ in {
 modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix];
 };
- # hetzner-arm-installer.nix is generic, this just is for the machine hetzner-arm
- # add hostname and IPs to serverIPs.nix
- hetzner-arm-installer = nixosUnstableSystem {
- specialArgs =
- defaultSpecialArgs
- // {
- hostPath = ./hetzner-arm-installer;
- };
- system = "aarch64-linux";
- # a more minimal module set
- modules = with tree; [
- profiles.base.hardware
- profiles.base.terminals
- profiles.base.nix
- ./hetzner-arm-installer/hetzner-arm-installer.nix
-
- presets.nixos.serverHetzner
-
- ({...}: {
- networking.hostName = "hetzner-arm";
- })
- ];
- };
-
 vault = nixosUnstableSystem {
 specialArgs =
 defaultSpecialArgs
@@ -116,10 +92,7 @@ in {
 };
 # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
- nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines [];
- nixos-live-x86_64-laptops = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
- nixos-live-x86_64-servers = nixosX86_64LiveWithExtraDepsForMachines ["hetzner-vm" "vault"];
- nixos-live-x86_64-all = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495" "vault" "hetzner-vm"];
+ nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
 # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
 raspberry = nixosUnstableSystem {
diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix
index 2b0447b..a19553d 100644
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@@ -3,4 +3,11 @@
 systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
 };
+
+ #loader.grub = {
+ # enable = true;
+ # efiSupport = false;
+ # enableCryptodisk = true;
+ # device = "/dev/sda";
+ #};
 }
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix
index 3ad7728..05b5050 100644
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@@ -31,7 +31,7 @@
 path = "/ssh_host_ed25519_key";
 permissions = "600";
 fetchScript = ''
- simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
+ simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
 '';
 };
diff --git a/presets/nixos/serverEncryptedDrive.nix b/presets/nixos/serverEncryptedDrive.nix
index 211a562..17287be 100644
--- a/presets/nixos/serverEncryptedDrive.nix
+++ b/presets/nixos/serverEncryptedDrive.nix
@@ -36,8 +36,6 @@ in {
 ++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);
 secrets = {
- # This will need to be generated before install or installed with secrets-init
- # To keep it same across reinstalls add the ssh key and pubkey to secrets module
 "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
 };
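Review bot: The one live image that survives this hunk, `nixos-live-x86_64`, now carries the extra deps of `lappy-t495` only, so dropping the `-servers`/`-all` variants leaves no live image with the `vault`/`hetzner-vm` deps even though the rest of the commit is about bringing the vault up. If that is intended, the name no longer says it is laptop-specific; a comment next to the definition such as `# extra deps baked in for lappy-t495 only (server variants dropped)` would spare the next reader a trip through history. The enclosing attribute set starts and ends outside the hunk.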
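Review bot: The added `loader.grub` block is commented-out configuration rather than a comment, and as written it would conflict with the live settings above it if ever re-enabled: `efiSupport = false` with `device = "/dev/sda"` installs a legacy-BIOS GRUB while `systemd-boot.enable = true` and `efi.canTouchEfiVariables = true` stay in force, giving two bootloaders. If it is kept as a reminder that GRUB with `enableCryptodisk` is the fallback for unlocking the encrypted root before the initrd, a one-line comment carries that better, e.g. `# fallback if systemd-boot cannot boot the encrypted root: GRUB with enableCryptodisk (set efiSupport/device for this host first)`; otherwise drop the block, it is recoverable from history. The enclosing attribute set (presumably `boot`) starts outside the hunk.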
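Review bot: The fetchScript still cannot fail safely: the redirect creates `$secretFile` before anything is read, and if `simple_get` fails or returns something that is not valid base64, `base64 -d` writes an empty or truncated key while, without `set -o pipefail`, the pipeline's status is that of `base64 -d` alone. Because this is the host key for `/ssh_host_ed25519_key`, a silent bad write leaves the machine with no usable host identity, or with a truncated one that nothing detects. If the script runs under bash, `set -o pipefail` at the top plus `simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile" || exit 1` would surface the failure, and `ssh-keygen -y -f "$secretFile" > /dev/null` afterwards confirms the decoded file really is a private key. Unless `permissions = "600"` is applied before the script runs, a `umask 077` at the top also keeps the file from being created with the default mode for the interval before the permissions are set. The enclosing secret definition starts outside the hunk.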
diff --git a/presets/nixos/serverHetzner.nix b/presets/nixos/serverHetzner.nix
index 3714ea8..78b682b 100644
--- a/presets/nixos/serverHetzner.nix
+++ b/presets/nixos/serverHetzner.nix
@@ -40,17 +40,13 @@ in {
 "virtio_scsi"
 ];
- boot.kernelPackages = pkgs.linuxPackages_latest;
- boot.initrd.verbose = true;
-
 boot.kernelParams = [
 "console=tty0"
- #"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
+ "ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
 "boot.shell_on_fail"
 "nohibernate"
- "loglevel=5"
- "verbose"
+ "loglevel=4"
 ] ++ (lib.optionals (system == "aarch64-linux") ["console=tty" "console=ttyAMA0,115200" "console=ttyS0,115200"]);
diff --git a/profiles/chaosInternalWireGuard/wireguard.nix b/profiles/chaosInternalWireGuard/wireguard.nix
index a7204ba..b8cfb63 100644
--- a/profiles/chaosInternalWireGuard/wireguard.nix
+++ b/profiles/chaosInternalWireGuard/wireguard.nix
@@ -35,17 +35,18 @@ in {
 privateKeyFile = "${secrets.wg_private.path}";
 listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
- peers = (map (
+ peers =
+ map (
 hostName: let
 host = wireguardHosts.${hostName};
 in {
- allowedIPs = ["${host.ip}/32"];
- publicKey = host.public;
- endpoint = host.endpoint or null;
+ allowedIPs = ["${host.ip}/32"];
+ publicKey = host.public;
+ endpoint = host.endpoint or null;
 }
 ) (filter (
 hostName: hostName != currentHostName
- ) (attrNames wireguardHosts)));
+ ) (attrNames wireguardHosts));
 };
 };
 }
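Review bot: The now-active `ip=` parameter hard-codes the NIC name `enp1s0` together with `gateway` and `netmask` defined outside the hunk, so any host importing this preset with a differently named primary interface presumably boots without initrd networking and only a kernel log line says why; since the preset is shared (it has an `aarch64-linux` branch two lines down), that assumption deserves to be written down. A comment above the entry would do, e.g. `# static initrd networking: client-ip::gateway:netmask:hostname:device:autoconf; assumes the primary NIC is enp1s0 on every host using this preset`. The trailing `any` autoconf field next to a static address is also worth a word if it is deliberate, as the kernel documents `off`/`none` for a purely static assignment. The enclosing module continues outside the hunk.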