From 9650198c392d7a36eeec2de4e72047dae071e2e4 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Wed, 14 Dec 2022 23:53:18 +0300
Subject: [PATCH] machine configs update

---
install/install-zfs-enc-boot.sh | 305 ++++++++++++++++++
install/install-zfs-nonenc-boot.sh | 275 ++++++++++++++++
machines/Flakes-ISO/default.nix | 47 ++-
machines/Hypervisor-VM/boot.nix | 82 +++++
machines/Hypervisor-VM/default.nix | 129 +++----
.../Hypervisor-VM/hardware-configuration.nix | 13 +-
6 files changed, 750 insertions(+), 101 deletions(-)
create mode 100755 install/install-zfs-enc-boot.sh
create mode 100755 install/install-zfs-nonenc-boot.sh
create mode 100644 machines/Hypervisor-VM/boot.nix

diff --git a/install/install-zfs-enc-boot.sh b/install/install-zfs-enc-boot.sh
new file mode 100755
index 0000000..c59e520
--- /dev/null
+++ b/install/install-zfs-enc-boot.sh
@@ -0,0 +1,305 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p gptfdisk parted git
+
+set -e
+
+CONFIG_FOLDER="$(dirname "$(pwd)")"
+LUKS_DEVICE_NAME=cryptroot
+BOOT_DEVICE_NAME=cryptboot
+DEVICE_NAME=Hypervisor-VM
+# IS_VM=true
+MAX_JOBS=2
+USE_SWAP=true
+BOOT_POOL_SIZE=4GiB
+SWAP_SIZE=1GiB
+BOOT_RESERVATION=128M
+ROOT_RESERVATION=1G
+USE_ECNRYPTION=true
+ITER_TIME=2000
+PERSIST_MODULE=true
+PERSIST_ROOT=/persistent
+MAINUSER_NAME=alukard
+
+if [[ "$IS_VM" = true ]]; then
+ DISK_DEV_NODES="/dev/disk/by-path"
+else
+ DISK_DEV_NODES="/dev/disk/by-id"
+fi
+
+clean_stdin() {
+ while read -r -t 0; do read -r; done
+}
+
+pprint () {
+ local cyan="\e[96m"
+ local default="\e[39m"
+ local timestamp
+ timestamp=$(date +%FT%T.%3NZ)
+ echo -e "${cyan}${timestamp} $1${default}" 1>&2
+}
+
+# Create new partitions
+create_new_part_table() {
+ select ENTRY in $(ls $DISK_DEV_NODES);
+ do
+ DISK="$DISK_DEV_NODES/$ENTRY"
+ echo "Installing system on $ENTRY"
+ break
+ done
+
+ read -s -p "> Do you want to wipe all data on $ENTRY ?" -n 1 -r
+ echo
+ if [[ "$REPLY" =~ ^[Yy]$ ]]
+ then
+ sgdisk --zap-all "$DISK"
+ fi
+
+ pprint "Creating boot (EFI) partition"
+ sgdisk -n1:1MiB:+512MiB -t1:EF00 "$DISK"
+ EFI="$DISK-part1"
+
+ pprint "Creating boot (ZFS) partition"
+ if [[ "$USE_ECNRYPTION" = true ]]
+ then
+ sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:8309 "$DISK"
+ else
+ sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:BF00 "$DISK"
+ fi
+ BOOT="$DISK-part2"
+
+ if [[ "$USE_SWAP" = true ]]
+ then
+ pprint "Creating SWAP partition"
+ sgdisk -n4:0:+$SWAP_SIZE -t4:8200 "$DISK"
+ fi
+
+ if [[ "$USE_ECNRYPTION" = true ]]
+ then
+ pprint "Creating LUKS partition"
+ sgdisk -n3:0:0 -t3:8309 "$DISK"
+ else
+ pprint "Creating ROOT partition"
+ sgdisk -n3:0:0 -t3:BF00 "$DISK"
+ fi
+ ROOT="$DISK-part3"
+
+ partprobe "$DISK"
+ sleep 1
+
+ pprint "Format EFI partition $EFI"
+ mkfs.vfat -n EFI "$EFI"
+}
+
+### INSTALLATION BEGIN ###
+create_new_part_table
+
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+ dd if=/dev/urandom of=./keyfile0.bin bs=1024 count=4
+
+ pprint "Creating LUKS container on $BOOT"
+ clean_stdin
+ cryptsetup --type luks2 --pbkdf argon2id --iter-time $ITER_TIME -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$BOOT"
+ clean_stdin
+ pprint "Add keyfile to LUKS container on $BOOT"
+ cryptsetup luksAddKey $BOOT keyfile0.bin
+
+ pprint "Open LUKS container on $BOOT"
+ cryptsetup luksOpen --allow-discards "$BOOT" "$BOOT_DEVICE_NAME" -d keyfile0.bin
+
+ pprint "Creating LUKS container on $ROOT"
+ clean_stdin
+ cryptsetup --type luks2 --pbkdf argon2id --iter-time $ITER_TIME -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$ROOT"
+ clean_stdin
+ pprint "Add keyfile to LUKS container on $ROOT"
+ cryptsetup luksAddKey $ROOT keyfile0.bin
+
+ pprint "Open LUKS container on $ROOT"
+ cryptsetup luksOpen --allow-discards "$ROOT" "$LUKS_DEVICE_NAME" -d keyfile0.bin
+
+ BOOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$BOOT_DEVICE_NAME)"
+ # BOOT_POOL="$BOOT"
+ ROOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$LUKS_DEVICE_NAME)"
+else
+ BOOT_POOL="$BOOT"
+ ROOT_POOL="$ROOT"
+fi
+
+pprint "Create ZFS root pool on $ROOT_POOL"
+zpool create \
+ -f \
+ -o ashift=12 \
+ -o autotrim=on \
+ -O acltype=posixacl \
+ -O atime=on \
+ -O canmount=off \
+ -O compression=zstd \
+ -O dnodesize=auto \
+ -O normalization=formD \
+ -O relatime=on \
+ -O xattr=sa \
+ -O dedup=off \
+ -O mountpoint=/ \
+ -R /mnt \
+ rpool "$ROOT_POOL"
+
+pprint "Create ZFS root datasets"
+
+zfs create -o refreservation=$ROOT_RESERVATION -o canmount=off -o mountpoint=none rpool/reserved
+# top level datasets
+zfs create -o canmount=off -o mountpoint=none rpool/nixos
+zfs create -o canmount=off -o mountpoint=none rpool/user
+zfs create -o canmount=off -o mountpoint=none rpool/persistent
+# empty root
+zfs create -o canmount=noauto -o mountpoint=/ rpool/nixos/root
+zfs mount rpool/nixos/root
+zfs create -o canmount=on -o mountpoint=/home rpool/user/home
+# persistent across boots
+zfs create -o canmount=on -o mountpoint=$PERSIST_ROOT rpool/persistent/impermanence
+if [[ "$PERSIST_MODULE" = true ]]; then
+ mkdir -p /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
+ chown 1000:100 /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
+ chmod 755 /mnt$PERSIST_ROOT/home/$MAINUSER_NAME
+fi
+zfs create -o canmount=on -o mountpoint=/srv rpool/persistent/servers
+zfs create -o canmount=on -o mountpoint=/etc/secrets rpool/persistent/secrets
+zfs create -o canmount=on -o mountpoint=/nix rpool/persistent/nix
+zfs create -o canmount=on -o mountpoint=/var/log rpool/persistent/log
+zfs create -o canmount=noauto -o atime=off rpool/persistent/lxd
+zfs create -o canmount=on -o mountpoint=/var/lib/docker -o atime=off rpool/persistent/docker
+zfs create -o canmount=on -o mountpoint=/media/bittorrent -o atime=off -o recordsize=256K rpool/persistent/bittorrent
+zfs create -o canmount=on -o mountpoint=/media/libvirt -o atime=off -o recordsize=64K rpool/persistent/libvirt
+
+# Create empty zfs snapshots
+zfs snapshot rpool/nixos@empty
+zfs snapshot rpool/nixos/root@empty
+zfs snapshot rpool/user@empty
+zfs snapshot rpool/user/home@empty
+zfs snapshot rpool/persistent@empty
+zfs snapshot rpool/persistent/impermanence@empty
+zfs snapshot rpool/persistent/servers@empty
+zfs snapshot rpool/persistent/secrets@empty
+zfs snapshot rpool/persistent/nix@empty
+zfs snapshot rpool/persistent/log@empty
+zfs snapshot rpool/persistent/lxd@empty
+zfs snapshot rpool/persistent/docker@empty
+zfs snapshot rpool/persistent/bittorrent@empty
+zfs snapshot rpool/persistent/libvirt@empty
+
+
+pprint "Create ZFS boot pool on $BOOT_POOL"
+zpool create \
+ -f \
+ -o compatibility=grub2 \
+ -o ashift=12 \
+ -o autotrim=on \
+ -O acltype=posixacl \
+ -O atime=on \
+ -O canmount=off \
+ -O compression=lz4 \
+ -O devices=off \
+ -O normalization=formD \
+ -O relatime=on \
+ -O xattr=sa \
+ -O dedup=off \
+ -O mountpoint=/boot \
+ -R /mnt \
+ bpool "$BOOT_POOL"
+
+pprint "Create ZFS boot datasets"
+
+zfs create -o refreservation=$BOOT_RESERVATION -o canmount=off -o mountpoint=none bpool/reserved
+zfs create -o canmount=off -o mountpoint=none bpool/nixos
+zfs create -o canmount=on -o mountpoint=/boot bpool/nixos/boot
+
+zfs snapshot bpool/nixos@empty
+zfs snapshot bpool/nixos/boot@empty
+
+# Disable cache, stale cache will prevent system from booting
+if [[ "$PERSIST_MODULE" = true ]]; then
+ mkdir -p /mnt"$PERSIST_ROOT"/etc/zfs/
+ rm -f /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
+ touch /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
+ chmod a-w /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
+ chattr +i /mnt"$PERSIST_ROOT"/etc/zfs/zpool.cache
+else
+ mkdir -p /mnt/etc/zfs/
+ rm -f /mnt/etc/zfs/zpool.cache
+ touch /mnt/etc/zfs/zpool.cache
+ chmod a-w /mnt/etc/zfs/zpool.cache
+ chattr +i /mnt/etc/zfs/zpool.cache
+fi
+
+mkdir -p /mnt/boot/efi
+mount -t vfat "$EFI" /mnt/boot/efi
+
+if [[ "$USE_SWAP" = true ]]; then
+ SWAP="$DISK-part4"
+ mkswap -L swap -f "$SWAP"
+fi
+
+pprint "Generate NixOS configuration"
+[[ -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix ]] && CONFIG_EXISTS=true
+nixos-generate-config --root /mnt --dir $CONFIG_FOLDER/machines/$DEVICE_NAME
+[[ -z "$CONFIG_EXISTS" ]] && rm -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix
+
+HOSTID=$(head -c8 /etc/machine-id)
+
+BOOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$BOOT")
+ROOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$ROOT")
+[[ ! -z "$SWAP" ]] && SWAP_PARTUUID=$(blkid --match-tag PARTUUID --output value "$SWAP")
+
+HARDWARE_CONFIG=$(mktemp)
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+cat < "$HARDWARE_CONFIG"
+ networking.hostId = "$HOSTID";
+ boot.zfs.devNodes = "$DISK_DEV_NODES";
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.initrd.luks.devices."$BOOT_DEVICE_NAME".device = "/dev/disk/by-partuuid/$BOOT_PARTUUID";
+ boot.initrd.luks.devices."$LUKS_DEVICE_NAME".device = "/dev/disk/by-partuuid/$ROOT_PARTUUID";
+CONFIG
+else
+cat < "$HARDWARE_CONFIG"
+ networking.hostId = "$HOSTID";
+ boot.zfs.devNodes = "$DISK_DEV_NODES";
+ boot.supportedFilesystems = [ "zfs" ];
+CONFIG
+fi
+
+pprint "Append ZFS configuration to hardware-configuration.nix"
+sed -i "\$e cat $HARDWARE_CONFIG" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+sed -i 's|fsType = "zfs";|fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];|g' $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+if [[ ! -z "$SWAP" ]]; then
+ sed -i "s|swapDevices = \[ \];|swapDevices = \[\n {\n device = \"/dev/disk/by-partuuid/$SWAP_PARTUUID\";\n randomEncryption.enable = true;\n randomEncryption.allowDiscards = true;\n }\n \];|" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+fi
+chown 1000:100 $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+git add -A
+
+pprint "Copy config to destination system"
+mkdir -p /mnt/home/"$MAINUSER_NAME"/nixos-config
+cp -aT $CONFIG_FOLDER /mnt/home/"$MAINUSER_NAME"/nixos-config
+
+pprint "Gen ssh host key for initrd"
+ssh-keygen -t ed25519 -N "" -f /mnt/etc/secrets/ssh_host_key
+chown root:root /mnt/etc/secrets/ssh_host_key
+chmod 600 /mnt/etc/secrets/ssh_host_key
+
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+ cp keyfile0.bin /mnt/etc/secrets/keyfile0.bin
+ chmod 000 /mnt/etc/secrets/keyfile*.bin
+fi
+
+clean_stdin
+read -s -p "> Do you want to execute nixos-install command?" -n 1 -r
+echo
+if [[ "$REPLY" =~ ^[Yy]$ ]]
+then
+ nixos-install --flake "../#$DEVICE_NAME" --root /mnt --no-root-passwd --max-jobs $MAX_JOBS
+fi
+
+umount -Rl /mnt && \
+zpool export -a && \
+cryptsetup luksClose $BOOT_DEVICE_NAME && \
+cryptsetup luksClose $LUKS_DEVICE_NAME
diff --git a/install/install-zfs-nonenc-boot.sh b/install/install-zfs-nonenc-boot.sh
new file mode 100755
index 0000000..0dbba54
--- /dev/null
+++ b/install/install-zfs-nonenc-boot.sh
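Review bot: The LUKS keyfile produced by `dd if=/dev/urandom of=./keyfile0.bin` is written into the current directory, which `CONFIG_FOLDER="$(dirname "$(pwd)")"` places inside the config tree, so the later `git add -A` stages it unless an ignore rule happens to exclude it, and `cp -aT $CONFIG_FOLDER /mnt/home/"$MAINUSER_NAME"/nixos-config` leaves a second, user-owned copy of the disk-unlock key on the installed system; the file is also created under the default umask and is never removed. Generate it outside the tree instead, e.g. `KEYDIR=$(mktemp -d)` and `dd if=/dev/urandom of="$KEYDIR/keyfile0.bin" bs=1024 count=4`, `shred -u -- "$KEYDIR/keyfile0.bin"` once it has been copied into /mnt/etc/secrets, and narrow the staging to `git -C "$CONFIG_FOLDER" add -- "machines/$DEVICE_NAME"`. `select ENTRY in $(ls $DISK_DEV_NODES)` word-splits `ls` output and every `$CONFIG_FOLDER/machines/$DEVICE_NAME/...` path is unquoted, so a space in either aborts the run under `set -e` after the disk has already been repartitioned. The `cat < "$HARDWARE_CONFIG"` lines followed by a bare `CONFIG` terminator look like a heredoc whose `<<CONFIG >` redirect was lost in rendering; if the file really reads `cat < "$HARDWARE_CONFIG"`, it reads the empty temp file and the following `sed -i "\$e cat $HARDWARE_CONFIG"` appends nothing, so the host id and LUKS device entries never reach hardware-configuration.nix.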
@@ -0,0 +1,275 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p gptfdisk parted git
+
+set -e
+
+CONFIG_FOLDER="$(dirname "$(pwd)")"
+LUKS_DEVICE_NAME=cryptroot
+DEVICE_NAME=Hypervisor-VM
+# IS_VM=true
+MAX_JOBS=2
+USE_SWAP=true
+BOOT_POOL_SIZE=4GiB
+SWAP_SIZE=1GiB
+BOOT_RESERVATION=128M
+ROOT_RESERVATION=1G
+USE_ECNRYPTION=true
+
+
+if [[ "$IS_VM" = true ]]; then
+ DISK_DEV_NODES="/dev/disk/by-path"
+else
+ DISK_DEV_NODES="/dev/disk/by-id"
+fi
+
+clean_stdin() {
+ while read -r -t 0; do read -r; done
+}
+
+pprint () {
+ local cyan="\e[96m"
+ local default="\e[39m"
+ local timestamp
+ timestamp=$(date +%FT%T.%3NZ)
+ echo -e "${cyan}${timestamp} $1${default}" 1>&2
+}
+
+# Create new partitions
+create_new_part_table() {
+ select ENTRY in $(ls $DISK_DEV_NODES);
+ do
+ DISK="$DISK_DEV_NODES/$ENTRY"
+ echo "Installing system on $ENTRY"
+ break
+ done
+
+ read -s -p "> Do you want to wipe all data on $ENTRY ?" -n 1 -r
+ echo
+ if [[ "$REPLY" =~ ^[Yy]$ ]]
+ then
+ sgdisk --zap-all "$DISK"
+ fi
+
+ pprint "Creating boot (EFI) partition"
+ sgdisk -n1:1MiB:+512MiB -t1:EF00 "$DISK"
+ EFI="$DISK-part1"
+
+ pprint "Creating boot (ZFS) partition"
+ sgdisk -n2:0:+$BOOT_POOL_SIZE -t2:BF00 "$DISK"
+ BOOT="$DISK-part2"
+
+ if [[ "$USE_SWAP" = true ]]
+ then
+ pprint "Creating SWAP partition"
+ sgdisk -n4:0:+$SWAP_SIZE -t4:8200 "$DISK"
+ fi
+
+ if [[ "$USE_ECNRYPTION" = true ]]
+ then
+ pprint "Creating LUKS partition"
+ sgdisk -n3:0:0 -t3:8309 "$DISK"
+ else
+ pprint "Creating ROOT partition"
+ sgdisk -n3:0:0 -t3:BF00 "$DISK"
+ fi
+ ROOT="$DISK-part3"
+
+ partprobe "$DISK"
+ sleep 1
+
+ pprint "Format EFI partition $EFI"
+ mkfs.vfat -n EFI "$EFI"
+}
+
+### INSTALLATION BEGIN ###
+create_new_part_table
+
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+ dd if=/dev/urandom of=./keyfile0.bin bs=4096 count=4
+
+ pprint "Creating LUKS container on $ROOT"
+ clean_stdin
+ cryptsetup --type luks2 --pbkdf argon2id -i 20 -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$ROOT"
+ clean_stdin
+ pprint "Add keyfile to LUKS container on $ROOT"
+ cryptsetup luksAddKey $ROOT keyfile0.bin
+
+ pprint "Open LUKS container on $ROOT"
+ cryptsetup luksOpen --allow-discards "$ROOT" "$LUKS_DEVICE_NAME" -d keyfile0.bin
+
+ BOOT_POOL="$BOOT"
+ ROOT_POOL="$(ls /dev/disk/by-id/dm-uuid-*$LUKS_DEVICE_NAME)"
+else
+ BOOT_POOL="$BOOT"
+ ROOT_POOL="$ROOT"
+fi
+
+pprint "Create ZFS root pool on $ROOT_POOL"
+zpool create \
+ -f \
+ -o ashift=12 \
+ -o autotrim=on \
+ -O acltype=posixacl \
+ -O atime=on \
+ -O canmount=off \
+ -O compression=zstd \
+ -O dnodesize=auto \
+ -O normalization=formD \
+ -O relatime=on \
+ -O xattr=sa \
+ -O dedup=off \
+ -O mountpoint=/ \
+ -R /mnt \
+ rpool "$ROOT_POOL"
+
+pprint "Create ZFS root datasets"
+
+zfs create -o refreservation=$ROOT_RESERVATION -o canmount=off -o mountpoint=none rpool/reserved
+# top level datasets
+zfs create -o canmount=off -o mountpoint=none rpool/nixos
+zfs create -o canmount=off -o mountpoint=none rpool/user
+zfs create -o canmount=off -o mountpoint=none rpool/persistent
+# empty root
+zfs create -o canmount=noauto -o mountpoint=/ rpool/nixos/root
+zfs mount rpool/nixos/root
+zfs create -o canmount=on -o mountpoint=/home rpool/user/home
+# persistent across boots
+zfs create -o canmount=on -o mountpoint=/persistent rpool/persistent/impermanence
+zfs create -o canmount=on -o mountpoint=/etc/secrets rpool/persistent/secrets
+zfs create -o canmount=on -o mountpoint=/nix rpool/persistent/nix
+# zfs create -o canmount=on -o mountpoint=/boot rpool/persistent/boot
+zfs create -o canmount=on -o mountpoint=/var/log rpool/persistent/log
+zfs create -o canmount=noauto -o atime=off rpool/persistent/lxd
+zfs create -o canmount=on -o mountpoint=/var/lib/docker -o atime=off rpool/persistent/docker
+zfs create -o canmount=on -o mountpoint=/media/bittorrent -o atime=off -o recordsize=256K rpool/persistent/bittorrent
+zfs create -o canmount=on -o mountpoint=/media/libvirt -o atime=off -o recordsize=64K rpool/persistent/libvirt
+
+# Create empty zfs snapshots
+zfs snapshot rpool/nixos@empty
+zfs snapshot rpool/nixos/root@empty
+zfs snapshot rpool/user@empty
+zfs snapshot rpool/user/home@empty
+
+pprint "Create ZFS boot pool on $BOOT_POOL"
+zpool create \
+ -f \
+ -o compatibility=grub2 \
+ -o ashift=12 \
+ -o autotrim=on \
+ -O acltype=posixacl \
+ -O atime=on \
+ -O canmount=off \
+ -O compression=lz4 \
+ -O devices=off \
+ -O normalization=formD \
+ -O relatime=on \
+ -O xattr=sa \
+ -O dedup=off \
+ -O mountpoint=/boot \
+ -R /mnt \
+ bpool "$BOOT_POOL"
+
+# zpool create \
+# -f \
+# -o ashift=12 \
+# -o autotrim=on \
+# -O acltype=posixacl \
+# -O atime=on \
+# -O canmount=off \
+# -O compression=zstd \
+# -O dnodesize=auto \
+# -O normalization=formD \
+# -O relatime=on \
+# -O xattr=sa \
+# -O dedup=off \
+# -O mountpoint=/boot \
+# -R /mnt \
+# bpool "$BOOT_POOL"
+
+pprint "Create ZFS boot datasets"
+
+zfs create -o refreservation=$BOOT_RESERVATION -o canmount=off -o mountpoint=none bpool/reserved
+zfs create -o canmount=off -o mountpoint=none bpool/nixos
+zfs create -o canmount=on -o mountpoint=/boot bpool/nixos/boot
+
+zfs snapshot bpool/nixos@empty
+zfs snapshot bpool/nixos/boot@empty
+
+# Disable cache, stale cache will prevent system from booting
+mkdir -p /mnt/etc/zfs/
+rm -f /mnt/etc/zfs/zpool.cache
+touch /mnt/etc/zfs/zpool.cache
+chmod a-w /mnt/etc/zfs/zpool.cache
+chattr +i /mnt/etc/zfs/zpool.cache
+
+mkdir -p /mnt/boot/efi
+mount -t vfat "$EFI" /mnt/boot/efi
+
+if [[ "$USE_SWAP" = true ]]; then
+ SWAP="$DISK-part4"
+ mkswap -L swap -f "$SWAP"
+fi
+
+pprint "Generate NixOS configuration"
+[[ -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix ]] && CONFIG_EXISTS=true
+nixos-generate-config --root /mnt --dir $CONFIG_FOLDER/machines/$DEVICE_NAME
+[[ -z "$CONFIG_EXISTS" ]] && rm -f $CONFIG_FOLDER/machines/$DEVICE_NAME/configuration.nix
+
+HOSTID=$(head -c8 /etc/machine-id)
+
+ROOT_PARTUUID=$(blkid --match-tag PARTUUID --output value "$ROOT")
+[[ ! -z "$SWAP" ]] && SWAP_PARTUUID=$(blkid --match-tag PARTUUID --output value "$SWAP")
+
+HARDWARE_CONFIG=$(mktemp)
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+cat < "$HARDWARE_CONFIG"
+ networking.hostId = "$HOSTID";
+ boot.zfs.devNodes = "$DISK_DEV_NODES";
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.initrd.luks.devices."$LUKS_DEVICE_NAME".device = "/dev/disk/by-partuuid/$ROOT_PARTUUID";
+CONFIG
+else
+cat < "$HARDWARE_CONFIG"
+ networking.hostId = "$HOSTID";
+ boot.zfs.devNodes = "$DISK_DEV_NODES";
+ boot.supportedFilesystems = [ "zfs" ];
+CONFIG
+fi
+
+pprint "Append ZFS configuration to hardware-configuration.nix"
+sed -i "\$e cat $HARDWARE_CONFIG" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+sed -i 's|fsType = "zfs";|fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];|g' $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+if [[ ! -z "$SWAP" ]]; then
+ sed -i "s|swapDevices = \[ \];|swapDevices = \[\n {\n device = \"/dev/disk/by-partuuid/$SWAP_PARTUUID\";\n randomEncryption.enable = true;\n randomEncryption.allowDiscards = true;\n }\n \];|" $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+fi
+chown 1000:100 $CONFIG_FOLDER/machines/$DEVICE_NAME/hardware-configuration.nix
+git add -A
+
+pprint "Copy config to destination system"
+mkdir -p /mnt/home/alukard/nixos-config
+cp -aT $CONFIG_FOLDER /mnt/home/alukard/nixos-config
+
+pprint "Gen ssh host key for initrd"
+ssh-keygen -t ed25519 -N "" -f /mnt/etc/secrets/ssh_host_key
+chown root:root /mnt/etc/secrets/ssh_host_key
+chmod 600 /mnt/etc/secrets/ssh_host_key
+
+if [[ "$USE_ECNRYPTION" = true ]]
+then
+ cp keyfile0.bin /mnt/etc/secrets/keyfile0.bin
+ chmod 000 /mnt/etc/secrets/keyfile*.bin
+fi
+
+clean_stdin
+read -s -p "> Do you want to execute nixos-install command?" -n 1 -r
-n 1 -r +echo +if [[ "$REPLY" =~ ^[Yy]$ ]] +then + nixos-install --flake "../#$DEVICE_NAME" --root /mnt --max-jobs $MAX_JOBS --no-root-passwd +fi + +umount -Rl /mnt && \ +zpool export -a && \ +cryptsetup luksClose $LUKS_DEVICE_NAME diff --git a/machines/Flakes-ISO/default.nix b/machines/Flakes-ISO/default.nix index fe20b09..0005734 100644 --- a/machines/Flakes-ISO/default.nix +++ b/machines/Flakes-ISO/default.nix @@ -3,15 +3,42 @@ "${toString modulesPath}/installer/cd-dvd/installation-cd-graphical-plasma5.nix" ]; - environment.systemPackages = [ pkgs.git ]; - nix = { - nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ]; - registry.self.flake = inputs.self; - registry.nixpkgs.flake = inputs.nixpkgs; - extraOptions = '' - experimental-features = nix-command flakes - ''; + options = { + device = lib.mkOption { type = lib.types.str; }; + }; + + config = { + networking.hostName = "Flakes-ISO"; + + programs.ssh.extraConfig = '' + Host nix-builder + hostname 192.168.0.100 + user ${config.mainuser} + identitiesOnly yes + identityFile /home/nixos/ssh-builder + ''; + + environment.systemPackages = [ pkgs.git ]; + nix = { + nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ]; + registry.self.flake = inputs.self; + registry.nixpkgs.flake = inputs.nixpkgs; + extraOptions = '' + builders-use-substitutes = true + experimental-features = nix-command flakes + flake-registry = ${inputs.flake-registry}/flake-registry.json + ''; + buildMachines = [{ + hostName = "nix-builder"; + maxJobs = 8; + sshUser = config.mainuser; + sshKey = "/home/nixos/ssh-builder"; + systems = [ "x86_64-linux" "i686-linux" ]; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + }]; + distributedBuilds = true; + }; + environment.etc.nixpkgs.source = inputs.nixpkgs; + environment.etc.self.source = inputs.self; }; - environment.etc.nixpkgs.source = inputs.nixpkgs; - environment.etc.self.source = inputs.self; } \ No newline at end of file 
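Review bot: `cryptsetup --type luks2 --pbkdf argon2id -i 20 ... luksFormat "$ROOT"` sets a 20 ms iteration time for the passphrase keyslot, a hundredth of the `--iter-time 2000` the companion install-zfs-enc-boot.sh uses, which makes that passphrase slot correspondingly cheaper to attack offline if the disk is lost; unless this is deliberate for a throwaway VM, define `ITER_TIME=2000` with the other settings and pass `--iter-time $ITER_TIME` here as well. The keyfile handling shares the defect raised on install-zfs-enc-boot.sh: `dd if=/dev/urandom of=./keyfile0.bin` writes into the config tree, `git add -A` stages it and `cp -aT $CONFIG_FOLDER /mnt/home/alukard/nixos-config` copies it onto the target, so the mktemp-dir / shred / narrower `git add` fix applies here too. This copy also hard-codes `alukard` where the other script uses `$MAINUSER_NAME`, and the `boot.nix` added in this commit still declares a `cryptboot` LUKS device whose `.device` only the other script writes into hardware-configuration.nix, so a Hypervisor-VM installed with this script would presumably not evaluate as-is; a header comment naming which machine configs this unencrypted-boot variant pairs with would prevent that mismatch.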
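Review bot: The new `programs.ssh.extraConfig` block points `nix-builder` at `192.168.0.100` and the `buildMachines` entry ships every distributed build there over `sshKey = "/home/nixos/ssh-builder"`, but no host key is pinned, so on a freshly booted ISO the builder's identity is accepted on first use; a `programs.ssh.knownHosts."nix-builder" = { hostNames = [ "192.168.0.100" ]; publicKey = "<builder-host-key>"; };` entry beside it closes that gap. The `options.device = lib.mkOption { type = lib.types.str; };` declaration has neither a `description` nor a default, so `nixos-option` and the next reader get nothing; add e.g. `description = "Name of the machine this ISO is used to install";` (or whatever the value actually selects). `builders-use-substitutes = true` is also worth a one-line comment, since it changes where inputs are fetched from rather than just where builds run.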
diff --git a/machines/Hypervisor-VM/boot.nix b/machines/Hypervisor-VM/boot.nix
new file mode 100644
index 0000000..b1c77c5
--- /dev/null
+++ b/machines/Hypervisor-VM/boot.nix
@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ... }:
+let
+ zfs_arc_max = toString (1 * 1024 * 1024 * 1024);
+in {
+ boot = {
+ zfs.forceImportAll = lib.mkForce false;
+ loader.efi.canTouchEfiVariables = false;
+ loader.efi.efiSysMountPoint = "/boot/efi";
+ loader.generationsDir.copyKernels = true;
+ loader.grub = {
+ enable = true;
+ device = "nodev";
+ version = 2;
+ efiSupport = true;
+ enableCryptodisk = true;
+ zfsSupport = true;
+ efiInstallAsRemovable = true;
+ copyKernels = true;
+ # # extraPrepareConfig = ''
+ # # '';
+ };
+ initrd = {
+ availableKernelModules = [ "tg3" ]; # for dell-laptop
+ # postMountCommands = ''
+ # '';
+ luks.devices = {
+ "cryptboot" = {
+ preLVM = true;
+ keyFile = "/keyfile0.bin";
+ allowDiscards = true;
+ bypassWorkqueues = config.deviceSpecific.isSSD;
+ fallbackToPassword = true;
+ # postOpenCommands = "";
+ # preOpenCommands = "";
+ };
+ "cryptroot" = {
+ preLVM = true;
+ keyFile = "/keyfile0.bin";
+ allowDiscards = true;
+ bypassWorkqueues = config.deviceSpecific.isSSD;
+ fallbackToPassword = true;
+ };
+ };
+ secrets = {
+ "keyfile0.bin" = "/etc/secrets/keyfile0.bin";
+ };
+ };
+ kernelPackages = pkgs.linuxPackages_hardened;
+ kernelModules = [ "tcp_bbr" ];
+ kernelParams = [
+ "zfs.zfs_arc_max=${zfs_arc_max}"
+ "zswap.enabled=0"
+ "quiet"
+ "scsi_mod.use_blk_mq=1"
+ "modeset"
+ "nofb"
+ "pti=off"
+ "spectre_v2=off"
+ "kvm.ignore_msrs=1"
+ "rd.systemd.show_status=auto"
+ "rd.udev.log_priority=3"
+ ];
+ kernel.sysctl = {
+ "kernel.sysrq" = false;
+ "net.core.default_qdisc" = "sch_fq_codel";
+ "net.ipv4.conf.all.accept_source_route" = false;
+ "net.ipv4.icmp_ignore_bogus_error_responses" = true;
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_rfc1337" = true;
+ "net.ipv4.tcp_syncookies" = true;
+ "net.ipv6.conf.all.accept_source_route" = false;
+ # disable ipv6
+ "net.ipv6.conf.all.disable_ipv6" = true;
+ "net.ipv6.conf.default.disable_ipv6" = true;
+ };
+ kernel.sysctl = {
+ "vm.swappiness"
= if config.deviceSpecific.isSSD then 1 else 10; + }; + cleanTmpDir = true; + }; +} \ No newline at end of file diff --git a/machines/Hypervisor-VM/default.nix b/machines/Hypervisor-VM/default.nix index 1c489f0..a794684 100644 --- a/machines/Hypervisor-VM/default.nix +++ b/machines/Hypervisor-VM/default.nix @@ -1,15 +1,46 @@ -{ modulesPath, inputs, lib, pkgs, config, options, ... }: -let - zfs_arc_max = toString (1 * 1024 * 1024 * 1024); -in { +{ modulesPath, inputs, lib, pkgs, config, options, ... }: { imports = with inputs.self; [ "${toString modulesPath}/profiles/hardened.nix" ./hardware-configuration.nix + ./boot.nix + # ./persistent.nix nixosRoles.hypervisor nixosProfiles.direnv + nixosModules.persist ]; + fileSystems = { + "/home/alukard/conf" = { + fsType = "virtiofs"; + device = "viofs"; + options = [ + "defaults" + "nofail" + ]; + }; + }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + memoryPercent = 80; + numDevices = 1; + }; + + # Impermanence + persist = { + enable = true; + cache.clean.enable = true; + state.files = [ "/etc/machine-id" ]; + }; + fileSystems."/home".neededForBoot = true; + fileSystems."/persistent".neededForBoot = true; + boot.initrd.postDeviceCommands = lib.mkAfter '' + zfs rollback -r rpool/nixos/root@empty + zfs rollback -r rpool/user/home@empty + ''; + # build hell environment.noXlibs = lib.mkForce false; # minimal profile 
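Review bot: `kernelParams` carries `pti=off` and `spectre_v2=off` into the new file with no comment, and on this machine — which `default.nix` builds with the hardened profile, `linuxPackages_hardened` and `deviceSpecific.enableVirtualisation = true` — those two flags switch off the kernel's Meltdown and Spectre-v2 mitigations, i.e. the protections that keep userspace and guest code from reading across the kernel boundary. If the trade-off is intended, record it next to the flags, e.g. `# NOTE: pti/spectre_v2 mitigations disabled (presumably for performance); guests on this host lose that kernel-side isolation`; otherwise drop the two entries. `kernel.sysctl` is also written twice in the same attribute set (the networking block and the later `"vm.swappiness"` block); Nix merges the two literals, but folding `"vm.swappiness"` into the first set reads more clearly. Finally, `availableKernelModules = [ "tg3" ]; # for dell-laptop` names a Dell laptop NIC driver in a file for Hypervisor-VM, so either the module or the comment is stale.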
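Review bot: The new `boot.initrd.postDeviceCommands` runs `zfs rollback -r rpool/nixos/root@empty` and `zfs rollback -r rpool/user/home@empty` on every boot, and the second one discards everything under /home that the `persist` module does not relocate, which neither the hunk nor the `persist = { ... }` block states; a comment above it such as `# Impermanence: / and /home are reset to their @empty snapshots on every boot — anything to keep must be listed in persist.* or live under /persistent` would warn the next editor before they lose data. The same rollback empties /home before the new virtiofs entry at `"/home/alukard/conf"` is mounted, and that entry carries `"defaults" "nofail"` rather than the `"X-mount.mkdir"` the zfs mounts in hardware-configuration.nix use, so unless the persist module recreates the directory first the mount is silently skipped rather than created — worth confirming. The enclosing module body continues outside this hunk.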
@@ -21,88 +52,7 @@ in { xdg.sounds.enable = lib.mkForce false; services.udisks2.enable = lib.mkForce false; - # boot - boot = { - zfs.forceImportAll = lib.mkForce false; - loader.efi.canTouchEfiVariables = false; - loader.efi.efiSysMountPoint = "/boot/efi"; - loader.systemd-boot.enable = false; - loader.generationsDir.copyKernels = true; - loader.grub = { - enable = true; - device = "nodev"; - version = 2; - efiSupport = true; - enableCryptodisk = true; - zfsSupport = true; - efiInstallAsRemovable = true; - copyKernels = true; - # extraPrepareConfig = '' - # ''; - }; - initrd = { - supportedFilesystems = [ "zfs" ]; - luks.devices = { - "cryptboot" = { - preLVM = true; - keyFile = "/keyfile0.bin"; - allowDiscards = true; - bypassWorkqueues = config.deviceSpecific.isSSD; - fallbackToPassword = true; - # postOpenCommands = ""; - # preOpenCommands = ""; - }; - "cryptroot" = { - preLVM = true; - keyFile = "/keyfile0.bin"; - allowDiscards = true; - bypassWorkqueues = config.deviceSpecific.isSSD; - fallbackToPassword = true; - }; - }; - secrets = { - "keyfile0.bin" = "/etc/secrets/keyfile0.bin"; - }; - }; - kernelPackages = pkgs.linuxPackages_hardened; - kernelModules = [ "tcp_bbr" ]; - kernelParams = [ - "zfs.zfs_arc_max=${zfs_arc_max}" - "zswap.enabled=0" - "quiet" - "scsi_mod.use_blk_mq=1" - "modeset" - "nofb" - "pti=off" - "spectre_v2=off" - "kvm.ignore_msrs=1" - "rd.systemd.show_status=auto" - "rd.udev.log_priority=3" - ]; - kernel.sysctl = { - "kernel.sysrq" = false; - "net.core.default_qdisc" = "sch_fq_codel"; - "net.ipv4.conf.all.accept_source_route" = false; - "net.ipv4.icmp_ignore_bogus_error_responses" = true; - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.ipv4.tcp_fastopen" = 3; - "net.ipv4.tcp_rfc1337" = true; - "net.ipv4.tcp_syncookies" = true; - "net.ipv6.conf.all.accept_source_route" = false; - # disable ipv6 - "net.ipv6.conf.all.disable_ipv6" = true; - "net.ipv6.conf.default.disable_ipv6" = true; - }; - kernel.sysctl = { - "vm.swappiness" = 1; - }; - 
cleanTmpDir = true; - }; - # security.polkit.enable = true; - # system.nssModules = lib.mkForce [ ]; - - # services.nscd.enable = false; deviceSpecific.devInfo = { cpu = { @@ -120,13 +70,18 @@ in { }; bigScreen = false; ram = 12; + fileSystem = "zfs"; }; deviceSpecific.enableVirtualisation = true; deviceSpecific.wireguard.enable = false; deviceSpecific.isServer = true; - services.zfs.autoScrub.enable = true; - services.zfs.autoScrub.interval = "daily"; + services.zfs = { + autoScrub.enable = true; + autoScrub.interval = "daily"; + trim.enable = true; + trim.interval = "weekly"; + }; # hardened networking.firewall.enable = true; diff --git a/machines/Hypervisor-VM/hardware-configuration.nix b/machines/Hypervisor-VM/hardware-configuration.nix index 5060f84..ae5f6b0 100644 --- a/machines/Hypervisor-VM/hardware-configuration.nix +++ b/machines/Hypervisor-VM/hardware-configuration.nix @@ -28,6 +28,11 @@ fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; }; + fileSystems."/srv" = + { device = "rpool/persistent/servers"; + fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; + }; + fileSystems."/etc/secrets" = { device = "rpool/persistent/secrets"; fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; @@ -64,13 +69,13 @@ }; fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/D76A-09CE"; + { device = "/dev/disk/by-uuid/AFFE-0DF3"; fsType = "vfat"; }; swapDevices = [ { - device = "/dev/disk/by-partuuid/d92c3ab0-8205-49fb-99ab-abe98a943d39"; + device = "/dev/disk/by-partuuid/7e8f2ee1-0f2e-4b77-9c4d-916804573ef7"; randomEncryption.enable = true; randomEncryption.allowDiscards = true; } 
@@ -88,6 +93,6 @@ networking.hostId = "41d97526"; boot.zfs.devNodes = "/dev/disk/by-id"; boot.supportedFilesystems = [ "zfs" ]; - boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/45979da9-33b7-4c7a-8eaf-005e642a974d"; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/74d318d9-1349-4281-8bbd-82ac718f052c"; + boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/7df4b6a7-13a1-4600-806e-34d3aa1bfd93"; + boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/4c8631b2-c925-49ea-8861-84e3071e0557"; }