update autoinstall module

This commit is contained in:
Dmitriy Kholkin 2023-03-25 19:28:11 +03:00
parent 16b699d2d5
commit cd7d5989cd
4 changed files with 94 additions and 42 deletions


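--- /dev/null
+++ b/<file-1-path-not-shown-on-page>
@@ -0,0 +1,20 @@
+{ ... }: {
+autoinstall.AMD-Workstation = {
+mainuser = "ataraxia";
+flakesPath = "/home/nixos/nixos-config";
+encryption.ecryptBoot = false;
+encryption.ecryptRoot = true;
+encryption.passwordFile = "/home/nixos/pass";
+encryption.argonIterTime = "4000";
+partitioning.useEntireDisk = true;
+partitioning.disk = "/dev/disk/by-id/nvme-XPG_GAMMIX_S11_Pro_2K342L2BBNUY";
+partitioning.nullifyDisk = false;
+partitioning.emptySpace = "100GiB";
+swapPartition.enable = true;
+swapPartition.size = "16GiB";
+zfsOpts.ashift = 13;
+zfsOpts.bootPoolReservation = "256M";
+zfsOpts.rootPoolReservation = "45G";
+persist.enable = true;
+};
+}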
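Review bot: `encryption.ecryptBoot` and `encryption.ecryptRoot` (lines 5 and 6 of the new file) do not match the option names this same commit declares in the module, `encryptBoot` and `encryptRoot`; both are missing the `n`. If `options.autoinstall` is typed as a submodule the host fails to evaluate on the unknown names; if the attrset is merged loosely, the misspelled keys are ignored, `encryptRoot` keeps its `false` default and the host is installed with an unencrypted root even though `passwordFile` is set. Change the two lines to `encryption.encryptBoot = false;` and `encryption.encryptRoot = true;`.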


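--- a/<file-2-path-not-shown-on-page>
+++ b/<file-2-path-not-shown-on-page>
@@ -3,7 +3,8 @@
 debug = false;
 mainuser = "ataraxia";
 flakesPath = "/home/nixos/nixos-config";
-encryption.enable = true;
+encryption.encryptBoot = true;
+encryption.encryptRoot = true;
 encryption.passwordFile = "/home/nixos/pass";
 encryption.argonIterTime = "4000";
 partitioning.useEntireDisk = true;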


@ -27,6 +27,11 @@ let
default = ""; default = "";
description = "Path to the disk to wipe"; description = "Path to the disk to wipe";
}; };
emptySpace = mkOption {
type = types.str;
default = "0";
description = "Empty space at the end of the disk`";
};
# partitions = mkOption { # partitions = mkOption {
# type = types.nullOr attrsOf partitionsAttrs; # type = types.nullOr attrsOf partitionsAttrs;
# default = null; # default = null;
@ -40,7 +45,7 @@ let
}; };
mainuser = mkOption { mainuser = mkOption {
type = types.str; type = types.str;
default = "alukard"; default = "ataraxia";
description = "Name of the main user (used for creation of home folder)"; description = "Name of the main user (used for creation of home folder)";
}; };
flakesPath = mkOption { flakesPath = mkOption {
@ -76,10 +81,15 @@ let
}; };
}; };
encryption = { encryption = {
enable = mkOption { encryptBoot = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = "Use luks full-disk encryption"; description = "Encrypt boot partition";
};
encryptRoot = mkOption {
type = types.bool;
default = false;
description = "Encrypt boot partition";
}; };
argonIterTime = mkOption { argonIterTime = mkOption {
type = types.str; type = types.str;
@ -163,6 +173,14 @@ let
}; };
serviceConfig = { Type = "oneshot"; }; serviceConfig = { Type = "oneshot"; };
}; };
# asserts = opt: [{
# assertion = opt.flakesPath != "";
# message = "flakesPath can't be empty";
# } {
# assertion = !(opt.encryption.enable && opt.encryption.passwordFile == "");
# message = "If you use encryption, you need to set path to password file";
# }];
in { in {
options.autoinstall = mkOption { options.autoinstall = mkOption {
default = {}; default = {};
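Review bot: The `encryptRoot` option added in the third hunk (-76,10 +81,15) reuses the `encryptBoot` text, `description = "Encrypt boot partition";`, so the generated option documentation describes the wrong partition; change it to `description = "Encrypt root partition";`. The new `emptySpace` option in the first hunk has a stray backtick at the end of its description string, after `disk`, which should be dropped. The commented-out `asserts` block added in the last hunk still tests `opt.encryption.enable`, an option this commit removes, so it is stale before it lands; if it is meant to be wired into `config.assertions` later, write it against the new options as `assertion = !((opt.encryption.encryptBoot || opt.encryption.encryptRoot) && opt.encryption.passwordFile == "");` so an empty `passwordFile` with encryption requested is rejected at evaluation time instead of only by the installer script.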


@ -9,9 +9,11 @@ with lib; let
bootPartition = opt.partitioning.partitions.bootPartition or "0"; bootPartition = opt.partitioning.partitions.bootPartition or "0";
rootPartition = opt.partitioning.partitions.rootPartition or "0"; rootPartition = opt.partitioning.partitions.rootPartition or "0";
swapPartition = opt.partitioning.partitions.swapPartition or "0"; swapPartition = opt.partitioning.partitions.swapPartition or "0";
emptySpace = opt.partitioning.emptySpace or "0";
debug = boolToString opt.debug; debug = boolToString opt.debug;
useSwap = boolToString opt.swapPartition.enable; useSwap = boolToString opt.swapPartition.enable;
useEncryption = boolToString opt.encryption.enable; encryptRoot = boolToString opt.encryption.encryptRoot;
encryptBoot = boolToString opt.encryption.encryptBoot;
swapSize = opt.swapPartition.size or "0"; swapSize = opt.swapPartition.size or "0";
zfsAshift = toString opt.zfsOpts.ashift; zfsAshift = toString opt.zfsOpts.ashift;
usePersistModule = boolToString opt.persist.enable; usePersistModule = boolToString opt.persist.enable;
@ -45,7 +47,8 @@ in ''
bootSize="${cfg.bootSize}" bootSize="${cfg.bootSize}"
rootSize="${cfg.rootSize}" rootSize="${cfg.rootSize}"
swapSize="${cfg.swapSize}" swapSize="${cfg.swapSize}"
useEncryption="${cfg.useEncryption}" encryptRoot="${cfg.encryptRoot}"
encryptBoot="${cfg.encryptBoot}"
useSwap="${cfg.useSwap}" useSwap="${cfg.useSwap}"
argonIterTime="${cfg.argonIterTime}" argonIterTime="${cfg.argonIterTime}"
cryptRoot="${cfg.cryptRoot}" cryptRoot="${cfg.cryptRoot}"
@ -72,7 +75,7 @@ in ''
exit 2 exit 2
fi fi
if [ "${cfg.useEncryption}" = "true" && ! -f "${cfg.passwordFile}" ]; then if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then
pprint "passwordFile does not exists!" pprint "passwordFile does not exists!"
exit 2 exit 2
fi fi
@ -121,20 +124,25 @@ in ''
efiPart="$diskByID-part1" efiPart="$diskByID-part1"
pprint "Creating boot (ZFS) partition" pprint "Creating boot (ZFS) partition"
if [ "${cfg.useEncryption}" = "true" ]; then if [ "${cfg.encryptBoot}" = "true" ]; then
sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID" sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID"
else else
sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID" sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID"
fi fi
bootPart="$diskByID-part2" bootPart="$diskByID-part2"
if [ "${cfg.emptySpace}" != "0" ]; then
pprint "Creating temp empty partition at the end of the disk"
sgdisk -n5:-${cfg.emptySpace}:0 -t5:8300 "$diskByID"
fi
if [ "${cfg.useSwap}" = "true" ]; then if [ "${cfg.useSwap}" = "true" ]; then
pprint "Creating SWAP partition" pprint "Creating SWAP partition"
sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID" sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID"
swapPart="$diskByID-part4" swapPart="$diskByID-part4"
fi fi
if [ "${cfg.useEncryption}" = "true" ]; then if [ "${cfg.encryptRoot}" = "true" ]; then
pprint "Creating LUKS partition" pprint "Creating LUKS partition"
sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID" sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID"
else else
@ -143,6 +151,11 @@ in ''
fi fi
rootPart="$diskByID-part3" rootPart="$diskByID-part3"
if [ "${cfg.emptySpace}" != "0" ]; then
pprint "Remove temp partition"
sgdisk -d 5 -s "$diskByID"
fi
partprobe "$diskByID" partprobe "$diskByID"
sleep 1 sleep 1
@ -158,10 +171,11 @@ in ''
use_existing_part_table use_existing_part_table
fi fi
if [ "${cfg.useEncryption}" = "true" ]; then if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
password=$(cat ${cfg.passwordFile}) password=$(cat ${cfg.passwordFile})
dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4 dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4
if [ "${cfg.encryptBoot}" = "true" ]; then
pprint "Creating LUKS container on $bootPart" pprint "Creating LUKS container on $bootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" - echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" -
pprint "Add keyfile to LUKS container on $bootPart" pprint "Add keyfile to LUKS container on $bootPart"
@ -169,7 +183,10 @@ in ''
pprint "Open LUKS container on $bootPart" pprint "Open LUKS container on $bootPart"
cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
fi
if [ "${cfg.encryptRoot}" = "true" ]; then
pprint "Creating LUKS container on $rootPart" pprint "Creating LUKS container on $rootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" - echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" -
pprint "Add keyfile to LUKS container on $rootPart" pprint "Add keyfile to LUKS container on $rootPart"
@ -177,9 +194,8 @@ in ''
pprint "Open LUKS container on $rootPart" pprint "Open LUKS container on $rootPart"
cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})" rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})"
fi
else else
bootPool="$bootPart" bootPool="$bootPart"
rootPool="$rootPart" rootPool="$rootPart"
@ -320,22 +336,21 @@ in ''
hostID=$(head -c8 /etc/machine-id) hostID=$(head -c8 /etc/machine-id)
hardwareConfig=$(mktemp) hardwareConfig=$(mktemp)
if [ "${cfg.useEncryption}" = "true" ]; then
bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
cat <<CONFIG > "$hardwareConfig" cat <<CONFIG > "$hardwareConfig"
networking.hostId = "$hostID"; networking.hostId = "$hostID";
boot.zfs.devNodes = "/dev/disk/by-partuuid"; boot.zfs.devNodes = "/dev/disk/by-partuuid";
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
CONFIG CONFIG
else if [ "${cfg.encryptBoot}" = "true" ]; then
cat <<CONFIG > "$hardwareConfig" bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
networking.hostId = "$hostID"; cat <<CONFIG >> "$hardwareConfig"
boot.zfs.devNodes = "/dev/disk/by-partuuid"; boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
boot.supportedFilesystems = [ "zfs" ]; CONFIG
fi
if [ "${cfg.encryptRoot}" = "true" ]; then
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
cat <<CONFIG >> "$hardwareConfig"
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
CONFIG CONFIG
fi fi
@ -354,7 +369,7 @@ in ''
chown root:root /mnt/etc/secrets/ssh_host_key chown root:root /mnt/etc/secrets/ssh_host_key
chmod 600 /mnt/etc/secrets/ssh_host_key chmod 600 /mnt/etc/secrets/ssh_host_key
if [ "${cfg.useEncryption}" = "true" ]; then if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin
chmod 000 /mnt/etc/secrets/keyfile*.bin chmod 000 /mnt/etc/secrets/keyfile*.bin
fi fi
@ -378,10 +393,8 @@ in ''
umount -Rl /mnt umount -Rl /mnt
zpool export -a zpool export -a
if [ "${cfg.useEncryption}" = "true" ]; then [ "${cfg.encryptBoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptBoot}
cryptsetup luksClose ${cfg.cryptBoot} [ "${cfg.encryptRoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptRoot}
cryptsetup luksClose ${cfg.cryptRoot}
fi
if [ "${cfg.autoReboot}" = "true" ]; then if [ "${cfg.autoReboot}" = "true" ]; then
if ! systemctl reboot --firmware-setup ; then if ! systemctl reboot --firmware-setup ; then
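Review bot: The rewritten conditions `if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then` (hunk -72,7 +75,7) and `if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then` (hunks -158,10 +171,11 and -354,7 +369,7) place shell `||`/`&&` inside a single `[ ... ]`, so the shell splits them into separate commands: the first `[` sees no closing `]` and fails, the remainder runs `true` or `false` as a command, and in the guard the trailing `! -f … ]` becomes a negated command-not-found; as I read it the passwordFile check then trips whenever `encryptRoot` is true and never trips otherwise, and the LUKS setup and keyfile copy are skipped for a host with only `encryptBoot` set. Use separate tests: `if { [ "${cfg.encryptBoot}" = "true" ] || [ "${cfg.encryptRoot}" = "true" ]; } && [ ! -f "${cfg.passwordFile}" ]; then` for the guard and `if [ "${cfg.encryptBoot}" = "true" ] || [ "${cfg.encryptRoot}" = "true" ]; then` for the other two. Separately, in hunk -169,7 +183,10 `bootPool` and `rootPool` are now assigned only inside their own `encryptBoot`/`encryptRoot` branches while the `else` at `bootPool="$bootPart"` runs only when neither is encrypted, so a host with `encryptRoot = true` and `encryptBoot = false` (the configuration added in this commit) reaches pool creation with `bootPool` unset; initialise `bootPool="$bootPart"` and `rootPool="$rootPart"` before the outer `if` and drop the `else` branch. The enclosing shell string starts and ends outside these hunks.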