diff --git a/machines/AMD-Workstation/autoinstall.nix b/machines/AMD-Workstation/autoinstall.nix
new file mode 100644
index 0000000..b9d6d21
--- /dev/null
+++ b/machines/AMD-Workstation/autoinstall.nix
@@ -0,0 +1,20 @@
+{ ... }: {
+ autoinstall.AMD-Workstation = {
+ mainuser = "ataraxia";
+ flakesPath = "/home/nixos/nixos-config";
+ encryption.ecryptBoot = false;
+ encryption.ecryptRoot = true;
+ encryption.passwordFile = "/home/nixos/pass";
+ encryption.argonIterTime = "4000";
+ partitioning.useEntireDisk = true;
+ partitioning.disk = "/dev/disk/by-id/nvme-XPG_GAMMIX_S11_Pro_2K342L2BBNUY";
+ partitioning.nullifyDisk = false;
+ partitioning.emptySpace = "100GiB";
+ swapPartition.enable = true;
+ swapPartition.size = "16GiB";
+ zfsOpts.ashift = 13;
+ zfsOpts.bootPoolReservation = "256M";
+ zfsOpts.rootPoolReservation = "45G";
+ persist.enable = true;
+ };
+}
\ No newline at end of file
diff --git a/machines/Home-Hypervisor/autoinstall.nix b/machines/Home-Hypervisor/autoinstall.nix
index 8f68f3a..f7e4738 100644
--- a/machines/Home-Hypervisor/autoinstall.nix
+++ b/machines/Home-Hypervisor/autoinstall.nix
@@ -3,7 +3,8 @@
 debug = false;
 mainuser = "ataraxia";
 flakesPath = "/home/nixos/nixos-config";
- encryption.enable = true;
+ encryption.encryptBoot = true;
+ encryption.encryptRoot = true;
 encryption.passwordFile = "/home/nixos/pass";
 encryption.argonIterTime = "4000";
 partitioning.useEntireDisk = true;
diff --git a/modules/autoinstall/default.nix b/modules/autoinstall/default.nix
index 6c53f3b..9595b63 100644
--- a/modules/autoinstall/default.nix
+++ b/modules/autoinstall/default.nix
@@ -27,6 +27,11 @@ let
 default = "";
 description = "Path to the disk to wipe";
 };
+ emptySpace = mkOption {
+ type = types.str;
+ default = "0";
+ description = "Empty space at the end of the disk`";
+ };
 # partitions = mkOption {
 # type = types.nullOr attrsOf partitionsAttrs;
 # default = null;
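Review bot: `encryption.ecryptBoot` and `encryption.ecryptRoot` in the new AMD-Workstation config do not match the option names this same commit declares in modules/autoinstall/default.nix (`encryptBoot` / `encryptRoot`). How `options.autoinstall` is typed is not visible here; if it is a submodule this fails evaluation as an undeclared option, and if it is a loose attribute set the typo is silently ignored, `encryptRoot` keeps its default `false`, and the root pool is installed without LUKS despite the stated intent. Change the two lines to `encryption.encryptBoot = false;` and `encryption.encryptRoot = true;`.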
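Review bot: The `emptySpace` description carries a stray backtick and does not say what format the value takes, even though install.nix passes it verbatim to sgdisk as `-n5:-${cfg.emptySpace}:0`. Suggest `description = "Space to leave unallocated at the end of the disk, in sgdisk size notation (e.g. 100GiB); \"0\" disables";`.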
@@ -40,7 +45,7 @@ let
 };
 mainuser = mkOption {
 type = types.str;
- default = "alukard";
+ default = "ataraxia";
 description = "Name of the main user (used for creation of home folder)";
 };
 flakesPath = mkOption {
@@ -76,10 +81,15 @@ let
 };
 };
 encryption = {
- enable = mkOption {
+ encryptBoot = mkOption {
 type = types.bool;
 default = false;
- description = "Use luks full-disk encryption";
+ description = "Encrypt boot partition";
+ };
+ encryptRoot = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Encrypt boot partition";
 };
 argonIterTime = mkOption {
 type = types.str;
@@ -163,6 +173,14 @@ let
 };
 serviceConfig = { Type = "oneshot"; };
 };
+
+ # asserts = opt: [{
+ # assertion = opt.flakesPath != "";
+ # message = "flakesPath can't be empty";
+ # } {
+ # assertion = !(opt.encryption.enable && opt.encryption.passwordFile == "");
+ # message = "If you use encryption, you need to set path to password file";
+ # }];
 in {
 options.autoinstall = mkOption {
 default = {};
diff --git a/modules/autoinstall/install.nix b/modules/autoinstall/install.nix
index 03f0ad3..5696b83 100755
--- a/modules/autoinstall/install.nix
+++ b/modules/autoinstall/install.nix
@@ -9,9 +9,11 @@ with lib; let
 bootPartition = opt.partitioning.partitions.bootPartition or "0";
 rootPartition = opt.partitioning.partitions.rootPartition or "0";
 swapPartition = opt.partitioning.partitions.swapPartition or "0";
+ emptySpace = opt.partitioning.emptySpace or "0";
 debug = boolToString opt.debug;
 useSwap = boolToString opt.swapPartition.enable;
- useEncryption = boolToString opt.encryption.enable;
+ encryptRoot = boolToString opt.encryption.encryptRoot;
+ encryptBoot = boolToString opt.encryption.encryptBoot;
 swapSize = opt.swapPartition.size or "0";
 zfsAshift = toString opt.zfsOpts.ashift;
 usePersistModule = boolToString opt.persist.enable;
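Review bot: The `encryptRoot` option's description is copy-pasted from `encryptBoot` and reads `"Encrypt boot partition"`; it should be `description = "Encrypt root partition";`. Note also that `encryption.enable` is removed outright with no alias, so any machine config still setting it will stop evaluating (or be silently ignored, depending on the option type, which is outside this view); Home-Hypervisor is updated in this commit, other machines are not visible here.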
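Review bot: The commented-out `asserts` block added here still refers to `opt.encryption.enable`, which this very commit removes, so it would not evaluate if it were ever re-enabled. Since the shell-side `passwordFile` existence check in install.nix is fragile, an eval-time assertion is the better place to enforce it; if this block is kept, update it to `assertion = !((opt.encryption.encryptBoot || opt.encryption.encryptRoot) && opt.encryption.passwordFile == "");`.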
@@ -45,7 +47,8 @@ in '' bootSize="${cfg.bootSize}" rootSize="${cfg.rootSize}" swapSize="${cfg.swapSize}" - useEncryption="${cfg.useEncryption}" + encryptRoot="${cfg.encryptRoot}" + encryptBoot="${cfg.encryptBoot}" useSwap="${cfg.useSwap}" argonIterTime="${cfg.argonIterTime}" cryptRoot="${cfg.cryptRoot}" @@ -72,7 +75,7 @@ in '' exit 2 fi - if [ "${cfg.useEncryption}" = "true" && ! -f "${cfg.passwordFile}" ]; then + if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then pprint "passwordFile does not exists!" exit 2 fi @@ -121,20 +124,25 @@ in '' efiPart="$diskByID-part1" pprint "Creating boot (ZFS) partition" - if [ "${cfg.useEncryption}" = "true" ]; then + if [ "${cfg.encryptBoot}" = "true" ]; then sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID" else sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID" fi bootPart="$diskByID-part2" + if [ "${cfg.emptySpace}" != "0" ]; then + pprint "Creating temp empty partition at the end of the disk" + sgdisk -n5:-${cfg.emptySpace}:0 -t5:8300 "$diskByID" + fi + if [ "${cfg.useSwap}" = "true" ]; then pprint "Creating SWAP partition" sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID" swapPart="$diskByID-part4" fi - if [ "${cfg.useEncryption}" = "true" ]; then + if [ "${cfg.encryptRoot}" = "true" ]; then pprint "Creating LUKS partition" sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID" else @@ -143,6 +151,11 @@ in '' fi rootPart="$diskByID-part3" + if [ "${cfg.emptySpace}" != "0" ]; then + pprint "Remove temp partition" + sgdisk -d 5 -s "$diskByID" + fi + partprobe "$diskByID" sleep 1 
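Review bot: `if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then` does not test what it looks like: `||` and `&&` are shell list operators, not `[` operators, so the shell splits this into `[ "true" = "true"` (fails with missing `]`), a command literally named `true` or `false` (the Nix-interpolated value of `encryptRoot`), and `! -f …`. The password-file check therefore never runs as intended, and for the Home-Hypervisor config (both true) the branch is entered regardless of whether the file exists; the replaced line had the same problem with `&&`, so this is inherited, but the new line extends it. The same construction appears in the `@@ -158` and `@@ -354` hunks below. Use separate tests: `if { [ "${cfg.encryptBoot}" = "true" ] || [ "${cfg.encryptRoot}" = "true" ]; } && [ ! -f "${cfg.passwordFile}" ]; then` (and `if [ "${cfg.encryptBoot}" = "true" ] || [ "${cfg.encryptRoot}" = "true" ]; then` at the other two sites).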
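Review bot: `sgdisk -d 5 -s "$diskByID"` passes `-s` (`--sort`), which renumbers GPT entries by their on-disk position. In the `@@ -121` hunk the swap partition (`-n4`) is created before the root partition (`-n3`), so swap most likely sits physically ahead of root and, as far as I can tell from sgdisk's documented sort behaviour, the two would exchange numbers after the delete, while `rootPart="$diskByID-part3"` and `swapPart="$diskByID-part4"` were already computed above; LUKS/ZFS would then land on the swap slice and mkswap on the root slice. Deleting the placeholder needs no sort: `sgdisk -d 5 "$diskByID"`.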
@@ -158,28 +171,31 @@ in '' use_existing_part_table fi - if [ "${cfg.useEncryption}" = "true" ]; then + if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then password=$(cat ${cfg.passwordFile}) dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4 - pprint "Creating LUKS container on $bootPart" - echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" - - pprint "Add keyfile to LUKS container on $bootPart" - echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin - + if [ "${cfg.encryptBoot}" = "true" ]; then + pprint "Creating LUKS container on $bootPart" + echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" - + pprint "Add keyfile to LUKS container on $bootPart" + echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin - - pprint "Open LUKS container on $bootPart" - cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin + pprint "Open LUKS container on $bootPart" + cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin + bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})" + fi - pprint "Creating LUKS container on $rootPart" - echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" - - pprint "Add keyfile to LUKS container on $rootPart" - echo -n "$password" | cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin - + if [ "${cfg.encryptRoot}" = "true" ]; then + pprint "Creating LUKS container on $rootPart" + echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" - + pprint "Add keyfile to LUKS container on $rootPart" + echo -n "$password" | 
cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin - - pprint "Open LUKS container on $rootPart" - cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin - - bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})" - rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})" + pprint "Open LUKS container on $rootPart" + cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin + rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})" + fi else bootPool="$bootPart" rootPool="$rootPart" @@ -320,23 +336,22 @@ in '' hostID=$(head -c8 /etc/machine-id) hardwareConfig=$(mktemp) - if [ "${cfg.useEncryption}" = "true" ]; then - bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart") - rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart") - - cat < "$hardwareConfig" - networking.hostId = "$hostID"; - boot.zfs.devNodes = "/dev/disk/by-partuuid"; - boot.supportedFilesystems = [ "zfs" ]; - boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid"; - boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid"; - CONFIG - else cat < "$hardwareConfig" networking.hostId = "$hostID"; boot.zfs.devNodes = "/dev/disk/by-partuuid"; boot.supportedFilesystems = [ "zfs" ]; CONFIG + if [ "${cfg.encryptBoot}" = "true" ]; then + bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart") + cat <> "$hardwareConfig" + boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid"; + CONFIG + fi + if [ "${cfg.encryptRoot}" = "true" ]; then + rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart") + cat <> "$hardwareConfig" + boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid"; + CONFIG fi sed -i "\$e cat $hardwareConfig" ${cfg.flakesPath}/machines/${cfg.hostname}/hardware-configuration.nix 
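Review bot: With mixed settings (one of `encryptBoot`/`encryptRoot` true, the other false) the pool device for the unencrypted partition is never assigned: the outer `else` that sets `bootPool="$bootPart"` and `rootPool="$rootPart"` runs only when neither is encrypted, and the inner blocks assign only their own variable, so e.g. `encryptBoot=false, encryptRoot=true` leaves `bootPool` empty for the later `zpool create`. Give each inner block its own fallback — `else` / `bootPool="$bootPart"` / `fi` after the `encryptBoot` block and `else` / `rootPool="$rootPart"` / `fi` after the `encryptRoot` block — and drop the outer `else`. The outer `if` also uses `||` inside `[`, raised at the `@@ -72` hunk. The enclosing shell script continues beyond this hunk.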
@@ -354,7 +369,7 @@ in '' chown root:root /mnt/etc/secrets/ssh_host_key chmod 600 /mnt/etc/secrets/ssh_host_key - if [ "${cfg.useEncryption}" = "true" ]; then + if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin chmod 000 /mnt/etc/secrets/keyfile*.bin fi @@ -378,10 +393,8 @@ in '' umount -Rl /mnt zpool export -a - if [ "${cfg.useEncryption}" = "true" ]; then - cryptsetup luksClose ${cfg.cryptBoot} - cryptsetup luksClose ${cfg.cryptRoot} - fi + [ "${cfg.encryptBoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptBoot} + [ "${cfg.encryptRoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptRoot} if [ "${cfg.autoReboot}" = "true" ]; then if ! systemctl reboot --firmware-setup ; then