add encrypted server profile and move vault to it

2022-12-14 12:04:21 +00:00 · 2022-12-14 12:04:21 +00:00 · 60ec9fbd10
parent 8356332e0f
commit 60ec9fbd10
3 changed files with 79 additions and 11 deletions
--- a/home/base/ssh.nix
+++ b/home/base/ssh.nix
@ -2,7 +2,7 @@
  programs.ssh.enable = true;
  programs.ssh.matchBlocks =
    lib.mkMerge
-    (lib.forEach ["hetzner-vm" "storage" "vault" "buildbox"] (hostname: {
+    (lib.forEach ["hetzner-vm" "storage" "vault" "vault-decrypt" "buildbox"] (hostname: {
      "${hostname}" = {
        user = "root";
        hostname = "${hostname}.servers.genderfucked.monster";
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -1,11 +1,10 @@
-{modulesPath, ...}: {
-  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
-
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.initrd.kernelModules = ["nvme"];
-  fileSystems."/" = {
-    device = "/dev/sda1";
-    fsType = "ext4";
-  };
+{
+  modulesPath,
+  tree,
+  ...
+}: {
+  imports = with tree; [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    presets.nixos.server-encrypted-drive
+  ];
 }
--- a/presets/nixos/server-encrypted-drive.nix
+++ b/presets/nixos/server-encrypted-drive.nix
@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  config.boot = {
+    loader.systemd-boot.enable = false;
+
+    loader.grub = {
+      enable = true;
+      efiSupport = false;
+      version = 2;
+      enableCryptodisk = true;
+      device = "/dev/sda";
+    };
+
+    initrd.availableKernelModules = [
+      "nvme"
+      "ahci"
+      "xhci_pci"
+      "virtio_pci"
+      "sd_mod"
+      "sr_mod" # For Storage
+      "virtio_net" # For Hetzner VMs Networking
+
+      # For Cryptography
+      "aesni_intel"
+      "cryptd"
+    ];
+
+    loader.supportsInitrdSecrets = true;
+    initrd.luks.forceLuksSupportInInitrd = true;
+    initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+        hostKeys = ["/ssh_host_ed25519_key"];
+      };
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+
+    initrd.secrets = {
+      "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
+    };
+
+    initrd.luks.devices = {
+      "nixos_unencrypted" = {
+        device = "/dev/sda3";
+        preLVM = false;
+        allowDiscards = true;
+      };
+    };
+  };
+
+  config.fileSystems = {
+    "/" = {
+      device = "/dev/mapper/nixos_unencrypted";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/sda2";
+      fsType = "vfat";
+    };
+  };
+}