chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

add encrypted server profile and move vault to it

Browse source
This commit is contained in:
Chaos 2022-12-14 12:04:21 +00:00
parent 8356332e0f
commit 60ec9fbd10
No known key found for this signature in database
3 changed files with 79 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
home/base/ssh.nix
View file

@ -2,7 +2,7 @@
programs.ssh.enable = true; programs.ssh.enable = true;
programs.ssh.matchBlocks = programs.ssh.matchBlocks =
lib.mkMerge lib.mkMerge
(lib.forEach ["hetzner-vm" "storage" "vault" "buildbox"] (hostname: { (lib.forEach ["hetzner-vm" "storage" "vault" "vault-decrypt" "buildbox"] (hostname: {
"${hostname}" = { "${hostname}" = {
user = "root"; user = "root";
hostname = "${hostname}.servers.genderfucked.monster"; hostname = "${hostname}.servers.genderfucked.monster";

19
hosts/vault/hardware.nix
View file

@ -1,11 +1,10 @@
{modulesPath, ...}: { {
imports = [(modulesPath + "/profiles/qemu-guest.nix")]; modulesPath,
tree,
boot.loader.grub.enable = true; ...
boot.loader.grub.device = "/dev/sda"; }: {
boot.initrd.kernelModules = ["nvme"]; imports = with tree; [
fileSystems."/" = { (modulesPath + "/profiles/qemu-guest.nix")
device = "/dev/sda1"; presets.nixos.server-encrypted-drive
fsType = "ext4"; ];
};
} }

69
presets/nixos/server-encrypted-drive.nix Normal file
View file

@ -0,0 +1,69 @@
{
config,
pkgs,
...
}: {
config.boot = {
loader.systemd-boot.enable = false;
loader.grub = {
enable = true;
efiSupport = false;
version = 2;
enableCryptodisk = true;
device = "/dev/sda";
};
initrd.availableKernelModules = [
"nvme"
"ahci"
"xhci_pci"
"virtio_pci"
"sd_mod"
"sr_mod" # For Storage
"virtio_net" # For Hetzner VMs Networking
# For Cryptography
"aesni_intel"
"cryptd"
];
loader.supportsInitrdSecrets = true;
initrd.luks.forceLuksSupportInInitrd = true;
initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = ["/ssh_host_ed25519_key"];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
initrd.secrets = {
"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
};
initrd.luks.devices = {
"nixos_unencrypted" = {
device = "/dev/sda3";
preLVM = false;
allowDiscards = true;
};
};
};
config.fileSystems = {
"/" = {
device = "/dev/mapper/nixos_unencrypted";
fsType = "ext4";
};
"/boot" = {
device = "/dev/sda2";
fsType = "vfat";
};
};
}