feat: booted hetzner server

2023-12-22 23:53:11 +01:00 · 2023-12-22 23:53:11 +01:00 · c6366e1e07
parent de6275570b
commit c6366e1e07
11 changed files with 133 additions and 22 deletions
--- a/flake.lock
+++ b/flake.lock
@ -974,12 +974,12 @@
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
      "locked": {
-        "lastModified": 1703206032,
+        "dirtyRev": "c2b389938b166987c4a4fb867ccaa8ff530ddc71-dirty",
-        "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=",
+        "dirtyShortRev": "c2b3899-dirty",
-        "owner": "oddlama",
+        "lastModified": 1703274021,
-        "repo": "nixos-extra-modules",
+        "narHash": "sha256-r5y1DmRxlKF3rlJoIULeq1lGVGWbTZxmNGlQ0jW8ZjQ=",
-        "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1",
+        "type": "git",
-        "type": "github"
+        "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
      },
      "original": {
        "owner": "oddlama",
--- a/hosts.toml
+++ b/hosts.toml
@ -13,3 +13,7 @@ system = "x86_64-linux"
 [gojo]
 type = "nixos"
 system = "x86_64-linux"
 [maddy]
 type = "nixos"
 system = "x86_64-linux"
--- a/hosts/maddy/default.nix
+++ b/hosts/maddy/default.nix
@ -0,0 +1,24 @@
 {
  lib,
  minimal,
  ...
 }: {
  imports =
    [
      ../../modules/config
      ../../modules/optional/initrd-ssh.nix
      ../../modules/hardware/zfs.nix
      ./net.nix
      ./fs.nix
    ]
    ++ lib.lists.optionals (!minimal) [
    ];
  services.xserver = {
    layout = "de";
    xkbVariant = "bone";
  };
  boot.mode = "bios";
  boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
 }
--- a/hosts/maddy/fs.nix
+++ b/hosts/maddy/fs.nix
@ -0,0 +1,35 @@
 {
  config,
  lib,
  ...
 }: {
  disko.devices = {
    disk = {
      drive = {
        type = "disk";
        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}";
        content = with lib.disko.gpt; {
          type = "table";
          format = "gpt";
          partitions = [
            (partGrub "grub" "0%" "1MiB")
            (partEfiBoot "bios" "1MiB" "512MiB")
            (partLuksZfs "rpool" "rpool" "512MiB" "100%")
            #(lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "17GiB" "100%") {content.extraFormatArgs = ["--pbkdf pbkdf2"];})
          ];
        };
      };
    };
    zpool = with lib.disko.zfs; {
      rpool = defaultZpoolOptions // {datasets = defaultZfsDatasets;};
    };
  };
  fileSystems."/state".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;
  boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
  boot.loader.grub.devices = [
    "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}"
  ];
 }
--- a/hosts/maddy/net.nix
+++ b/hosts/maddy/net.nix
@ -0,0 +1,33 @@
 {config, ...}: {
  networking.hostId = config.secrets.secrets.local.networking.hostId;
  networking.domain = config.secrets.secrets.global.domains.mail;
  boot.initrd.systemd.network = {
    enable = true;
    networks = {inherit (config.systemd.network.networks) "lan01";};
  };
  systemd.network.networks = {
    "lan01" = let
      icfg = config.secrets.secrets.local.networking.interfaces.lan01;
    in {
      address = [
        icfg.hostCidrv4
        icfg.hostCidrv6
      ];
      gateway = ["fe80::1"];
      routes = [
        {routeConfig = {Destination = "172.31.1.1";};}
        {
          routeConfig = {
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          };
        }
      ];
      matchConfig.MACAddress = icfg.mac;
      networkConfig.IPv6PrivacyExtensions = "yes";
      linkConfig.RequiredForOnline = "routable";
    };
  };
 }
--- a/hosts/maddy/secrets/generated/initrd_host_ed25519_key.age
+++ b/hosts/maddy/secrets/generated/initrd_host_ed25519_key.age
@ -0,0 +1,14 @@
 age-encryption.org/v1
 -> X25519 ep9dccBXMw0tEheuaIHeWMvhUKwtBFm0+mZJ5gCYxn0
 4ZVc8jn+4EsztT9drb4aUNCphqcwmAGGlFy3EfAaFJE
 -> piv-p256 XTQkUA AjvE9Foo//U4E/1d/5KasrCji7H7eCmJEsaql16s27Ou
 OWf66Ql7f2FWqzzcfHzUJ9fA5a0rhvQEQ9xrEAbATpw
 -> piv-p256 ZFgiIw AvU0lAitU4jUegJH3s2btabyRtN38JbxMlgnOqZwvYyb
 +655NICGD8ARcYPx+fCrh0aE5ZG0edMpoCcPDPQ8pvk
 -> piv-p256 ZFgiIw Aj4PUKsRiW04mmhOXPRQbr0myd//IeznPebXA4Oa1eRI
 CaRtlEkYAKOc8+t2d40f+GpzXY8SXpDEPQevhk8xb8s
 -> pK&V%|-grease BFxJOSz B9%c_+
 P1vAU7VI4VydjqLAjtDWqjKOP1k6iHjYsCgly21IvQsbwt4rwbUzodkpPtB6P7xt
 rcsi6e+J8Q9nc4lPRjsYyN/RiE1HIpr2MW+bBxljiyK/uC+1oxjZeKAKYTF/
 --- Sp0YG5pL58MD8xQ3XuIeBSuOQQy3+jJwBmhwNLWxbxM
 IYÅÜlŠm«1´*mW«OY+’#°5ÍB'Œqü¼]4N"2>¡éÂ‡¡ $žH?‡ï.]r¢º`Y¹Ýã{]‚zA…¾Ó§9²L¦è¾F¢†§Ù'E'í-~›Æ‡x@=•ÉÑGÜ—a8Æ*UT&¡Gè·šòîŒS\Ž¯ä•!P.üð˜p}ádM¢a.G‹:àïÀgüôÑôCê<43>S’[,öB¦Bå	ë',ÛšóÊ9šÀv€JND%ƒìŠÑ…·£Ûûæ@Þæ_–¬^uÆU¯}91ÿ8ãITÿQÈÏ´|“‡M<ƒïuà®]ñMç¨Ø$<24>Xœ?öo‡é ÿtÛ,Hñ³Y<C2B3>zÖÓ¥ÑäŸæ_OH^•³‹‰·îÆ^«œ!IÑ²ò‡}rIôÂ$ý²Wgð'ÙìE¯è'ïâRD!<21>OA™ZY	.Z ÂH6™/ï’õyJCV2Í¡0‰LÉñÒb©&êDK†÷j$ñ<16>ìuõA<C3B5>.ê8=èö&#n¹J%€ŠÂ>ßÎƒÝ[‘8:~<7E>ŒµÉ—È]”f¦€š_[¨¯v
VoÖ–t6hE
--- a/hosts/maddy/secrets/secrets.nix.age
+++ b/hosts/maddy/secrets/secrets.nix.age
--- a/lib/disko.nix
+++ b/lib/disko.nix
@ -4,6 +4,11 @@ _inputs: _self: super: {
    // {
      disko = {
        gpt = {
          partGrub = name: start: end: {
            inherit name start end;
            part-type = "primary";
            flags = ["bios_grub"];
          };
          partEfiBoot = name: start: end: {
            inherit name start end;
            fs-type = "fat32";
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@ -1,7 +1,10 @@
-{inputs, ...}: {
+{
  inputs,
  lib,
  ...
 }: {
  imports = [
    ./boot.nix
    ./efi.nix
    ./home-manager.nix
    ./inputrc.nix
    ./issue.nix
@ -32,4 +35,5 @@
    inputs.nixos-extra-modules.nixosModules.default
  ];
  age.identityPaths = ["/state/etc/ssh/ssh_host_ed25519_key"];
  boot.mode = lib.mkDefault "efi";
 }
--- a/modules/config/efi.nix
+++ b/modules/config/efi.nix
@ -1,7 +0,0 @@
 {
  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
 }
--- a/modules/optional/initrd-ssh.nix
+++ b/modules/optional/initrd-ssh.nix
@ -1,11 +1,8 @@
 {
  config,
  pkgs,
  lib,
  minimal,
  ...
-}:
+}: {
 lib.optionalAttrs (!minimal) {
  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
  boot.initrd.network.enable = true;
@ -28,10 +25,12 @@ lib.optionalAttrs (!minimal) {
  # for the first time, and the secrets were rekeyed for the the new host identity.
  system.activationScripts.agenixEnsureInitrdHostkey = {
    text = ''
-      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+      if [[ ! -e ${config.age.secrets.initrd_host_ed25519_key.path} ]]; then
-        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+        mkdir -p "$(dirname "${config.age.secrets.initrd_host_ed25519_key.path}")"
        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${config.age.secrets.initrd_host_ed25519_key.path}"
      fi
    '';
-    deps = ["agenixInstall"];
+    deps = ["agenixInstall" "users"];
  };
  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
 }