dedicated server script works now
This commit is contained in:
parent
a34de3739a
commit
760c68c783
1 changed files with 13 additions and 17 deletions
|
@ -34,7 +34,7 @@
|
||||||
# Notes https://mazzo.li/posts/hetzner-zfs.html
|
# Notes https://mazzo.li/posts/hetzner-zfs.html
|
||||||
|
|
||||||
# FIXME : change password
|
# FIXME : change password
|
||||||
MAIN_PASSWORD="KlEBgwLgksT71cfIixM3eNDjIaZgFFvMDY8EoBs1Il"
|
MAIN_PASSWORD="YOLO"
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
@ -161,8 +161,8 @@ echo 0 > /proc/sys/dev/raid/speed_limit_max
|
||||||
encrypt() {
|
encrypt() {
|
||||||
device=$1
|
device=$1
|
||||||
label=$2
|
label=$2
|
||||||
echo $MAIN_PASSWORD | cryptsetup luksFormat ${device}3 -
|
echo -n "$MAIN_PASSWORD" | cryptsetup luksFormat ${device}3 -
|
||||||
echo $MAIN_PASSWORD | cryptsetup --key-file - open --type luks ${device}3 ${label}_encrypted
|
echo -n "$MAIN_PASSWORD" | cryptsetup --key-file - open --type luks ${device}3 ${label}_encrypted
|
||||||
}
|
}
|
||||||
|
|
||||||
encrypt /dev/sda "a"
|
encrypt /dev/sda "a"
|
||||||
|
@ -305,7 +305,12 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ];
|
||||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
boot.initrd.kernelModules = [
|
||||||
|
"dm-snapshot"
|
||||||
|
"dm_mirror"
|
||||||
|
"dm_raid"
|
||||||
|
"dm_region_hash"
|
||||||
|
];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
@ -335,6 +340,7 @@ in
|
||||||
# fileSystems."/boot-1".options = [ "nofail" ];
|
# fileSystems."/boot-1".options = [ "nofail" ];
|
||||||
# fileSystems."/boot-2".options = [ "nofail" ];
|
# fileSystems."/boot-2".options = [ "nofail" ];
|
||||||
|
|
||||||
|
boot.initrd.luks.reusePassphrases = true;
|
||||||
boot.initrd.luks.devices = {
|
boot.initrd.luks.devices = {
|
||||||
a_encrypted = {
|
a_encrypted = {
|
||||||
device = "/dev/sda3";
|
device = "/dev/sda3";
|
||||||
|
@ -381,6 +387,7 @@ in
|
||||||
|
|
||||||
# enable ssh on init
|
# enable ssh on init
|
||||||
# ------------------
|
# ------------------
|
||||||
|
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
|
# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
|
||||||
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
|
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
|
||||||
|
@ -394,23 +401,12 @@ in
|
||||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||||
port = 22;
|
port = 22;
|
||||||
hostKeys = [
|
hostKeys = [
|
||||||
/etc/secrets/initrd/ssh_host_rsa_key
|
/etc/secrets/initrd/ssh_host_rsa_key
|
||||||
/etc/secrets/initrd/ssh_host_ed25519_key
|
/etc/secrets/initrd/ssh_host_ed25519_key
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
# make sure ip address is set after in initrd
|
|
||||||
#boot.initrd.network.postCommands = ''
|
|
||||||
# up ip addr add $IP_V4/32 dev eth0
|
|
||||||
# #ip address add $IP_V4/32 dev eth0
|
|
||||||
# #ip link set eth0 up
|
|
||||||
# #ip address add $IP_V4/32 dev $NIXOS_INTERFACE
|
|
||||||
# #ip link set eth0 up
|
|
||||||
#'';
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
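Review bot: The new value `MAIN_PASSWORD="YOLO"` under `# FIXME : change password` is the passphrase that `encrypt` pipes into `cryptsetup luksFormat` for `${device}3`, so the LUKS key for the host is now a trivial literal in version control (the replaced value is in history too, and a key that was ever committed is not recovered by editing the file later). Replace the assignment with a required environment variable so the script refuses to run without an out-of-band secret, e.g. `: "${MAIN_PASSWORD:?set MAIN_PASSWORD in the environment before running}"`, and prefer `printf '%s' "$MAIN_PASSWORD"` over `echo -n` in both `encrypt` pipelines so the no-trailing-newline behaviour this commit introduces does not depend on the shell's `echo`. The quoting of `"$MAIN_PASSWORD"` added in `encrypt` is correct and should stay; `${device}3` on the same two lines is still unquoted and would be safer as `"${device}3"`. `encrypt` begins and ends inside the second hunk; the assignment in the first hunk is at script top level.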