update autoinstall module

This commit is contained in:
Dmitriy Kholkin 2023-03-25 19:28:11 +03:00
parent 16b699d2d5
commit cd7d5989cd
4 changed files with 94 additions and 42 deletions


@ -0,0 +1,20 @@
{ ... }: {
autoinstall.AMD-Workstation = {
mainuser = "ataraxia";
flakesPath = "/home/nixos/nixos-config";
encryption.ecryptBoot = false;
encryption.ecryptRoot = true;
encryption.passwordFile = "/home/nixos/pass";
encryption.argonIterTime = "4000";
partitioning.useEntireDisk = true;
partitioning.disk = "/dev/disk/by-id/nvme-XPG_GAMMIX_S11_Pro_2K342L2BBNUY";
partitioning.nullifyDisk = false;
partitioning.emptySpace = "100GiB";
swapPartition.enable = true;
swapPartition.size = "16GiB";
zfsOpts.ashift = 13;
zfsOpts.bootPoolReservation = "256M";
zfsOpts.rootPoolReservation = "45G";
persist.enable = true;
};
}
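Review bot: `encryption.ecryptBoot` and `encryption.ecryptRoot` are misspelled; the options this commit defines in the `encryption` block are `encryptBoot` and `encryptRoot`. Depending on how `options.autoinstall` is typed (not visible here), the typo either fails evaluation as an undefined option or is silently dropped, in which case `encryptRoot` falls back to its `false` default and the root pool on `partitioning.disk` is created without LUKS although `ecryptRoot = true` was clearly intended. Replace the two lines with `encryption.encryptBoot = false;` and `encryption.encryptRoot = true;`.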


@ -3,7 +3,8 @@
debug = false;
mainuser = "ataraxia";
flakesPath = "/home/nixos/nixos-config";
encryption.enable = true;
encryption.encryptBoot = true;
encryption.encryptRoot = true;
encryption.passwordFile = "/home/nixos/pass";
encryption.argonIterTime = "4000";
partitioning.useEntireDisk = true;


@ -27,6 +27,11 @@ let
default = "";
description = "Path to the disk to wipe";
};
emptySpace = mkOption {
type = types.str;
default = "0";
description = "Empty space at the end of the disk`";
};
# partitions = mkOption {
# type = types.nullOr attrsOf partitionsAttrs;
# default = null;
@ -40,7 +45,7 @@ let
};
mainuser = mkOption {
type = types.str;
default = "alukard";
default = "ataraxia";
description = "Name of the main user (used for creation of home folder)";
};
flakesPath = mkOption {
@ -76,10 +81,15 @@ let
};
};
encryption = {
enable = mkOption {
encryptBoot = mkOption {
type = types.bool;
default = false;
description = "Use luks full-disk encryption";
description = "Encrypt boot partition";
};
encryptRoot = mkOption {
type = types.bool;
default = false;
description = "Encrypt boot partition";
};
argonIterTime = mkOption {
type = types.str;
@ -163,6 +173,14 @@ let
};
serviceConfig = { Type = "oneshot"; };
};
# asserts = opt: [{
# assertion = opt.flakesPath != "";
# message = "flakesPath can't be empty";
# } {
# assertion = !(opt.encryption.enable && opt.encryption.passwordFile == "");
# message = "If you use encryption, you need to set path to password file";
# }];
in {
options.autoinstall = mkOption {
default = {};
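Review bot: The `encryptRoot` option added to the `encryption` block reuses `encryptBoot`'s description, so both options document themselves as "Encrypt boot partition"; change it to `description = "Encrypt root partition";`. The new `emptySpace` option's description carries a stray backtick; `description = "Empty space at the end of the disk";` is what was meant. The commented-out `asserts` still test `opt.encryption.enable`, which this commit removes, so if they are ever re-enabled the second assertion needs to become `!((opt.encryption.encryptBoot || opt.encryption.encryptRoot) && opt.encryption.passwordFile == "")`. Until then the only guard on `passwordFile` is the runtime test in the install script, and the form this commit gives it, `[ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]`, is split by the shell at `||` and `&&` (they are list operators, not `[` operands), so the `-f` check is not evaluated as part of a single condition; the same construct is used at the LUKS-creation and keyfile-copy branches of that script.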


@ -9,9 +9,11 @@ with lib; let
bootPartition = opt.partitioning.partitions.bootPartition or "0";
rootPartition = opt.partitioning.partitions.rootPartition or "0";
swapPartition = opt.partitioning.partitions.swapPartition or "0";
emptySpace = opt.partitioning.emptySpace or "0";
debug = boolToString opt.debug;
useSwap = boolToString opt.swapPartition.enable;
useEncryption = boolToString opt.encryption.enable;
encryptRoot = boolToString opt.encryption.encryptRoot;
encryptBoot = boolToString opt.encryption.encryptBoot;
swapSize = opt.swapPartition.size or "0";
zfsAshift = toString opt.zfsOpts.ashift;
usePersistModule = boolToString opt.persist.enable;
@ -45,7 +47,8 @@ in ''
bootSize="${cfg.bootSize}"
rootSize="${cfg.rootSize}"
swapSize="${cfg.swapSize}"
useEncryption="${cfg.useEncryption}"
encryptRoot="${cfg.encryptRoot}"
encryptBoot="${cfg.encryptBoot}"
useSwap="${cfg.useSwap}"
argonIterTime="${cfg.argonIterTime}"
cryptRoot="${cfg.cryptRoot}"
@ -72,7 +75,7 @@ in ''
exit 2
fi
if [ "${cfg.useEncryption}" = "true" && ! -f "${cfg.passwordFile}" ]; then
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" && ! -f "${cfg.passwordFile}" ]; then
pprint "passwordFile does not exists!"
exit 2
fi
@ -121,20 +124,25 @@ in ''
efiPart="$diskByID-part1"
pprint "Creating boot (ZFS) partition"
if [ "${cfg.useEncryption}" = "true" ]; then
if [ "${cfg.encryptBoot}" = "true" ]; then
sgdisk -n2:0:+${cfg.bootSize} -t2:8309 "$diskByID"
else
sgdisk -n2:0:+${cfg.bootSize} -t2:BF00 "$diskByID"
fi
bootPart="$diskByID-part2"
if [ "${cfg.emptySpace}" != "0" ]; then
pprint "Creating temp empty partition at the end of the disk"
sgdisk -n5:-${cfg.emptySpace}:0 -t5:8300 "$diskByID"
fi
if [ "${cfg.useSwap}" = "true" ]; then
pprint "Creating SWAP partition"
sgdisk -n4:0:+${cfg.swapSize} -t4:8200 "$diskByID"
swapPart="$diskByID-part4"
fi
if [ "${cfg.useEncryption}" = "true" ]; then
if [ "${cfg.encryptRoot}" = "true" ]; then
pprint "Creating LUKS partition"
sgdisk -n3:0:${cfg.rootSize} -t3:8309 "$diskByID"
else
@ -143,6 +151,11 @@ in ''
fi
rootPart="$diskByID-part3"
if [ "${cfg.emptySpace}" != "0" ]; then
pprint "Remove temp partition"
sgdisk -d 5 -s "$diskByID"
fi
partprobe "$diskByID"
sleep 1
@ -158,28 +171,31 @@ in ''
use_existing_part_table
fi
if [ "${cfg.useEncryption}" = "true" ]; then
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
password=$(cat ${cfg.passwordFile})
dd if=/dev/urandom of=/tmp/keyfile0.bin bs=1024 count=4
pprint "Creating LUKS container on $bootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" -
pprint "Add keyfile to LUKS container on $bootPart"
echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin -
if [ "${cfg.encryptBoot}" = "true" ]; then
pprint "Creating LUKS container on $bootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$bootPart" -
pprint "Add keyfile to LUKS container on $bootPart"
echo -n "$password" | cryptsetup luksAddKey $bootPart /tmp/keyfile0.bin -
pprint "Open LUKS container on $bootPart"
cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin
pprint "Open LUKS container on $bootPart"
cryptsetup luksOpen --allow-discards "$bootPart" "${cfg.cryptBoot}" -d /tmp/keyfile0.bin
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
fi
pprint "Creating LUKS container on $rootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" -
pprint "Add keyfile to LUKS container on $rootPart"
echo -n "$password" | cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin -
if [ "${cfg.encryptRoot}" = "true" ]; then
pprint "Creating LUKS container on $rootPart"
echo -n "$password" | cryptsetup --type luks2 --pbkdf argon2id --iter-time ${cfg.argonIterTime} -c aes-xts-plain64 -s 512 -h sha256 luksFormat "$rootPart" -
pprint "Add keyfile to LUKS container on $rootPart"
echo -n "$password" | cryptsetup luksAddKey $rootPart /tmp/keyfile0.bin -
pprint "Open LUKS container on $rootPart"
cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin
bootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptBoot})"
rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})"
pprint "Open LUKS container on $rootPart"
cryptsetup luksOpen --allow-discards "$rootPart" "${cfg.cryptRoot}" -d /tmp/keyfile0.bin
rootPool="$(ls /dev/disk/by-id/dm-uuid-*${cfg.cryptRoot})"
fi
else
bootPool="$bootPart"
rootPool="$rootPart"
@ -320,23 +336,22 @@ in ''
hostID=$(head -c8 /etc/machine-id)
hardwareConfig=$(mktemp)
if [ "${cfg.useEncryption}" = "true" ]; then
bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
cat <<CONFIG > "$hardwareConfig"
networking.hostId = "$hostID";
boot.zfs.devNodes = "/dev/disk/by-partuuid";
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
CONFIG
else
cat <<CONFIG > "$hardwareConfig"
networking.hostId = "$hostID";
boot.zfs.devNodes = "/dev/disk/by-partuuid";
boot.supportedFilesystems = [ "zfs" ];
CONFIG
if [ "${cfg.encryptBoot}" = "true" ]; then
bootPartUuid=$(blkid --match-tag PARTUUID --output value "$bootPart")
cat <<CONFIG >> "$hardwareConfig"
boot.initrd.luks.devices."${cfg.cryptBoot}".device = "/dev/disk/by-partuuid/$bootPartUuid";
CONFIG
fi
if [ "${cfg.encryptRoot}" = "true" ]; then
rootPartUuid=$(blkid --match-tag PARTUUID --output value "$rootPart")
cat <<CONFIG >> "$hardwareConfig"
boot.initrd.luks.devices."${cfg.cryptRoot}".device = "/dev/disk/by-partuuid/$rootPartUuid";
CONFIG
fi
sed -i "\$e cat $hardwareConfig" ${cfg.flakesPath}/machines/${cfg.hostname}/hardware-configuration.nix
@ -354,7 +369,7 @@ in ''
chown root:root /mnt/etc/secrets/ssh_host_key
chmod 600 /mnt/etc/secrets/ssh_host_key
if [ "${cfg.useEncryption}" = "true" ]; then
if [ "${cfg.encryptBoot}" = "true" || "${cfg.encryptRoot}" = "true" ]; then
cp /tmp/keyfile0.bin /mnt/etc/secrets/keyfile0.bin
chmod 000 /mnt/etc/secrets/keyfile*.bin
fi
@ -378,10 +393,8 @@ in ''
umount -Rl /mnt
zpool export -a
if [ "${cfg.useEncryption}" = "true" ]; then
cryptsetup luksClose ${cfg.cryptBoot}
cryptsetup luksClose ${cfg.cryptRoot}
fi
[ "${cfg.encryptBoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptBoot}
[ "${cfg.encryptRoot}" = "true" ] && cryptsetup luksClose ${cfg.cryptRoot}
if [ "${cfg.autoReboot}" = "true" ]; then
if ! systemctl reboot --firmware-setup ; then