AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

machine configs update

Browse Source
This commit is contained in:
Dmitriy Kholkin 2022-12-14 23:53:18 +03:00
parent ce3af3b61e
commit 9650198c39
6 changed files with 750 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

305
install/install-zfs-enc-boot.sh Executable file
View File

@ -0,0 +1,305 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p gptfdisk parted git
set -e
CONFIG_FOLDER="$(dirname "$(pwd)")"
LUKS_DEVICE_NAME=cryptroot
BOOT_DEVICE_NAME=cryptboot
DEVICE_NAME=Hypervisor-VM
# IS_VM=true
MAX_JOBS=2
USE_SWAP=true
BOOT_POOL_SIZE=4GiB
SWAP_SIZE=1GiB
BOOT_RESERVATION=128M
ROOT_RESERVATION=1G
USE_ECNRYPTION=true
ITER_TIME=2000
PERSIST_MODULE=true
PERSIST_ROOT=/persistent
MAINUSER_NAME=alukard
if [[ "$IS_VM" = true ]]; then
DISK_DEV_NODES="/dev/disk/by-path"
else
DISK_DEV_NODES="/dev/disk/by-id"
fi
clean_stdin() {
while read -r -t 0; do read -r; done
}
pprint () {
local cyan="\e[96m"
local default="\e[39m"
local timestamp
timestamp=$(date +%FT%T.%3NZ)
echo -e "${cyan}${timestamp} $1${default}" 1>&2
}
# Create new partitions
create_new_part_table() {
select ENTRY in $(ls $DISK_DEV_NODES);
do
DISK="$DISK_DEV_NODES/$ENTRY"
echo "Installing system on $ENTRY"
break
done
read -s -p "> Do you want to wipe all data on $ENTRY ?" -n 1 -r
echo
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
sgdisk --zap-all "$DISK"
fi
pprint "Creating boot (EFI) partition"
sgdisk -n1:1MiB:+512MiB -t1:EF00 "$DISK"
EFI="$DISK-part1"
pprint "Creating boot (ZFS) partition"
if [[ "$USE_ECNRYPTION" = true ]]
then
sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:8309 "$DISK"
else
sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:BF00 "$DISK"
fi
BOOT="$DISK-part2"
if [[ "$USE_SWAP" = true ]]
then
pprint "Creating SWAP partition"
sgdisk -n4:0:+$SWAP_SIZE -t4:8200 "$DISK"
fi
if [[ "$USE_ECNRYPTION" = true ]]
then
pprint "Creating LUKS partition"
sgdisk -n3:0:0 -t3:8309 "$DISK"
else
pprint "Creating ROOT partition"
sgdisk -n3:0:0 -t3:BF00 "$DISK"
fi
ROOT="$DISK-part3"
partprobe "$DISK"
sleep 1
pprint "Format EFI partition $EFI"
mkfs.vfat -n EFI "$EFI"
}
### INSTALLATION BEGIN ###
create_new_part_table
if [[ "$USE_ECNRYPTION" = true ]]
then
dd if=/dev/urandom of=./keyfile0.bin bs=1024 count=4
pprint "Creating LUKS container on $BOOT"
clean_stdin
cryptsetup --type luks2 --pbkdf argon2id --iter-time $ITER_TIME -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$BOOT"
clean_stdin
pprint "Add keyfile to LUKS container on $BOOT"
cryptsetup luksAddKey $BOOT keyfile0.bin
pprint "Open LUKS container on $BOOT"
cryptsetup luksOpen --allow-discards "$BOOT" "$BOOT_DEVICE_NAME" -d keyfile0.bin
pprint "Creating LUKS container on $ROOT"
clean_stdin
cryptsetup --type luks2 --pbkdf argon2id --iter-time $ITER_TIME -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$ROOT"
clean_stdin
pprint "Add keyfile to LUKS container on $ROOT"
cryptsetup luksAddKey $ROOT keyfile0.bin
pprint "Open LUKS container on $ROOT"
cryptsetup luksOpen --allow-discards "$ROOT" "$LUKS_DEVICE_NAME" -d keyfile0.bin
BOOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$BOOT_DEVICE_NAME)"
# BOOT_POOL="$BOOT"
ROOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$LUKS_DEVICE_NAME)"
else
BOOT_POOL="$BOOT"
ROOT_POOL="$ROOT"
fi
pprint "Create ZFS root pool on $ROOT_POOL"
zpool create \
-f \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O atime=on \
-O canmount=off \
-O compression=zstd \
-O dnodesize=auto \
-O normalization=formD \
-O relatime=on \
-O xattr=sa \
-O dedup=off \
-O mountpoint=/ \
-R /mnt \
rpool "$ROOT_POOL"
pprint "Create ZFS root datasets"
zfs create -o refreservation=$ROOT_RESERVATION -o canmount=off -o mountpoint=none rpool/reserved
# top level datasets
zfs create -o canmount=off -o mountpoint=none rpool/nixos
zfs create -o canmount=off -o mountpoint=none rpool/user
zfs create -o canmount=off -o mountpoint=none rpool/persistent
# empty root
zfs create -o canmount=noauto -o mountpoint=/ rpool/nixos/root
zfs mount rpool/nixos/root
zfs create -o canmount=on -o mountpoint=/home rpool/user/home
# persistent across boots
zfs create -o canmount=on -o mountpoint=$PERSIST_ROOT rpool/persistent/impermanence
if [[ "$PERSIST_MODULE" = true ]]; then
mkdir -p /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
chown 1000:100 /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
chmod 755 /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
fi
zfs create -o canmount=on -o mountpoint=/srv rpool/persistent/servers
zfs create -o canmount=on -o mountpoint=/etc/secrets rpool/persistent/secrets
zfs create -o canmount=on -o mountpoint=/nix rpool/persistent/nix
zfs create -o canmount=on -o mountpoint=/var/log rpool/persistent/log
zfs create -o canmount=noauto -o atime=off rpool/persistent/lxd
zfs create -o canmount=on -o mountpoint=/var/lib/docker -o atime=off rpool/persistent/docker
zfs create -o canmount=on -o mountpoint=/media/bittorrent -o atime=off -o recordsize=256K rpool/persistent/bittorrent
zfs create -o canmount=on -o mountpoint=/media/libvirt -o atime=off -o recordsize=64K rpool/persistent/libvirt
# Create empty zfs snapshots
zfs snapshot rpool/nixos@empty
zfs snapshot rpool/nixos/root@empty
zfs snapshot rpool/user@empty
zfs snapshot rpool/user/home@empty
zfs snapshot rpool/persistent@empty
zfs snapshot rpool/persistent/impermanence@empty
zfs snapshot rpool/persistent/servers@empty
zfs snapshot rpool/persistent/secrets@empty
zfs snapshot rpool/persistent/nix@empty
zfs snapshot rpool/persistent/log@empty
zfs snapshot rpool/persistent/lxd@empty
zfs snapshot rpool/persistent/docker@empty
zfs snapshot rpool/persistent/bittorrent@empty
zfs snapshot rpool/persistent/libvirt@empty
pprint "Create ZFS boot pool on $BOOT_POOL"
zpool create \
-f \
-o compatibility=grub2 \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O atime=on \
-O canmount=off \
-O compression=lz4 \
-O devices=off \
-O normalization=formD \
-O relatime=on \
-O xattr=sa \
-O dedup=off \
-O mountpoint=/boot \
-R /mnt \
bpool "$BOOT_POOL"
pprint "Create ZFS boot datasets"
zfs create -o refreservation=$BOOT_RESERVATION -o canmount=off -o mountpoint=none bpool/reserved
zfs create -o canmount=off -o mountpoint=none bpool/nixos
zfs create -o canmount=on -o mountpoint=/boot bpool/nixos/boot
zfs snapshot bpool/nixos@empty
zfs snapshot bpool/nixos/boot@empty
# Disable cache, stale cache will prevent system from booting
if [[ "$PERSIST_MODULE" = true ]]; then
mkdir -p /mnt"$PERSIST_ROOT"/etc/zfs/
rm -f /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
touch /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
chmod a-w /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
chattr +i /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
else
mkdir -p /mnt/etc/zfs/
rm -f /mnt/etc/zfs/zpool.cache
touch /mnt/etc/zfs/zpool.cache
chmod a-w /mnt/etc/zfs/zpool.cache
chattr +i /mnt/etc/zfs/zpool.cache
fi
mkdir -p /mnt/boot/efi
mount -t vfat "$EFI" /mnt/boot/efi
if [[ "$USE_SWAP" = true ]]; then
SWAP="$DISK-part4"
mkswap -L swap -f "$SWAP"
fi
pprint "Generate NixOS configuration"
[[ -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix ]] && CONFIG_EXISTS=true
nixos-generate-config --root /mnt --dir $CONFIG_FOLDER/machines/$DEVICE_NAME
[[ -z "$CONFIG_EXISTS" ]] && rm -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix
HOSTID=$(head -c8 /etc/machine-id)
BOOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$BOOT")
ROOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$ROOT")
[[ ! -z "$SWAP" ]] && SWAP_PARTUUID=$(blkid --match-tag PARTUUID --output value "$SWAP")
HARDWARE_CONFIG=$(mktemp)
if [[ "$USE_ECNRYPTION" = true ]]
then
cat <<CONFIG > "$HARDWARE_CONFIG"
networking.hostId = "$HOSTID";
boot.zfs.devNodes = "$DISK_DEV_NODES";
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.luks.devices."$BOOT_DEVICE_NAME".device = "/dev/disk/by-partuuid/$BOOT_PARTUUID";
boot.initrd.luks.devices."$LUKS_DEVICE_NAME".device = "/dev/disk/by-partuuid/$ROOT_PARTUUID";
CONFIG
else
cat <<CONFIG > "$HARDWARE_CONFIG"
networking.hostId = "$HOSTID";
boot.zfs.devNodes = "$DISK_DEV_NODES";
boot.supportedFilesystems = [ "zfs" ];
CONFIG
fi
pprint "Append ZFS configuration to hardware-configuration.nix"
sed -i "\$e cat $HARDWARE_CONFIG" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
sed -i 's|fsType = "zfs";|fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];|g' $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
if [[ ! -z "$SWAP" ]]; then
sed -i "s|swapDevices = \[ \];|swapDevices = \[\n {\n device = \"/dev/disk/by-partuuid/$SWAP_PARTUUID\";\n randomEncryption.enable = true;\n randomEncryption.allowDiscards = true;\n }\n \];|" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
fi
chown 1000:100 $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
git add -A
pprint "Copy config to destination system"
mkdir -p /mnt/home/"$MAINUSER_NAME"/nixos-config
cp -aT $CONFIG_FOLDER /mnt/home/"$MAINUSER_NAME"/nixos-config
pprint "Gen ssh host key for initrd"
ssh-keygen -t ed25519 -N "" -f /mnt/etc/secrets/ssh_host_key
chown root:root /mnt/etc/secrets/ssh_host_key
chmod 600 /mnt/etc/secrets/ssh_host_key
if [[ "$USE_ECNRYPTION" = true ]]
then
cp keyfile0.bin /mnt/etc/secrets/keyfile0.bin
chmod 000 /mnt/etc/secrets/keyfile*.bin
fi
clean_stdin
read -s -p "> Do you want to execute nixos-install command?" -n 1 -r
echo
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
nixos-install --flake "../#$DEVICE_NAME" --root /mnt --no-root-passwd --max-jobs $MAX_JOBS
fi
umount -Rl /mnt && \
zpool export -a && \
cryptsetup luksClose $BOOT_DEVICE_NAME && \
cryptsetup luksClose $LUKS_DEVICE_NAME

275
install/install-zfs-nonenc-boot.sh Executable file
View File

@ -0,0 +1,275 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p gptfdisk parted git
set -e
CONFIG_FOLDER="$(dirname "$(pwd)")"
LUKS_DEVICE_NAME=cryptroot
DEVICE_NAME=Hypervisor-VM
# IS_VM=true
MAX_JOBS=2
USE_SWAP=true
BOOT_POOL_SIZE=4GiB
SWAP_SIZE=1GiB
BOOT_RESERVATION=128M
ROOT_RESERVATION=1G
USE_ECNRYPTION=true
if [[ "$IS_VM" = true ]]; then
DISK_DEV_NODES="/dev/disk/by-path"
else
DISK_DEV_NODES="/dev/disk/by-id"
fi
clean_stdin() {
while read -r -t 0; do read -r; done
}
pprint () {
local cyan="\e[96m"
local default="\e[39m"
local timestamp
timestamp=$(date +%FT%T.%3NZ)
echo -e "${cyan}${timestamp} $1${default}" 1>&2
}
# Create new partitions
create_new_part_table() {
select ENTRY in $(ls $DISK_DEV_NODES);
do
DISK="$DISK_DEV_NODES/$ENTRY"
echo "Installing system on $ENTRY"
break
done
read -s -p "> Do you want to wipe all data on $ENTRY ?" -n 1 -r
echo
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
sgdisk --zap-all "$DISK"
fi
pprint "Creating boot (EFI) partition"
sgdisk -n1:1MiB:+512MiB -t1:EF00 "$DISK"
EFI="$DISK-part1"
pprint "Creating boot (ZFS) partition"
sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:BF00 "$DISK"
BOOT="$DISK-part2"
if [[ "$USE_SWAP" = true ]]
then
pprint "Creating SWAP partition"
sgdisk -n4:0:+$SWAP_SIZE -t4:8200 "$DISK"
fi
if [[ "$USE_ECNRYPTION" = true ]]
then
pprint "Creating LUKS partition"
sgdisk -n3:0:0 -t3:8309 "$DISK"
else
pprint "Creating ROOT partition"
sgdisk -n3:0:0 -t3:BF00 "$DISK"
fi
ROOT="$DISK-part3"
partprobe "$DISK"
sleep 1
pprint "Format EFI partition $EFI"
mkfs.vfat -n EFI "$EFI"
}
### INSTALLATION BEGIN ###
create_new_part_table
if [[ "$USE_ECNRYPTION" = true ]]
then
dd if=/dev/urandom of=./keyfile0.bin bs=4096 count=4
pprint "Creating LUKS container on $ROOT"
clean_stdin
cryptsetup --type luks2 --pbkdf argon2id -i 20 -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$ROOT"
clean_stdin
pprint "Add keyfile to LUKS container on $ROOT"
cryptsetup luksAddKey $ROOT keyfile0.bin
pprint "Open LUKS container on $ROOT"
cryptsetup luksOpen --allow-discards "$ROOT" "$LUKS_DEVICE_NAME" -d keyfile0.bin
BOOT_POOL="$BOOT"
ROOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$LUKS_DEVICE_NAME)"
else
BOOT_POOL="$BOOT"
ROOT_POOL="$ROOT"
fi
pprint "Create ZFS root pool on $ROOT_POOL"
zpool create \
-f \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O atime=on \
-O canmount=off \
-O compression=zstd \
-O dnodesize=auto \
-O normalization=formD \
-O relatime=on \
-O xattr=sa \
-O dedup=off \
-O mountpoint=/ \
-R /mnt \
rpool "$ROOT_POOL"
pprint "Create ZFS root datasets"
zfs create -o refreservation=$ROOT_RESERVATION -o canmount=off -o mountpoint=none rpool/reserved
# top level datasets
zfs create -o canmount=off -o mountpoint=none rpool/nixos
zfs create -o canmount=off -o mountpoint=none rpool/user
zfs create -o canmount=off -o mountpoint=none rpool/persistent
# empty root
zfs create -o canmount=noauto -o mountpoint=/ rpool/nixos/root
zfs mount rpool/nixos/root
zfs create -o canmount=on -o mountpoint=/home rpool/user/home
# persistent across boots
zfs create -o canmount=on -o mountpoint=/persistent rpool/persistent/impermanence
zfs create -o canmount=on -o mountpoint=/etc/secrets rpool/persistent/secrets
zfs create -o canmount=on -o mountpoint=/nix rpool/persistent/nix
# zfs create -o canmount=on -o mountpoint=/boot rpool/persistent/boot
zfs create -o canmount=on -o mountpoint=/var/log rpool/persistent/log
zfs create -o canmount=noauto -o atime=off rpool/persistent/lxd
zfs create -o canmount=on -o mountpoint=/var/lib/docker -o atime=off rpool/persistent/docker
zfs create -o canmount=on -o mountpoint=/media/bittorrent -o atime=off -o recordsize=256K rpool/persistent/bittorrent
zfs create -o canmount=on -o mountpoint=/media/libvirt -o atime=off -o recordsize=64K rpool/persistent/libvirt
# Create empty zfs snapshots
zfs snapshot rpool/nixos@empty
zfs snapshot rpool/nixos/root@empty
zfs snapshot rpool/user@empty
zfs snapshot rpool/user/home@empty
pprint "Create ZFS boot pool on $BOOT_POOL"
zpool create \
-f \
-o compatibility=grub2 \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O atime=on \
-O canmount=off \
-O compression=lz4 \
-O devices=off \
-O normalization=formD \
-O relatime=on \
-O xattr=sa \
-O dedup=off \
-O mountpoint=/boot \
-R /mnt \
bpool "$BOOT_POOL"
# zpool create \
# -f \
# -o ashift=12 \
# -o autotrim=on \
# -O acltype=posixacl \
# -O atime=on \
# -O canmount=off \
# -O compression=zstd \
# -O dnodesize=auto \
# -O normalization=formD \
# -O relatime=on \
# -O xattr=sa \
# -O dedup=off \
# -O mountpoint=/boot \
# -R /mnt \
# bpool "$BOOT_POOL"
pprint "Create ZFS boot datasets"
zfs create -o refreservation=$BOOT_RESERVATION -o canmount=off -o mountpoint=none bpool/reserved
zfs create -o canmount=off -o mountpoint=none bpool/nixos
zfs create -o canmount=on -o mountpoint=/boot bpool/nixos/boot
zfs snapshot bpool/nixos@empty
zfs snapshot bpool/nixos/boot@empty
# Disable cache, stale cache will prevent system from booting
mkdir -p /mnt/etc/zfs/
rm -f /mnt/etc/zfs/zpool.cache
touch /mnt/etc/zfs/zpool.cache
chmod a-w /mnt/etc/zfs/zpool.cache
chattr +i /mnt/etc/zfs/zpool.cache
mkdir -p /mnt/boot/efi
mount -t vfat "$EFI" /mnt/boot/efi
if [[ "$USE_SWAP" = true ]]; then
SWAP="$DISK-part4"
mkswap -L swap -f "$SWAP"
fi
pprint "Generate NixOS configuration"
[[ -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix ]] && CONFIG_EXISTS=true
nixos-generate-config --root /mnt --dir $CONFIG_FOLDER/machines/$DEVICE_NAME
[[ -z "$CONFIG_EXISTS" ]] && rm -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix
HOSTID=$(head -c8 /etc/machine-id)
ROOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$ROOT")
[[ ! -z "$SWAP" ]] && SWAP_PARTUUID=$(blkid --match-tag PARTUUID --output value "$SWAP")
HARDWARE_CONFIG=$(mktemp)
if [[ "$USE_ECNRYPTION" = true ]]
then
cat <<CONFIG > "$HARDWARE_CONFIG"
networking.hostId = "$HOSTID";
boot.zfs.devNodes = "$DISK_DEV_NODES";
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.luks.devices."$LUKS_DEVICE_NAME".device = "/dev/disk/by-partuuid/$ROOT_PARTUUID";
CONFIG
else
cat <<CONFIG > "$HARDWARE_CONFIG"
networking.hostId = "$HOSTID";
boot.zfs.devNodes = "$DISK_DEV_NODES";
boot.supportedFilesystems = [ "zfs" ];
CONFIG
fi
pprint "Append ZFS configuration to hardware-configuration.nix"
sed -i "\$e cat $HARDWARE_CONFIG" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
sed -i 's|fsType = "zfs";|fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];|g' $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
if [[ ! -z "$SWAP" ]]; then
sed -i "s|swapDevices = \[ \];|swapDevices = \[\n {\n device = \"/dev/disk/by-partuuid/$SWAP_PARTUUID\";\n randomEncryption.enable = true;\n randomEncryption.allowDiscards = true;\n }\n \];|" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
fi
chown 1000:100 $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
git add -A
pprint "Copy config to destination system"
mkdir -p /mnt/home/alukard/nixos-config
cp -aT $CONFIG_FOLDER /mnt/home/alukard/nixos-config
pprint "Gen ssh host key for initrd"
ssh-keygen -t ed25519 -N "" -f /mnt/etc/secrets/ssh_host_key
chown root:root /mnt/etc/secrets/ssh_host_key
chmod 600 /mnt/etc/secrets/ssh_host_key
if [[ "$USE_ECNRYPTION" = true ]]
then
cp keyfile0.bin /mnt/etc/secrets/keyfile0.bin
chmod 000 /mnt/etc/secrets/keyfile*.bin
fi
clean_stdin
read -s -p "> Do you want to execute nixos-install command?" -n 1 -r
echo
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
nixos-install --flake "../#$DEVICE_NAME" --root /mnt --max-jobs $MAX_JOBS --no-root-passwd
fi
umount -Rl /mnt && \
zpool export -a && \
cryptsetup luksClose $LUKS_DEVICE_NAME

47
machines/Flakes-ISO/default.nix
View File

@ -3,15 +3,42 @@
"${toString modulesPath}/installer/cd-dvd/installation-cd-graphical-plasma5.nix"
];
environment.systemPackages = [ pkgs.git ];
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
registry.self.flake = inputs.self;
registry.nixpkgs.flake = inputs.nixpkgs;
extraOptions = ''
experimental-features = nix-command flakes
'';
options = {
device = lib.mkOption { type = lib.types.str; };
};
config = {
networking.hostName = "Flakes-ISO";
programs.ssh.extraConfig = ''
Host nix-builder
hostname 192.168.0.100
user ${config.mainuser}
identitiesOnly yes
identityFile /home/nixos/ssh-builder
'';
environment.systemPackages = [ pkgs.git ];
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
registry.self.flake = inputs.self;
registry.nixpkgs.flake = inputs.nixpkgs;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes
flake-registry = ${inputs.flake-registry}/flake-registry.json
'';
buildMachines = [{
hostName = "nix-builder";
maxJobs = 8;
sshUser = config.mainuser;
sshKey = "/home/nixos/ssh-builder";
systems = [ "x86_64-linux" "i686-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
distributedBuilds = true;
};
environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self;
};
environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self;
}

82
machines/Hypervisor-VM/boot.nix Normal file
View File

@ -0,0 +1,82 @@
{ config, pkgs, lib, ... }:
let
zfs_arc_max = toString (1 * 1024 * 1024 * 1024);
in {
boot = {
zfs.forceImportAll = lib.mkForce false;
loader.efi.canTouchEfiVariables = false;
loader.efi.efiSysMountPoint = "/boot/efi";
loader.generationsDir.copyKernels = true;
loader.grub = {
enable = true;
device = "nodev";
version = 2;
efiSupport = true;
enableCryptodisk = true;
zfsSupport = true;
efiInstallAsRemovable = true;
copyKernels = true;
# # extraPrepareConfig = ''
# # '';
};
initrd = {
availableKernelModules = [ "tg3" ]; # for dell-laptop
# postMountCommands = ''
# '';
luks.devices = {
"cryptboot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
# postOpenCommands = "";
# preOpenCommands = "";
};
"cryptroot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
};
};
secrets = {
"keyfile0.bin" = "/etc/secrets/keyfile0.bin";
};
};
kernelPackages = pkgs.linuxPackages_hardened;
kernelModules = [ "tcp_bbr" ];
kernelParams = [
"zfs.zfs_arc_max=${zfs_arc_max}"
"zswap.enabled=0"
"quiet"
"scsi_mod.use_blk_mq=1"
"modeset"
"nofb"
"pti=off"
"spectre_v2=off"
"kvm.ignore_msrs=1"
"rd.systemd.show_status=auto"
"rd.udev.log_priority=3"
];
kernel.sysctl = {
"kernel.sysrq" = false;
"net.core.default_qdisc" = "sch_fq_codel";
"net.ipv4.conf.all.accept_source_route" = false;
"net.ipv4.icmp_ignore_bogus_error_responses" = true;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_rfc1337" = true;
"net.ipv4.tcp_syncookies" = true;
"net.ipv6.conf.all.accept_source_route" = false;
# disable ipv6
"net.ipv6.conf.all.disable_ipv6" = true;
"net.ipv6.conf.default.disable_ipv6" = true;
};
kernel.sysctl = {
"vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
};
cleanTmpDir = true;
};
}

129
machines/Hypervisor-VM/default.nix
View File

@ -1,15 +1,46 @@
{ modulesPath, inputs, lib, pkgs, config, options, ... }:
let
zfs_arc_max = toString (1 * 1024 * 1024 * 1024);
in {
{ modulesPath, inputs, lib, pkgs, config, options, ... }: {
imports = with inputs.self; [
"${toString modulesPath}/profiles/hardened.nix"
./hardware-configuration.nix
./boot.nix
# ./persistent.nix
nixosRoles.hypervisor
nixosProfiles.direnv
nixosModules.persist
];
fileSystems = {
"/home/alukard/conf" = {
fsType = "virtiofs";
device = "viofs";
options = [
"defaults"
"nofail"
];
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 80;
numDevices = 1;
};
# Impermanence
persist = {
enable = true;
cache.clean.enable = true;
state.files = [ "/etc/machine-id" ];
};
fileSystems."/home".neededForBoot = true;
fileSystems."/persistent".neededForBoot = true;
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r rpool/nixos/root@empty
zfs rollback -r rpool/user/home@empty
'';
# build hell
environment.noXlibs = lib.mkForce false;
# minimal profile
@ -21,88 +52,7 @@ in {
xdg.sounds.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
# boot
boot = {
zfs.forceImportAll = lib.mkForce false;
loader.efi.canTouchEfiVariables = false;
loader.efi.efiSysMountPoint = "/boot/efi";
loader.systemd-boot.enable = false;
loader.generationsDir.copyKernels = true;
loader.grub = {
enable = true;
device = "nodev";
version = 2;
efiSupport = true;
enableCryptodisk = true;
zfsSupport = true;
efiInstallAsRemovable = true;
copyKernels = true;
# extraPrepareConfig = ''
# '';
};
initrd = {
supportedFilesystems = [ "zfs" ];
luks.devices = {
"cryptboot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
# postOpenCommands = "";
# preOpenCommands = "";
};
"cryptroot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
};
};
secrets = {
"keyfile0.bin" = "/etc/secrets/keyfile0.bin";
};
};
kernelPackages = pkgs.linuxPackages_hardened;
kernelModules = [ "tcp_bbr" ];
kernelParams = [
"zfs.zfs_arc_max=${zfs_arc_max}"
"zswap.enabled=0"
"quiet"
"scsi_mod.use_blk_mq=1"
"modeset"
"nofb"
"pti=off"
"spectre_v2=off"
"kvm.ignore_msrs=1"
"rd.systemd.show_status=auto"
"rd.udev.log_priority=3"
];
kernel.sysctl = {
"kernel.sysrq" = false;
"net.core.default_qdisc" = "sch_fq_codel";
"net.ipv4.conf.all.accept_source_route" = false;
"net.ipv4.icmp_ignore_bogus_error_responses" = true;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_rfc1337" = true;
"net.ipv4.tcp_syncookies" = true;
"net.ipv6.conf.all.accept_source_route" = false;
# disable ipv6
"net.ipv6.conf.all.disable_ipv6" = true;
"net.ipv6.conf.default.disable_ipv6" = true;
};
kernel.sysctl = {
"vm.swappiness" = 1;
};
cleanTmpDir = true;
};
# security.polkit.enable = true;
# system.nssModules = lib.mkForce [ ];
# services.nscd.enable = false;
deviceSpecific.devInfo = {
cpu = {
@ -120,13 +70,18 @@ in {
};
bigScreen = false;
ram = 12;
fileSystem = "zfs";
};
deviceSpecific.enableVirtualisation = true;
deviceSpecific.wireguard.enable = false;
deviceSpecific.isServer = true;
services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.interval = "daily";
services.zfs = {
autoScrub.enable = true;
autoScrub.interval = "daily";
trim.enable = true;
trim.interval = "weekly";
};
# hardened
networking.firewall.enable = true;

13
machines/Hypervisor-VM/hardware-configuration.nix
View File

@ -28,6 +28,11 @@
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/srv" =
{ device = "rpool/persistent/servers";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/etc/secrets" =
{ device = "rpool/persistent/secrets";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
@ -64,13 +69,13 @@
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/D76A-09CE";
{ device = "/dev/disk/by-uuid/AFFE-0DF3";
fsType = "vfat";
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/d92c3ab0-8205-49fb-99ab-abe98a943d39";
device = "/dev/disk/by-partuuid/7e8f2ee1-0f2e-4b77-9c4d-916804573ef7";
randomEncryption.enable = true;
randomEncryption.allowDiscards = true;
}
@ -88,6 +93,6 @@
networking.hostId = "41d97526";
boot.zfs.devNodes = "/dev/disk/by-id";
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/45979da9-33b7-4c7a-8eaf-005e642a974d";
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/74d318d9-1349-4281-8bbd-82ac718f052c";
boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/7df4b6a7-13a1-4600-806e-34d3aa1bfd93";
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/4c8631b2-c925-49ea-8861-84e3071e0557";
}