maybe the arm vault works now that i base64 un-encode the ssh host key instead of re-encode?

2023-09-20 17:31:36 +01:00 · 2023-09-20 17:31:36 +01:00 · 2af61a7dd3
parent 350391eb47
commit 2af61a7dd3
11 changed files with 19 additions and 153 deletions
--- a/data/serverEncryptedDrive.nix
+++ b/data/serverEncryptedDrive.nix
@ -1,23 +0,0 @@
 rec {
  # Mountpoints
  mountpoint = "/";
  bootMountpoint = "/boot";
  # Partition Labels
  bootLabel = "nixboot";
  unencryptedLabel = "nixos";
  encryptedPartLabel = "nixos_encrypted";
  # Partition Filesystems
  unencryptedFSType = "ext4";
  bootFSType = "vfat";
  # Mapper Name
  mapperName = "cryptroot";
  # FS Paths
  encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
  decryptedPath = "/dev/mapper/${mapperName}";
  bootPath = "/dev/disk/by-label/${bootLabel}";
 }
--- a/data/serverIPs.nix
+++ b/data/serverIPs.nix
@ -4,7 +4,7 @@ rec {
    ipv6 = "2a01:4f9:c010:8beb::1";
  };
  "vault" = {
-    ipv4 = "65.21.0.145";
+    ipv4 = "65.21.145.62";
-    ipv6 = "2a01:4f9:c012:9b6b::1";
+    ipv6 = "2a01:4f9:c010:6a89::1";
  };
 }
--- a/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
+++ b/hosts/hetzner-arm-installer/hetzner-arm-installer.nix
@ -1,48 +0,0 @@
 {
  tree,
  modulesPath,
  pkgs,
  config,
  lib,
  ...
 }: let
  inherit (lib.strings) escapeShellArgs;
 in {
  nixpkgs.overlays = [
    (final: prev: {
      # skips building zsh docs
      zsh = prev.zsh.overrideAttrs {
        nativeBuildInputs = with final; [autoreconfHook perl groff texinfo pcre util-linux];
      };
    })
  ];
  imports = with tree; [
    (modulesPath + "/installer/netboot/netboot-minimal.nix")
    profiles.sshd
    users.root
  ];
  boot.kernelParams = ["console=tty0" "console=ttyAMA0,115200" "console=ttyS0,115200"];
  documentation.enable = false;
  netboot.squashfsCompression = "zstd -Xcompression-level 1";
  system.build = {
    kexecTarball = pkgs.runCommand "kexec-tarball" {} ''
      mkdir kexec $out
      cp "${config.system.build.netbootRamdisk}/initrd" kexec/initrd
      cp "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}" kexec/bzImage
      install -D -m 0755 ${./run.sh} kexec/run
        sed -i \
        -e 's|@init@|${config.system.build.toplevel}/init|' \
        -e 's|@kernelParams@|${escapeShellArgs config.boot.kernelParams}|' \
        kexec/run
      cp "${pkgs.pkgsStatic.kexec-tools}/bin/kexec" kexec/kexec
      tar -cf $out/hetzner-arm-installer.tar kexec
    '';
  };
  system.stateVersion = "23.11";
 }
--- a/hosts/hetzner-arm-installer/run.sh
+++ b/hosts/hetzner-arm-installer/run.sh
@ -1,19 +0,0 @@
 #!/bin/sh
 set -ex
 init="@init@"
 kernelParams="@kernelParams@"
 cd "$(dirname "$(readlink -f "$0")")"
 if ! ./kexec --load ./bzImage \
  --kexec-syscall-auto \
  --initrd=./initrd --no-checks \
  --command-line "init=$init $kernelParams"; then
  echo "kexec failed, dumping dmesg"
  dmesg | tail -n 100
  exit 1
 fi
 ./kexec -e
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -1,19 +0,0 @@
 {
  tree,
  lib,
  ...
 }: let
  inherit (lib.lists) forEach;
 in {
  imports = with tree; [
    presets.nixos.serverBase
    presets.nixos.serverHetzner
    ./hardware.nix
    ./secrets.nix
  ];
  networking.hostName = "hetzner-arm";
  home-manager.users.root.home.stateVersion = "23.05";
  system.stateVersion = "23.05";
 }
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -81,30 +81,6 @@ in {
    modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix];
  };
  # hetzner-arm-installer.nix is generic, this just is for the machine hetzner-arm
  # add hostname and IPs to serverIPs.nix
  hetzner-arm-installer = nixosUnstableSystem {
    specialArgs =
      defaultSpecialArgs
      // {
        hostPath = ./hetzner-arm-installer;
      };
    system = "aarch64-linux";
    # a more minimal module set
    modules = with tree; [
      profiles.base.hardware
      profiles.base.terminals
      profiles.base.nix
      ./hetzner-arm-installer/hetzner-arm-installer.nix
      presets.nixos.serverHetzner
      ({...}: {
        networking.hostName = "hetzner-arm";
      })
    ];
  };
  vault = nixosUnstableSystem {
    specialArgs =
      defaultSpecialArgs
@ -116,10 +92,7 @@ in {
  };
  # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
-  nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines [];
+  nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
  nixos-live-x86_64-laptops = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
  nixos-live-x86_64-servers = nixosX86_64LiveWithExtraDepsForMachines ["hetzner-vm" "vault"];
  nixos-live-x86_64-all = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495" "vault" "hetzner-vm"];
  # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
  raspberry = nixosUnstableSystem {
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -3,4 +3,11 @@
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  #loader.grub = {
  #  enable = true;
  #  efiSupport = false;
  #  enableCryptodisk = true;
  #  device = "/dev/sda";
  #};
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -31,7 +31,7 @@
        path = "/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
-          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
+          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
        '';
      };
--- a/presets/nixos/serverEncryptedDrive.nix
+++ b/presets/nixos/serverEncryptedDrive.nix
@ -36,8 +36,6 @@ in {
        ++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);
      secrets = {
        # This will need to be generated before install or installed with secrets-init
        # To keep it same across reinstalls add the ssh key and pubkey to secrets module
        "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
      };
--- a/presets/nixos/serverHetzner.nix
+++ b/presets/nixos/serverHetzner.nix
@ -40,17 +40,13 @@ in {
    "virtio_scsi"
  ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.initrd.verbose = true;
  boot.kernelParams =
    [
      "console=tty0"
-      #"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
+      "ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
      "boot.shell_on_fail"
      "nohibernate"
-      "loglevel=5"
+      "loglevel=4"
      "verbose"
    ]
    ++ (lib.optionals (system == "aarch64-linux") ["console=tty" "console=ttyAMA0,115200" "console=ttyS0,115200"]);
--- a/profiles/chaosInternalWireGuard/wireguard.nix
+++ b/profiles/chaosInternalWireGuard/wireguard.nix
@ -35,17 +35,18 @@ in {
      privateKeyFile = "${secrets.wg_private.path}";
      listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
-      peers = (map (
+      peers =
        map (
          hostName: let
            host = wireguardHosts.${hostName};
          in {
-              allowedIPs = ["${host.ip}/32"];
+            allowedIPs = ["${host.ip}/32"];
-              publicKey = host.public;
+            publicKey = host.public;
-              endpoint = host.endpoint or null;
+            endpoint = host.endpoint or null;
          }
        ) (filter (
          hostName: hostName != currentHostName
-        ) (attrNames wireguardHosts)));
+        ) (attrNames wireguardHosts));
    };
  };
 }