From d5f1ef4af6aa53686a10587cfbceb50cca80ffe1 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Wed, 7 Aug 2024 11:07:10 +0200 Subject: [PATCH] extract nixos.boot.ssh and set up probe --- components/gui/wayland.nix | 6 +-- components/gui/xorg/default.nix | 2 +- components/nixos/boot/default.nix | 15 ++++++ components/nixos/boot/ssh.nix | 49 +++++++++++++++++++ components/nixos/{ => boot}/tor-ssh.nix | 37 -------------- components/nixos/default.nix | 2 +- flake.nix | 12 ++--- machines/chungus/configuration.nix | 3 +- machines/orbi/configuration.nix | 1 - machines/probe/configuration.nix | 5 +- machines/probe/facts/ssh.boot.id_ed25519.pub | 1 + .../probe/hardware-configuration/default.nix | 5 +- .../disko-config-encrypted.nix | 44 +++++++++++++++++ ...sko-config.nix => disko-config-simple.nix} | 0 .../probe/hardware-configuration/hetzner.nix | 12 ++++- 15 files changed, 137 insertions(+), 57 deletions(-) create mode 100644 components/nixos/boot/default.nix create mode 100644 components/nixos/boot/ssh.nix rename components/nixos/{ => boot}/tor-ssh.nix (72%) create mode 100644 machines/probe/facts/ssh.boot.id_ed25519.pub create mode 100644 machines/probe/hardware-configuration/disko-config-encrypted.nix rename machines/probe/hardware-configuration/{disko-config.nix => disko-config-simple.nix} (100%) diff --git a/components/gui/wayland.nix b/components/gui/wayland.nix index 1aeed23..9b7b871 100644 --- a/components/gui/wayland.nix +++ b/components/gui/wayland.nix @@ -4,10 +4,10 @@ with lib; options.components.gui.wayland.enable = mkOption { type = lib.types.bool; - default = ! config.components.gui.xorg.enable; + default = !config.components.gui.xorg.enable; }; - config = mkIf config.components.gui.wayland.enable { - programs.hyprland.enable = true; + config = mkIf (config.components.gui.wayland.enable && config.components.gui.enable) { + programs.sway.enable = false; }; } 
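Review bot: The new body `programs.sway.enable = false;` under `mkIf (config.components.gui.wayland.enable && config.components.gui.enable)` is a no-op, because false is that option's default, so enabling the wayland component now configures nothing where the removed line enabled hyprland. If the compositor choice is deliberately parked, say so in place of the line, e.g. `# compositor TODO: hyprland dropped, nothing enabled yet`; otherwise the line should go or be set to true. The tightened guard also means an explicitly set `components.gui.wayland.enable = true` is silently ignored when `components.gui.enable` is false; an assertion would make that visible instead of silent.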
diff --git a/components/gui/xorg/default.nix b/components/gui/xorg/default.nix
index 2da2dd3..27f04f3 100644
--- a/components/gui/xorg/default.nix
+++ b/components/gui/xorg/default.nix
@@ -9,7 +9,7 @@ with lib; default = config.components.gui.enable; };
- config = mkIf config.components.gui.xorg.enable {
+ config = mkIf (config.components.gui.xorg.enable && config.components.gui.enable) { # system.custom.fonts.enable = true; services.displayManager = {
diff --git a/components/nixos/boot/default.nix b/components/nixos/boot/default.nix
new file mode 100644
index 0000000..9bf6045
--- /dev/null
+++ b/components/nixos/boot/default.nix
@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+{
+
+ imports = [
+ ./ssh.nix
+ ];
+
+ options.components.nixos.boot.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf (config.components.nixos.boot.enable) { };
+
+}
diff --git a/components/nixos/boot/ssh.nix b/components/nixos/boot/ssh.nix
new file mode 100644
index 0000000..b774840
--- /dev/null
+++ b/components/nixos/boot/ssh.nix
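Review bot: `options.components.nixos.boot.enable` in the new boot/default.nix has no `description`, and `config = lib.mkIf (config.components.nixos.boot.enable) { };` is an empty attribute set, so as far as this patch shows the option's only effect is through `components.nixos.boot.ssh.enable` defaulting to it in ssh.nix. Add `description = "Enable pre-unlock (initrd) services such as the boot-stage ssh server.";` and either delete the empty `config` block or mark it `# placeholder: no boot-wide settings yet`. The `enable` and `kernelModules` options in ssh.nix would benefit from the same treatment, since `kernelModules` is the only one carrying a description.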
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+
+{
+ options.components.nixos.boot.ssh = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = config.components.nixos.boot.enable;
+ };
+ kernelModules = mkOption {
+ type = listOf str;
+ default = [ ];
+ description =
+ "nix-shell -p pciutils --run 'lspci -v' will tell you which kernel module is used for the ethernet interface";
+ };
+ };
+
+ config = mkIf (config.components.nixos.boot.ssh.enable) {
+
+ # root password
+ #clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
+ #users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
+ #users.users.root.initalPassword = "admin";
+
+ # ssh host key
+ clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
+
+ # boot
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
+
+ # network
+ boot.initrd.systemd.network.enable = true;
+ boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
+
+ # ssh
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ port = 2222;
+ hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];
+ };
+
+ };
+
+}
+
diff --git a/components/nixos/tor-ssh.nix b/components/nixos/boot/tor-ssh.nix
similarity index 72%
rename from components/nixos/tor-ssh.nix
rename to components/nixos/boot/tor-ssh.nix
index 9af78bb..586b19f 100644
--- a/components/nixos/tor-ssh.nix
+++ b/components/nixos/boot/tor-ssh.nix
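Review bot: The dedicated key at `hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];` is copied into the initrd, and the initrd lives under `/boot` on the unencrypted vfat ESP (see disko-config-encrypted.nix in this patch), so that private key is readable by anyone holding the disk; that is exactly why it must stay separate from the main sshd host keys, but nothing in the file says so. Add above that line: `# separate key on purpose: the initrd (and this key) sits unencrypted on the ESP; never reuse services.openssh.hostKeys here`. Since the unlock sshd answers on port 2222 with this distinct key, a second comment that operators need a separate known_hosts entry would save a confusing host-key warning. The three commented-out lines under `# root password` should be deleted or turned into a tracked `# TODO:` (note `initalPassword` is also misspelled), as they currently document an unfinished path without saying what is missing.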
@@ -10,18 +10,6 @@ with types; default = false; }; - kernelModules = mkOption { - type = listOf str; - default = [ ]; - description = - "lspci -v will tell you which kernel module is used for the ethernet interface"; - }; - - ssh.enable = lib.mkOption { - type = lib.types.bool; - default = config.components.nixos.boot.enable; - }; - tor.enable = lib.mkOption { type = lib.types.bool; default = config.components.nixos.boot.ssh.enable; @@ -107,31 +95,6 @@ with types; }) - # ssh part - # -------- - (mkIf (config.components.nixos.boot.ssh.enable) { - - # boot - boot.initrd.systemd.enable = true; - boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}"; - - # network - boot.initrd.systemd.network.enable = true; - boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules; - - # ssh - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { - enable = true; - #authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ; - #authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles; - port = 2222; - hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys; - }; - - - }) - ]; } diff --git a/components/nixos/default.nix b/components/nixos/default.nix index 7da3461..838850e 100644 --- a/components/nixos/default.nix +++ b/components/nixos/default.nix @@ -2,7 +2,7 @@ { imports = [ ./upgrade-diff.nix - ./tor-ssh.nix + ./boot ]; options.components.nixos.enable = lib.mkOption { diff --git a/flake.nix b/flake.nix index c62bc0d..accf7a2 100644 --- a/flake.nix +++ b/flake.nix 
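Review bot: In components/nixos/default.nix `./boot` replaces `./tor-ssh.nix`, but boot/default.nix (added in this patch) imports only `./ssh.nix`, so the renamed components/nixos/boot/tor-ssh.nix is no longer imported anywhere and the Tor unlock path together with the `components.nixos.boot.tor.enable` option silently disappear. Dropping `components.nixos.boot.tor.enable = false;` from machines/chungus and machines/orbi is consistent with that, but if tor-ssh.nix is later re-imported its default (`config.components.nixos.boot.ssh.enable`, visible in the context of the first hunk) would switch the Tor hidden service on for both machines. Either add `./tor-ssh.nix` next to `./ssh.nix` in boot/default.nix and keep the explicit `tor.enable = false;` lines, or delete the file and state the removal in the commit message.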
@@ -246,12 +246,8 @@ # configure nix ({ pkgs, lib, clanLib, ... }: { - nix.settings.substituters = [ - "http://cache.orbi.wg0" - ]; - nix.settings.trusted-public-keys = [ - (clanLib.readFact "nix-serve.pub" "orbi") - ]; + #nix.settings.substituters = [ "http://cache.orbi.wg0" ]; + #nix.settings.trusted-public-keys = [ (clanLib.readFact "nix-serve.pub" "orbi") ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.max-jobs = 1; # no channesl needed this way @@ -477,13 +473,15 @@ probe = clanSetup { name = "probe"; - host = "probe.bear"; + #host = "167.235.205.150"; + host = "95.217.18.54"; modules = [ homeManagerModules stylixModules srvos.nixosModules.hardware-hetzner-cloud srvos.nixosModules.server srvos.nixosModules.mixins-terminfo + #inputs.clan-core.clanModules.sshd { home-manager.users.mainUser = import ./homes/palo; home-manager.users.root = import ./homes/root; diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix index 15f8445..fab3704 100644 --- a/machines/chungus/configuration.nix +++ b/machines/chungus/configuration.nix @@ -59,8 +59,7 @@ components.terminal.enable = true; components.nixos.boot.enable = true; - components.nixos.boot.kernelModules = [ "e1000e" ]; - components.nixos.boot.tor.enable = false; + components.nixos.boot.ssh.kernelModules = [ "e1000e" ]; components.monitor.enable = true; components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317"; diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix index 6e26d38..237ce3d 100644 --- a/machines/orbi/configuration.nix +++ b/machines/orbi/configuration.nix @@ -54,7 +54,6 @@ components.network.sshd.sshguard.enable = false; components.nixos.boot.enable = true; - components.nixos.boot.tor.enable = false; components.monitor.enable = true; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; diff --git a/machines/probe/configuration.nix b/machines/probe/configuration.nix index 2ada334..48ae5c8 100644 
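Review bot: Both flake.nix hunks replace configuration with commented-out code instead of removing it: `#nix.settings.substituters = [ "http://cache.orbi.wg0" ];` and `#nix.settings.trusted-public-keys = [ ... ];` in the first, `#host = "167.235.205.150";` and `#inputs.clan-core.clanModules.sshd` in the second. None of them says why, so a reader cannot tell whether the orbi cache is temporarily unreachable or retired, or whether the old address is still in use. Either delete the lines or replace each with a one-line reason, e.g. `# orbi binary cache disabled: <reason> — TODO re-enable`. Switching `host` from `probe.bear` to the bare address `95.217.18.54` also deserves a comment, since the deploy target is now pinned by IP rather than by a name the rest of the flake uses.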
--- a/machines/probe/configuration.nix +++ b/machines/probe/configuration.nix @@ -10,8 +10,11 @@ components.mainUser.enable = true; components.network.enable = true; + components.nixos.boot.enable = true; + components.nixos.boot.ssh.enable = true; + networking.hostName = "probe"; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ]; - users.users.root.initialPassword = "admin"; + #users.users.root.initialPassword = "admin"; } diff --git a/machines/probe/facts/ssh.boot.id_ed25519.pub b/machines/probe/facts/ssh.boot.id_ed25519.pub new file mode 100644 index 0000000..85ff279 --- /dev/null +++ b/machines/probe/facts/ssh.boot.id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpSFQ3qd9iXkIxhLdP2ic6pGNPKlyKfQdeMN2IutmE nixbld@cream \ No newline at end of file diff --git a/machines/probe/hardware-configuration/default.nix b/machines/probe/hardware-configuration/default.nix index 0c2cbf0..57ff87b 100644 --- a/machines/probe/hardware-configuration/default.nix +++ b/machines/probe/hardware-configuration/default.nix @@ -1,13 +1,12 @@ { config, factsGenerator, clanLib, ... }: { imports = [ - ./disko-config.nix + #./disko-config-simple.nix + ./disko-config-encrypted.nix ./hardware-configuration.nix ./hetzner.nix # to more me to components ]; boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!) - - } diff --git a/machines/probe/hardware-configuration/disko-config-encrypted.nix b/machines/probe/hardware-configuration/disko-config-encrypted.nix new file mode 100644 index 0000000..f9d82ff --- /dev/null +++ b/machines/probe/hardware-configuration/disko-config-encrypted.nix 
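Review bot: `#users.users.root.initialPassword = "admin";` keeps a weak default root password one uncomment away; delete the line rather than commenting it out, and if a fallback root login is still needed, reference the (also commented) hashed-password fact in boot/ssh.nix with a `# TODO:`. `components.nixos.boot.ssh.enable = true;` is redundant with its default (`config.components.nixos.boot.enable`, set on the line above) — harmless, but either drop it or comment that it is deliberate. A comment on `users.users.root.openssh.authorizedKeys.keys` is worth adding: with boot.ssh enabled, ssh.nix feeds the same list into `boot.initrd.network.ssh.authorizedKeys`, so any key added here also gains initrd access on port 2222 before the disk is unlocked, not just post-boot root login.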
@@ -0,0 +1,44 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "root";
+ settings.allowDiscards = true;
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/probe/hardware-configuration/disko-config.nix b/machines/probe/hardware-configuration/disko-config-simple.nix
similarity index 100%
rename from machines/probe/hardware-configuration/disko-config.nix
rename to machines/probe/hardware-configuration/disko-config-simple.nix
diff --git a/machines/probe/hardware-configuration/hetzner.nix b/machines/probe/hardware-configuration/hetzner.nix
index a42575c..92616e8 100644
--- a/machines/probe/hardware-configuration/hetzner.nix
+++ b/machines/probe/hardware-configuration/hetzner.nix
@@ -1,12 +1,22 @@ +{ config, ... }: { + + # set up hetzner cloud network systemd.network.enable = true; - systemd.network.networks."10-private-hetzner" = { + systemd.network.networks."10-hetzner" = { matchConfig.Name = "en*"; networkConfig.DHCP = "ipv4"; linkConfig.RequiredForOnline = "routable"; }; + + # set up hetzner cloud network during init + boot.initrd.systemd.network.networks."10-hetzner" = config.systemd.network.networks."10-hetzner"; + boot.initrd.availableKernelModules = [ "virtio_pci" ]; # network kernel module + + # set up hetzner boot loader boot.loader.grub = { efiSupport = true; efiInstallAsRemovable = true; }; + }
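Review bot: The header `# Example to create a bios compatible gpt partition` is the copied disko example text and no longer describes this file; replace it with the actual layout, e.g. `# probe: 1M BIOS boot (EF02) + 500M unencrypted ESP on /boot + LUKS root (ext4); the initrd carrying the boot-stage ssh host key lives on the ESP`. `settings.allowDiscards = true;` on the LUKS container is a real trade-off — TRIM passes through and reveals which blocks are unused, weakening what the encryption hides about filesystem usage — so it should carry a comment that it was chosen for SSD performance, or be dropped if not needed. The `luks` content sets neither `passwordFile` nor `keyFile`, so how the initial passphrase is supplied at format time is left to disko's defaults; state the intent next to `type = "luks";` if interactive prompting is what is wanted.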
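Review bot: `boot.initrd.availableKernelModules = [ "virtio_pci" ]; # network kernel module` names the virtio PCI transport, not a NIC driver; Hetzner cloud VMs typically use a virtio NIC driven by `virtio_net`, so unless `srvos.nixosModules.hardware-hetzner-cloud` (imported for probe in flake.nix) already adds it, the initrd may come up without a usable interface and the unlock sshd on port 2222 would never be reachable. After checking the built initrd, consider `boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ]; # NIC driver + its virtio transport, needed for the initrd unlock sshd`. Reusing `systemd.network.networks."10-hetzner"` for `boot.initrd.systemd.network.networks` is reasonable, but `linkConfig.RequiredForOnline = "routable"` then applies in the initrd too; a short comment that both stages intentionally share the unit would help the next reader.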