update autoinstall module
This commit is contained in:
parent
16b699d2d5
commit
cd7d5989cd
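--- /dev/null
+++ b/machines/AMD-Workstation/autoinstall.nix
@@ -0,0 +1,20 @@
+{ ... }: {
+autoinstall.AMD-Workstation = {
+mainuser = "ataraxia";
+flakesPath = "/home/nixos/nixos-config";
+encryption.ecryptBoot = false;
+encryption.ecryptRoot = true;
+encryption.passwordFile = "/home/nixos/pass";
+encryption.argonIterTime = "4000";
+partitioning.useEntireDisk = true;
+partitioning.disk = "/dev/disk/by-id/nvme-XPG_GAMMIX_S11_Pro_2K342L2BBNUY";
+partitioning.nullifyDisk = false;
+partitioning.emptySpace = "100GiB";
+swapPartition.enable = true;
+swapPartition.size = "16GiB";
+zfsOpts.ashift = 13;
+zfsOpts.bootPoolReservation = "256M";
+zfsOpts.rootPoolReservation = "45G";
+persist.enable = true;
+};
+}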
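Review bot: `encryption.ecryptBoot` and `encryption.ecryptRoot` are misspelled — the module changed in this same commit declares the options as `encryptBoot` and `encryptRoot`. How `options.autoinstall` is typed is not visible here, so evaluation either aborts with an unknown-option error or, if the attrset is freeform, the two values are silently dropped and both options fall back to their `false` defaults, leaving this host with an unencrypted root while the file reads as if root encryption were on. Change the two lines to `encryption.encryptBoot = false;` and `encryption.encryptRoot = true;`.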
@ -3,7 +3,8 @@
|
|||||||
debug = false;
|
debug = false;
|
||||||
mainuser = "ataraxia";
|
mainuser = "ataraxia";
|
||||||
flakesPath = "/home/nixos/nixos-config";
|
flakesPath = "/home/nixos/nixos-config";
|
||||||
encryption.enable = true;
|
encryption.encryptBoot = true;
|
||||||
|
encryption.encryptRoot = true;
|
||||||
encryption.passwordFile = "/home/nixos/pass";
|
encryption.passwordFile = "/home/nixos/pass";
|
||||||
encryption.argonIterTime = "4000";
|
encryption.argonIterTime = "4000";
|
||||||
partitioning.useEntireDisk = true;
|
partitioning.useEntireDisk = true;
|
||||||
|
@ -27,6 +27,11 @@ let
|
|||||||
default = "";
|
default = "";
|
||||||
description = "Path to the disk to wipe";
|
description = "Path to the disk to wipe";
|
||||||
};
|
};
|
||||||
|
emptySpace = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "0";
|
||||||
|
description = "Empty space at the end of the disk`";
|
||||||
|
};
|
||||||
# partitions = mkOption {
|
# partitions = mkOption {
|
||||||
# type = types.nullOr attrsOf partitionsAttrs;
|
# type = types.nullOr attrsOf partitionsAttrs;
|
||||||
# default = null;
|
# default = null;
|
||||||
@ -40,7 +45,7 @@ let
|
|||||||
};
|
};
|
||||||
mainuser = mkOption {
|
mainuser = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "alukard";
|
default = "ataraxia";
|
||||||
description = "Name of the main user (used for creation of home folder)";
|
description = "Name of the main user (used for creation of home folder)";
|
||||||
};
|
};
|
||||||
flakesPath = mkOption {
|
flakesPath = mkOption {
|
||||||
@ -76,10 +81,15 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
encryption = {
|
encryption = {
|
||||||
enable = mkOption {
|
encryptBoot = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = "Use luks full-disk encryption";
|
description = "Encrypt boot partition";
|
||||||
|
};
|
||||||
|
encryptRoot = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Encrypt boot partition";
|
||||||
};
|
};
|
||||||
argonIterTime = mkOption {
|
argonIterTime = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
@ -163,6 +173,14 @@ let
|
|||||||
};
|
};
|
||||||
serviceConfig = { Type = "oneshot"; };
|
serviceConfig = { Type = "oneshot"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# asserts = opt: [{
|
||||||
|
# assertion = opt.flakesPath != "";
|
||||||
|
# message = "flakesPath can't be empty";
|
||||||
|
# } {
|
||||||
|
# assertion = !(opt.encryption.enable && opt.encryption.passwordFile == "");
|
||||||
|
# message = "If you use encryption, you need to set path to password file";
|
||||||
|
# }];
|
||||||
in {
|
in {
|
||||||
options.autoinstall = mkOption {
|
options.autoinstall = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
|
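Review bot: The new `encryptRoot` option carries the description `"Encrypt boot partition"`, copied from `encryptBoot`; it should read `description = "Encrypt root partition";`. The assertion list added just before `in {` is commented out and still refers to `opt.encryption.enable`, which this commit removes, so nothing in the module enforces that `passwordFile` is set when either `encryptBoot` or `encryptRoot` is on; if it is meant to be revived, the check should be `assertion = !((opt.encryption.encryptBoot || opt.encryption.encryptRoot) && opt.encryption.passwordFile == "");`. The `emptySpace` description also ends with a stray backtick. The enclosing `let` block begins outside these hunks.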
@ -9,9 +9,11 @@ with lib; let
|
|||||||
bootPartition = opt.partitioning.partitions.bootPartition or "0";
|
bootPartition = opt.partitioning.partitions.bootPartition or "0";
|
||||||
rootPartition = opt.partitioning.partitions.rootPartition or "0";
|
rootPartition = opt.partitioning.partitions.rootPartition or "0";
|
||||||
swapPartition = opt.partitioning.partitions.swapPartition or "0";
|
swapPartition = opt.partitioning.partitions.swapPartition or "0";
|
||||||
|
emptySpace = opt.partitioning.emptySpace or "0";
|
||||||
debug = boolToString opt.debug;
|
debug = boolToString opt.debug;
|
||||||
useSwap = boolToString opt.swapPartition.enable;
|
useSwap = boolToString opt.swapPartition.enable;
|
||||||
useEncryption = boolToString opt.encryption.enable;
|
encryptRoot = boolToString opt.encryption.encryptRoot;
|
||||||
|
encryptBoot = boolToString opt.encryption.encryptBoot;
|
||||||
swapSize = opt.swapPartition.size or "0";
|
swapSize = opt.swapPartition.size or "0";
|
||||||
zfsAshift = toString opt.zfsOpts.ashift;
|
zfsAshift = toString opt.zfsOpts.ashift;
|
||||||
usePersistModule = boolToString opt.persist.enable;
|
usePersistModule = boolToString opt.persist.enable;
|
||||||
@ -45,7 +47,8 @@ in ''
|
|||||||
bootSize="${cfg.bootSize}"
|
bootSize="${cfg.bootSize}"
|
||||||
rootSize="${cfg.rootSize}"
|
rootSize="${cfg.rootSize}"
|
||||||
swapSize="${cfg.swapSize}"
|
swapSize="${cfg.swapSize}"
|
||||||
useEncryption="${cfg.useEncryption}"
|
encryptRoot="${cfg.encryptRoot}"
|
||||||
|
encryptBoot="${cfg.encryptBoot}"
|
||||||
useSwap="${cfg.useSwap}"
|
useSwap="${cfg.useSwap}"
|
||||||
argonIterTime="${cfg.argonIterTime}"
|
argonIterTime="${cfg.argonIterTime}"
|
||||||
cryptRoot="${cfg.cryptRoot}"
|
cryptRoot="${cfg.cryptRoot}"
|
||||||
@ -72,7 +75,7 @@ in ''
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${cfg.useEncryption}" = "true" && ! -f "${cfg.passwordFile}" ]; then
|
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then
|
||||||
pprint "passwordFile does not exists!"
|
pprint "passwordFile does not exists!"
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
@ -121,20 +124,25 @@ in ''
|
|||||||
efiPart="$diskByID-part1"
|
efiPart="$diskByID-part1"
|
||||||
|
|
||||||
pprint "Creating boot (ZFS) partition"
|
pprint "Creating boot (ZFS) partition"
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
if [ "${cfg.encryptBoot}" = "true" ]; then
|
||||||
sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID"
|
sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID"
|
||||||
else
|
else
|
||||||
sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID"
|
sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID"
|
||||||
fi
|
fi
|
||||||
bootPart="$diskByID-part2"
|
bootPart="$diskByID-part2"
|
||||||
|
|
||||||
|
if [ "${cfg.emptySpace}" != "0" ]; then
|
||||||
|
pprint "Creating temp empty partition at the end of the disk"
|
||||||
|
sgdisk -n5:-${cfg.emptySpace}:0 -t5:8300 "$diskByID"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "${cfg.useSwap}" = "true" ]; then
|
if [ "${cfg.useSwap}" = "true" ]; then
|
||||||
pprint "Creating SWAP partition"
|
pprint "Creating SWAP partition"
|
||||||
sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID"
|
sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID"
|
||||||
swapPart="$diskByID-part4"
|
swapPart="$diskByID-part4"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
if [ "${cfg.encryptRoot}" = "true" ]; then
|
||||||
pprint "Creating LUKS partition"
|
pprint "Creating LUKS partition"
|
||||||
sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID"
|
sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID"
|
||||||
else
|
else
|
||||||
@ -143,6 +151,11 @@ in ''
|
|||||||
fi
|
fi
|
||||||
rootPart="$diskByID-part3"
|
rootPart="$diskByID-part3"
|
||||||
|
|
||||||
|
if [ "${cfg.emptySpace}" != "0" ]; then
|
||||||
|
pprint "Remove temp partition"
|
||||||
|
sgdisk -d 5 -s "$diskByID"
|
||||||
|
fi
|
||||||
|
|
||||||
partprobe "$diskByID"
|
partprobe "$diskByID"
|
||||||
sleep 1
|
sleep 1
|
||||||
|
|
||||||
@ -158,28 +171,31 @@ in ''
|
|||||||
use_existing_part_table
|
use_existing_part_table
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
|
||||||
password=$(cat ${cfg.passwordFile})
|
password=$(cat ${cfg.passwordFile})
|
||||||
dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4
|
dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4
|
||||||
|
|
||||||
pprint "Creating LUKS container on $bootPart"
|
if [ "${cfg.encryptBoot}" = "true" ]; then
|
||||||
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" -
|
pprint "Creating LUKS container on $bootPart"
|
||||||
pprint "Add keyfile to LUKS container on $bootPart"
|
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" -
|
||||||
echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin -
|
pprint "Add keyfile to LUKS container on $bootPart"
|
||||||
|
echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin -
|
||||||
|
|
||||||
pprint "Open LUKS container on $bootPart"
|
pprint "Open LUKS container on $bootPart"
|
||||||
cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin
|
cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin
|
||||||
|
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
|
||||||
|
fi
|
||||||
|
|
||||||
pprint "Creating LUKS container on $rootPart"
|
if [ "${cfg.encryptRoot}" = "true" ]; then
|
||||||
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" -
|
pprint "Creating LUKS container on $rootPart"
|
||||||
pprint "Add keyfile to LUKS container on $rootPart"
|
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" -
|
||||||
echo -n "$password" | cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin -
|
pprint "Add keyfile to LUKS container on $rootPart"
|
||||||
|
echo -n "$password" | cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin -
|
||||||
|
|
||||||
pprint "Open LUKS container on $rootPart"
|
pprint "Open LUKS container on $rootPart"
|
||||||
cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin
|
cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin
|
||||||
|
rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})"
|
||||||
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
|
fi
|
||||||
rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})"
|
|
||||||
else
|
else
|
||||||
bootPool="$bootPart"
|
bootPool="$bootPart"
|
||||||
rootPool="$rootPart"
|
rootPool="$rootPart"
|
||||||
@ -320,23 +336,22 @@ in ''
|
|||||||
hostID=$(head -c8 /etc/machine-id)
|
hostID=$(head -c8 /etc/machine-id)
|
||||||
|
|
||||||
hardwareConfig=$(mktemp)
|
hardwareConfig=$(mktemp)
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
|
||||||
bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
|
|
||||||
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
|
|
||||||
|
|
||||||
cat <<CONFIG > "$hardwareConfig"
|
|
||||||
networking.hostId = "$hostID";
|
|
||||||
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
|
||||||
boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
|
|
||||||
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
|
|
||||||
CONFIG
|
|
||||||
else
|
|
||||||
cat <<CONFIG > "$hardwareConfig"
|
cat <<CONFIG > "$hardwareConfig"
|
||||||
networking.hostId = "$hostID";
|
networking.hostId = "$hostID";
|
||||||
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
boot.zfs.devNodes = "/dev/disk/by-partuuid";
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
CONFIG
|
CONFIG
|
||||||
|
if [ "${cfg.encryptBoot}" = "true" ]; then
|
||||||
|
bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
|
||||||
|
cat <<CONFIG >> "$hardwareConfig"
|
||||||
|
boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
|
||||||
|
CONFIG
|
||||||
|
fi
|
||||||
|
if [ "${cfg.encryptRoot}" = "true" ]; then
|
||||||
|
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
|
||||||
|
cat <<CONFIG >> "$hardwareConfig"
|
||||||
|
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
|
||||||
|
CONFIG
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i "\$e cat $hardwareConfig" ${cfg.flakesPath}/machines/${cfg.hostname}/hardware-configuration.nix
|
sed -i "\$e cat $hardwareConfig" ${cfg.flakesPath}/machines/${cfg.hostname}/hardware-configuration.nix
|
||||||
@ -354,7 +369,7 @@ in ''
|
|||||||
chown root:root /mnt/etc/secrets/ssh_host_key
|
chown root:root /mnt/etc/secrets/ssh_host_key
|
||||||
chmod 600 /mnt/etc/secrets/ssh_host_key
|
chmod 600 /mnt/etc/secrets/ssh_host_key
|
||||||
|
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
|
||||||
cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin
|
cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin
|
||||||
chmod 000 /mnt/etc/secrets/keyfile*.bin
|
chmod 000 /mnt/etc/secrets/keyfile*.bin
|
||||||
fi
|
fi
|
||||||
@ -378,10 +393,8 @@ in ''
|
|||||||
|
|
||||||
umount -Rl /mnt
|
umount -Rl /mnt
|
||||||
zpool export -a
|
zpool export -a
|
||||||
if [ "${cfg.useEncryption}" = "true" ]; then
|
[ "${cfg.encryptBoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptBoot}
|
||||||
cryptsetup luksClose ${cfg.cryptBoot}
|
[ "${cfg.encryptRoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptRoot}
|
||||||
cryptsetup luksClose ${cfg.cryptRoot}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${cfg.autoReboot}" = "true" ]; then
|
if [ "${cfg.autoReboot}" = "true" ]; then
|
||||||
if ! systemctl reboot --firmware-setup ; then
|
if ! systemctl reboot --firmware-setup ; then
|
||||||
|
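Review bot: The three new tests of the form `[ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]` do not work inside a single-bracket `[`: in sh/bash `||` and `&&` are list operators, so the line becomes three separate commands — the first `[` fails with a missing `]`, the middle runs `true`/`false` as a command, and `-f` is executed as a command — so the passwordFile existence check is never actually evaluated and the outcome depends only on the `encryptRoot` value. Write them as `{ [ "${cfg.encryptBoot}" = "true" ] || [ "${cfg.encryptRoot}" = "true" ]; } && [ ! -f "${cfg.passwordFile}" ]` (and the same grouping without the `-f` test for the LUKS-format and keyfile-copy blocks). In the LUKS hunk, `bootPool` and `rootPool` are now assigned only inside their own `if`, while the `else` that sets `bootPool="$bootPart"` runs only when neither partition is encrypted, so a root-only setup like the new AMD-Workstation file leaves `bootPool` empty for the later pool creation; set `bootPool="$bootPart"` and `rootPool="$rootPart"` before the encryption block and let the LUKS branches override them. The script string continues past both ends of these hunks.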