maybe the arm vault works now that i base64 un-encode the ssh host key instead of re-encode?

This commit is contained in:
chaos 2023-09-20 17:31:36 +01:00
parent 350391eb47
commit 2af61a7dd3
No known key found for this signature in database
11 changed files with 19 additions and 153 deletions


@ -1,23 +0,0 @@
rec {
# Mountpoints
mountpoint = "/";
bootMountpoint = "/boot";
# Partition Labels
bootLabel = "nixboot";
unencryptedLabel = "nixos";
encryptedPartLabel = "nixos_encrypted";
# Partition Filesystems
unencryptedFSType = "ext4";
bootFSType = "vfat";
# Mapper Name
mapperName = "cryptroot";
# FS Paths
encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
decryptedPath = "/dev/mapper/${mapperName}";
bootPath = "/dev/disk/by-label/${bootLabel}";
}


@ -4,7 +4,7 @@ rec {
ipv6 = "2a01:4f9:c010:8beb::1";
};
"vault" = {
ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1";
ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c010:6a89::1";
};
}


@ -1,48 +0,0 @@
{
tree,
modulesPath,
pkgs,
config,
lib,
...
}: let
inherit (lib.strings) escapeShellArgs;
in {
nixpkgs.overlays = [
(final: prev: {
# skips building zsh docs
zsh = prev.zsh.overrideAttrs {
nativeBuildInputs = with final; [autoreconfHook perl groff texinfo pcre util-linux];
};
})
];
imports = with tree; [
(modulesPath + "/installer/netboot/netboot-minimal.nix")
profiles.sshd
users.root
];
boot.kernelParams = ["console=tty0" "console=ttyAMA0,115200" "console=ttyS0,115200"];
documentation.enable = false;
netboot.squashfsCompression = "zstd -Xcompression-level 1";
system.build = {
kexecTarball = pkgs.runCommand "kexec-tarball" {} ''
mkdir kexec $out
cp "${config.system.build.netbootRamdisk}/initrd" kexec/initrd
cp "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}" kexec/bzImage
install -D -m 0755 ${./run.sh} kexec/run
sed -i \
-e 's|@init@|${config.system.build.toplevel}/init|' \
-e 's|@kernelParams@|${escapeShellArgs config.boot.kernelParams}|' \
kexec/run
cp "${pkgs.pkgsStatic.kexec-tools}/bin/kexec" kexec/kexec
tar -cf $out/hetzner-arm-installer.tar kexec
'';
};
system.stateVersion = "23.11";
}


@ -1,19 +0,0 @@
#!/bin/sh
set -ex
init="@init@"
kernelParams="@kernelParams@"
cd "$(dirname "$(readlink -f "$0")")"
if ! ./kexec --load ./bzImage \
--kexec-syscall-auto \
--initrd=./initrd --no-checks \
--command-line "init=$init $kernelParams"; then
echo "kexec failed, dumping dmesg"
dmesg | tail -n 100
exit 1
fi
./kexec -e


@ -1,19 +0,0 @@
{
tree,
lib,
...
}: let
inherit (lib.lists) forEach;
in {
imports = with tree; [
presets.nixos.serverBase
presets.nixos.serverHetzner
./hardware.nix
./secrets.nix
];
networking.hostName = "hetzner-arm";
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
}


@ -81,30 +81,6 @@ in {
modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix];
};
# hetzner-arm-installer.nix is generic, this just is for the machine hetzner-arm
# add hostname and IPs to serverIPs.nix
hetzner-arm-installer = nixosUnstableSystem {
specialArgs =
defaultSpecialArgs
// {
hostPath = ./hetzner-arm-installer;
};
system = "aarch64-linux";
# a more minimal module set
modules = with tree; [
profiles.base.hardware
profiles.base.terminals
profiles.base.nix
./hetzner-arm-installer/hetzner-arm-installer.nix
presets.nixos.serverHetzner
({...}: {
networking.hostName = "hetzner-arm";
})
];
};
vault = nixosUnstableSystem {
specialArgs =
defaultSpecialArgs
@ -116,10 +92,7 @@ in {
};
# nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines [];
nixos-live-x86_64-laptops = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
nixos-live-x86_64-servers = nixosX86_64LiveWithExtraDepsForMachines ["hetzner-vm" "vault"];
nixos-live-x86_64-all = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495" "vault" "hetzner-vm"];
nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
# nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
raspberry = nixosUnstableSystem {
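Review bot: If the two comment lines about `hetzner-arm-installer.nix` that sit above the deleted `hetzner-arm-installer` attribute survive the deletion (the rendered page does not make their side certain), they now describe a configuration that no longer exists and should be removed with it. In the second hunk the surviving `nixos-live-x86_64` is built with `["lappy-t495"]`, so the `nix build .#nixosConfigurations.nixos-live-x86_64...` comment above it no longer describes a generic live image; either keep the `-laptops` name or say what changed, e.g. `# live image with lappy-t495's extra deps baked in (the generic variant was dropped)`. The enclosing attribute set starts and ends outside these hunks.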


@ -3,4 +3,11 @@
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
#loader.grub = {
# enable = true;
# efiSupport = false;
# enableCryptodisk = true;
# device = "/dev/sda";
#};
}
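Review bot: The added `loader.grub` block is entirely commented out with no note on why it is kept, and it cannot simply be re-enabled: `efiSupport = false` with `device = "/dev/sda"` describes a BIOS-style install, which conflicts with the `systemd-boot.enable` and `efi.canTouchEfiVariables` settings kept just above it. Either drop the dead block or keep it with a one-line reason, e.g. `# alternative BIOS/GRUB loader (enableCryptodisk); not usable together with the EFI/systemd-boot setup above`. The surrounding `loader` set opens before this hunk.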


@ -31,7 +31,7 @@
path = "/ssh_host_ed25519_key";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
'';
};
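Review bot: The decode on the new line still runs inside an unchecked pipeline, so a failed or empty fetch is not caught — if `simple_get` exits non-zero or `.private` resolves to nothing, `base64 -d` still exits 0 and a zero-byte or truncated `ssh_host_ed25519_key` is written to `$secretFile`, which the sshd that loads it (presumably the initrd one, given the `vault-decrypt` name) will then refuse. Under `set -e` alone the pipeline's status is that of `base64`, so add `set -o pipefail` at the top of the script (unless the fetch wrapper, which is outside this hunk, already sets it) and validate the result before trusting it, e.g. `grep -q 'BEGIN OPENSSH PRIVATE KEY' "$secretFile" || { echo 'host key fetch failed' >&2; exit 1; }`. Because the redirection creates the file before `permissions = "600"` can be applied, a `umask 077` in the same script would close the window in which the key is readable under the default umask, assuming the helper does not already do that. The enclosing secrets set starts outside this hunk.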


@ -36,8 +36,6 @@ in {
++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);
secrets = {
# This will need to be generated before install or installed with secrets-init
# To keep it same across reinstalls add the ssh key and pubkey to secrets module
"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
};


@ -40,17 +40,13 @@ in {
"virtio_scsi"
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.verbose = true;
boot.kernelParams =
[
"console=tty0"
#"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:enp1s0:any"
"boot.shell_on_fail"
"nohibernate"
"loglevel=5"
"verbose"
"loglevel=4"
]
++ (lib.optionals (system == "aarch64-linux") ["console=tty" "console=ttyAMA0,115200" "console=ttyS0,115200"]);
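Review bot: The now-active `ip=` line configures initrd networking from a static address taken from `serverIPs` (which this same commit rewrites for vault), and nothing here documents that coupling; if the two drift, the initrd is unreachable and, because `boot.shell_on_fail` remains in the same list, the host falls back to a root shell in the initramfs for anyone with console access. Suggest a comment above the line, `# initrd networking (presumably for remote unlock): must match serverIPs.nix or the host is only reachable via console`, and a decision on whether `boot.shell_on_fail` belongs on a production host with an encrypted root, since it is a debug aid rather than a recovery path. The `boot.kernelParams` assignment is fully inside the hunk, but the enclosing module starts and ends outside it.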


@ -35,17 +35,18 @@ in {
privateKeyFile = "${secrets.wg_private.path}";
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
peers = (map (
peers =
map (
hostName: let
host = wireguardHosts.${hostName};
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
}
) (filter (
hostName: hostName != currentHostName
) (attrNames wireguardHosts)));
) (attrNames wireguardHosts));
};
};
}