From c6366e1e07660d388580161d8c1648e9b8f692c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= Date: Fri, 22 Dec 2023 23:53:11 +0100 Subject: [PATCH] feat: booted hetzner server --- flake.lock | 12 +++--- hosts.toml | 4 ++ hosts/maddy/default.nix | 24 ++++++++++++ hosts/maddy/fs.nix | 35 ++++++++++++++++++ hosts/maddy/net.nix | 33 +++++++++++++++++ .../generated/initrd_host_ed25519_key.age | 14 +++++++ hosts/maddy/secrets/secrets.nix.age | Bin 0 -> 821 bytes lib/disko.nix | 5 +++ modules/config/default.nix | 8 +++- modules/config/efi.nix | 7 ---- modules/optional/initrd-ssh.nix | 13 +++---- 11 files changed, 133 insertions(+), 22 deletions(-) create mode 100644 hosts/maddy/default.nix create mode 100644 hosts/maddy/fs.nix create mode 100644 hosts/maddy/net.nix create mode 100644 hosts/maddy/secrets/generated/initrd_host_ed25519_key.age create mode 100644 hosts/maddy/secrets/secrets.nix.age delete mode 100644 modules/config/efi.nix diff --git a/flake.lock b/flake.lock index f34dba8..cba26eb 100644 --- a/flake.lock +++ b/flake.lock @@ -974,12 +974,12 @@ "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { - "lastModified": 1703206032, - "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=", - "owner": "oddlama", - "repo": "nixos-extra-modules", - "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1", - "type": "github" + "dirtyRev": "c2b389938b166987c4a4fb867ccaa8ff530ddc71-dirty", + "dirtyShortRev": "c2b3899-dirty", + "lastModified": 1703274021, + "narHash": "sha256-r5y1DmRxlKF3rlJoIULeq1lGVGWbTZxmNGlQ0jW8ZjQ=", + "type": "git", + "url": "file:///home/patrick/repos/nix/nixos-extra-modules" }, "original": { "owner": "oddlama", diff --git a/hosts.toml b/hosts.toml index f96c03d..ed7aa3d 100644 --- a/hosts.toml +++ b/hosts.toml @@ -13,3 +13,7 @@ system = "x86_64-linux" [gojo] type = "nixos" system = "x86_64-linux" + +[maddy] +type = "nixos" +system = "x86_64-linux" 
diff --git a/hosts/maddy/default.nix b/hosts/maddy/default.nix new file mode 100644 index 0000000..25381d0 --- /dev/null +++ b/hosts/maddy/default.nix @@ -0,0 +1,24 @@ +{ + lib, + minimal, + ... +}: { + imports = + [ + ../../modules/config + ../../modules/optional/initrd-ssh.nix + + ../../modules/hardware/zfs.nix + + ./net.nix + ./fs.nix + ] + ++ lib.lists.optionals (!minimal) [ + ]; + services.xserver = { + layout = "de"; + xkbVariant = "bone"; + }; + boot.mode = "bios"; + boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"]; +} diff --git a/hosts/maddy/fs.nix b/hosts/maddy/fs.nix new file mode 100644 index 0000000..38531c8 --- /dev/null +++ b/hosts/maddy/fs.nix @@ -0,0 +1,35 @@ +{ + config, + lib, + ... +}: { + disko.devices = { + disk = { + drive = { + type = "disk"; + device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}"; + content = with lib.disko.gpt; { + type = "table"; + format = "gpt"; + partitions = [ + (partGrub "grub" "0%" "1MiB") + (partEfiBoot "bios" "1MiB" "512MiB") + (partLuksZfs "rpool" "rpool" "512MiB" "100%") + #(lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "17GiB" "100%") {content.extraFormatArgs = ["--pbkdf pbkdf2"];}) + ]; + }; + }; + }; + + zpool = with lib.disko.zfs; { + rpool = defaultZpoolOptions // {datasets = defaultZfsDatasets;}; + }; + }; + + fileSystems."/state".neededForBoot = true; + fileSystems."/persist".neededForBoot = true; + boot.initrd.luks.devices.enc-rpool.allowDiscards = true; + boot.loader.grub.devices = [ + "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}" + ]; +} diff --git a/hosts/maddy/net.nix b/hosts/maddy/net.nix new file mode 100644 index 0000000..f4750fc --- /dev/null +++ b/hosts/maddy/net.nix 
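Review bot: The `++ lib.lists.optionals (!minimal) [ ]` list in the imports of hosts/maddy/default.nix is empty, so `minimal` no longer changes anything for this host, while the first hunk of modules/optional/initrd-ssh.nix in this same commit drops the `lib.optionalAttrs (!minimal)` guard that used to exclude that module on its own. The combined effect is that a minimal build of maddy still carries the initrd SSH server and its `age.secrets.initrd_host_ed25519_key`; if that is not intended, move `../../modules/optional/initrd-ssh.nix` into the `optionals (!minimal)` list, otherwise delete the empty list. Either way a one-line comment such as `# initrd-ssh is deliberately part of minimal builds too` next to the import would record the decision for the next reader.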
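Review bot: `boot.initrd.luks.devices.enc-rpool.allowDiscards = true;` in hosts/maddy/fs.nix passes TRIM through the LUKS mapping, which lets anyone holding the raw disk see which blocks of the encrypted pool are unused; that is a documented trade-off on SSDs rather than a bug, but the line carries no comment saying it is intentional. A note like `# TRIM through dm-crypt: reveals the free-space layout of the encrypted pool, accepted for SSD longevity` would keep a later maintainer from removing or copying it blindly. The commented-out `partLuksZfs ... --pbkdf pbkdf2` variant is dead code; if it is kept as a hint for environments where the default KDF is too slow at unlock time, say so in the comment, otherwise drop it.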
@@ -0,0 +1,33 @@ +{config, ...}: { + networking.hostId = config.secrets.secrets.local.networking.hostId; + networking.domain = config.secrets.secrets.global.domains.mail; + + boot.initrd.systemd.network = { + enable = true; + networks = {inherit (config.systemd.network.networks) "lan01";}; + }; + + systemd.network.networks = { + "lan01" = let + icfg = config.secrets.secrets.local.networking.interfaces.lan01; + in { + address = [ + icfg.hostCidrv4 + icfg.hostCidrv6 + ]; + gateway = ["fe80::1"]; + routes = [ + {routeConfig = {Destination = "172.31.1.1";};} + { + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + } + ]; + matchConfig.MACAddress = icfg.mac; + networkConfig.IPv6PrivacyExtensions = "yes"; + linkConfig.RequiredForOnline = "routable"; + }; + }; +} diff --git a/hosts/maddy/secrets/generated/initrd_host_ed25519_key.age b/hosts/maddy/secrets/generated/initrd_host_ed25519_key.age new file mode 100644 index 0000000..90f1e21 --- /dev/null +++ b/hosts/maddy/secrets/generated/initrd_host_ed25519_key.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> X25519 ep9dccBXMw0tEheuaIHeWMvhUKwtBFm0+mZJ5gCYxn0 +4ZVc8jn+4EsztT9drb4aUNCphqcwmAGGlFy3EfAaFJE +-> piv-p256 XTQkUA AjvE9Foo//U4E/1d/5KasrCji7H7eCmJEsaql16s27Ou +OWf66Ql7f2FWqzzcfHzUJ9fA5a0rhvQEQ9xrEAbATpw +-> piv-p256 ZFgiIw AvU0lAitU4jUegJH3s2btabyRtN38JbxMlgnOqZwvYyb ++655NICGD8ARcYPx+fCrh0aE5ZG0edMpoCcPDPQ8pvk +-> piv-p256 ZFgiIw Aj4PUKsRiW04mmhOXPRQbr0myd//IeznPebXA4Oa1eRI +CaRtlEkYAKOc8+t2d40f+GpzXY8SXpDEPQevhk8xb8s +-> pK&V%|-grease BFxJOSz B9%c_+ +P1vAU7VI4VydjqLAjtDWqjKOP1k6iHjYsCgly21IvQsbwt4rwbUzodkpPtB6P7xt +rcsi6e+J8Q9nc4lPRjsYyN/RiE1HIpr2MW+bBxljiyK/uC+1oxjZeKAKYTF/ +--- Sp0YG5pL58MD8xQ3XuIeBSuOQQy3+jJwBmhwNLWxbxM +IYlm 1*mWOY+#5B'q]4N"2>‡$H?.]r`Y{]zA9LF'E'-~Ƈx@=Gܗa8*UT&GS\!P.p}dMa.G:gCS[,BB ',ۚ9vJND%х@_^uU}918ITQϴ|M΃[8:~ɗ]f_[v Vot6hE \ No newline at end of file 
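Review bot: The fixed addresses in hosts/maddy/net.nix — `gateway = ["fe80::1"]`, the on-link route to `172.31.1.1` and the default route via it with `GatewayOnLink = true` — follow the Hetzner Cloud gateway convention (the commit title says this is a Hetzner server), but nothing in the file says so, and the same block is reused verbatim in the initrd through `boot.initrd.systemd.network.networks`. A comment above `systemd.network.networks` such as `# Hetzner Cloud: IPv4 gateway is always 172.31.1.1 (on-link, outside the host's /32); IPv6 gateway is the link-local fe80::1` would explain why a gateway outside the host CIDR is correct here. `networkConfig.IPv6PrivacyExtensions = "yes"` only takes effect for addresses learned from router advertisements, so on this statically addressed host it may do nothing or may add temporary addresses that are preferred for outgoing connections — confirm which you want, since a server whose outbound IPv6 source changes is harder to allow-list and to correlate in logs.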
diff --git a/hosts/maddy/secrets/secrets.nix.age b/hosts/maddy/secrets/secrets.nix.age new file mode 100644 index 0000000000000000000000000000000000000000..1ba0f024e8fa55337763f6c60a8c2254b6f2ad06 GIT binary patch literal 821 zcmY+<-)kEM0KoCJtgA#}!gSNE%DK@N7UDIRUM@FW_A@IhpQS!7zOOpvb9Fo&Zrw(dn|AAHzf@cDiv zRq-jhY_-fr$PoB`tq4tC zYN1#}teEL`9)>9n&v5CysTV;mLR7PC>p?3UQA;rwz(RuQ*yACB%apV7xRH;hA$=C zJ1ZN?L)bZJ{-0WI^e_KgtGnUeIo3THSeRXV!rfdv@txG_TY37Uf$$Nkb@04S@||s;efeYI)`!2o@cz=mOP4dp9rqdb()s1Uw=-{FpZmpF{9)mfBVFIf zPu)0l_2FTOYXlPnM8Jx%IWfBY&QdzTPo; z;l0KVn(q8|@B2IVo_}P1VCCYwJ@fE$VtsXz=wGH@D|cDHudjV^>ahbUWZzHSf4KA; cPVV!)CFknh{Y${W+_BEXMC#+-V+U*Z0gp{KvH$=8 literal 0 HcmV?d00001 diff --git a/lib/disko.nix b/lib/disko.nix index a513903..b3774e1 100644 --- a/lib/disko.nix +++ b/lib/disko.nix @@ -4,6 +4,11 @@ _inputs: _self: super: { // { disko = { gpt = { + partGrub = name: start: end: { + inherit name start end; + part-type = "primary"; + flags = ["bios_grub"]; + }; partEfiBoot = name: start: end: { inherit name start end; fs-type = "fat32"; diff --git a/modules/config/default.nix b/modules/config/default.nix index 4a7462f..ad8da21 100644 --- a/modules/config/default.nix +++ b/modules/config/default.nix @@ -1,7 +1,10 @@ -{inputs, ...}: { +{ + inputs, + lib, + ... +}: { imports = [ ./boot.nix - ./efi.nix ./home-manager.nix ./inputrc.nix ./issue.nix @@ -32,4 +35,5 @@ inputs.nixos-extra-modules.nixosModules.default ]; age.identityPaths = ["/state/etc/ssh/ssh_host_ed25519_key"]; + boot.mode = lib.mkDefault "efi"; } diff --git a/modules/config/efi.nix b/modules/config/efi.nix deleted file mode 100644 index c07c7e8..0000000 --- a/modules/config/efi.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - # Use the systemd-boot EFI boot loader. - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; -} diff --git a/modules/optional/initrd-ssh.nix b/modules/optional/initrd-ssh.nix index 3eeced4..ae7bf26 100644 --- a/modules/optional/initrd-ssh.nix 
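Review bot: The new `partGrub` helper in lib/disko.nix has no comment explaining what it produces, and it is the least self-explanatory of the three helpers: a GPT partition carrying the `bios_grub` flag is the BIOS boot partition GRUB embeds its core image into, it holds no filesystem, and it is only meaningful when the host boots in legacy/BIOS mode. A header comment such as `# BIOS boot partition (parted flag bios_grub) for GRUB's core image on GPT disks; no filesystem, only needed with boot.mode = "bios"` placed above `partGrub = name: start: end: {` would document that. The surrounding `gpt = { … }` attribute set starts and ends outside the hunk.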
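Review bot: `boot.mode = lib.mkDefault "efi";` in modules/config/default.nix replaces the deleted modules/config/efi.nix, but nothing in this patch defines the `boot.mode` option; it presumably comes from `inputs.nixos-extra-modules.nixosModules.default` on the context line just above, and this same commit moves flake.lock for that input from the GitHub rev `073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1` to `"type": "git", "url": "file:///home/patrick/repos/nix/nixos-extra-modules"` with a `dirtyRev`. That makes the configuration evaluate only on the author's machine with uncommitted changes, and the lock no longer pins a source anyone else can fetch or audit — a provenance gap in the supply chain rather than a boot bug. Commit and push the nixos-extra-modules change and re-lock to a published rev before merging, and consider documenting the new line with `# boot.mode (efi/bios) is provided by nixos-extra-modules; hosts override it per firmware`. The enclosing module attribute set starts outside this hunk.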
+++ b/modules/optional/initrd-ssh.nix @@ -1,11 +1,8 @@ { config, pkgs, - lib, - minimal, ... -}: -lib.optionalAttrs (!minimal) { +}: { age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519"; boot.initrd.network.enable = true; @@ -28,10 +25,12 @@ lib.optionalAttrs (!minimal) { # for the first time, and the secrets were rekeyed for the the new host identity. system.activationScripts.agenixEnsureInitrdHostkey = { text = '' - [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \ - || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path} + if [[ ! -e ${config.age.secrets.initrd_host_ed25519_key.path} ]]; then + mkdir -p "$(dirname "${config.age.secrets.initrd_host_ed25519_key.path}")" + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${config.age.secrets.initrd_host_ed25519_key.path}" + fi ''; - deps = ["agenixInstall"]; + deps = ["agenixInstall" "users"]; }; system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"]; }
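Review bot: The fallback `ssh-keygen` in `agenixEnsureInitrdHostkey` silently gives the initrd an unmanaged host key whenever the agenix secret is not present, so an operator who later connects to the initrd sees a fingerprint that does not match the key generated from secrets and finds no activation-log line explaining why. Add a message before the keygen, e.g. `echo "agenixEnsureInitrdHostkey: initrd host key missing, generating a temporary one" >&2`, so the mismatch is diagnosable and the existence of a temporary key is visible in the activation output. The added `mkdir -p "$(dirname …)"` creates the parent directory with the activation shell's umask; since ssh-keygen writes the key itself with mode 0600 that is acceptable, but `mkdir -p -m 0755` makes the intent explicit. The enclosing `system.activationScripts` block and the module attribute set start outside this hunk.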