orbi works now
This commit is contained in:
parent
049d9206d6
commit
eea11b2589
7 changed files with 64 additions and 64 deletions
|
@ -5,8 +5,8 @@
|
||||||
../../system/server
|
../../system/server
|
||||||
../../components
|
../../components
|
||||||
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration
|
||||||
./disko-config.nix
|
|
||||||
./disko-syncoid.nix
|
./disko-syncoid.nix
|
||||||
./packages.nix
|
./packages.nix
|
||||||
|
|
||||||
|
@ -70,14 +70,6 @@
|
||||||
|
|
||||||
services.printing.enable = false;
|
services.printing.enable = false;
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
|
||||||
|
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
|
||||||
# head -c4 /dev/urandom | od -A none -t x4
|
|
||||||
networking.hostId = "e439b116";
|
|
||||||
services.zfs.autoSnapshot.enable = true;
|
|
||||||
|
|
||||||
#virtualisation.containers.storage.settings = {
|
#virtualisation.containers.storage.settings = {
|
||||||
# # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver
|
# # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver
|
||||||
|
@ -91,13 +83,6 @@
|
||||||
|
|
||||||
users.users.root.shell = pkgs.zsh;
|
users.users.root.shell = pkgs.zsh;
|
||||||
|
|
||||||
# todo : rename to component.init.ssh
|
|
||||||
# todo : make tor optional
|
|
||||||
configuration.init-ssh = {
|
|
||||||
enable = "enabled";
|
|
||||||
kernelModules = [ "e1000e" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
hardware.opengl = {
|
hardware.opengl = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraPackages = with pkgs; [
|
extraPackages = with pkgs; [
|
||||||
|
|
24
nixos/machines/chungus/hardware-configuration/default.nix
Normal file
24
nixos/machines/chungus/hardware-configuration/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./disko-config.nix
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# todo : rename to component.init.ssh
|
||||||
|
# todo : make tor optional
|
||||||
|
configuration.init-ssh = {
|
||||||
|
enable = "enabled";
|
||||||
|
kernelModules = [ "e1000e" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||||
|
|
||||||
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
|
# head -c4 /dev/urandom | od -A none -t x4
|
||||||
|
networking.hostId = "e439b116";
|
||||||
|
services.zfs.autoSnapshot.enable = true;
|
||||||
|
|
||||||
|
}
|
|
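Review bot: `enable = "enabled";` inside the new `configuration.init-ssh` block is a string where NixOS convention for an `enable` option is a boolean; if that option is declared as `types.bool` evaluation will fail, and if it is a custom enum the accepted values are not documented anywhere near this use, so a comment such as `enable = "enabled"; # accepted values: see the init-ssh module (<module path placeholder>)` would save the next reader a lookup. The file lives under `hardware-configuration/` but now carries boot-loader, ZFS host-id and initrd-SSH policy moved out of configuration.nix; a one-line header comment stating that this directory holds everything boot/hardware-specific for chungus, including the initrd SSH unlock, would make that placement deliberate rather than surprising. The two `todo` lines are carried over verbatim from the old location; if they are still open, referencing an issue id placeholder in them keeps them from going stale.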
@ -70,11 +70,6 @@
|
||||||
|
|
||||||
services.smartd.enable = true;
|
services.smartd.enable = true;
|
||||||
|
|
||||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
|
||||||
|
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
|
||||||
# head -c4 /dev/urandom | od -A none -t x4
|
|
||||||
networking.hostId = "5bb982a6";
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,10 +34,6 @@ in
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = [
|
|
||||||
pkgs.mosh
|
|
||||||
];
|
|
||||||
|
|
||||||
# Use GRUB2 as the boot loader.
|
# Use GRUB2 as the boot loader.
|
||||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||||
boot.loader.grub = {
|
boot.loader.grub = {
|
||||||
|
@ -50,6 +46,7 @@ in
|
||||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
services.openssh.settings.PasswordAuthentication = false;
|
||||||
|
|
||||||
|
# todo : move this to the flake, this is always true
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa 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"
|
"ssh-rsa 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"
|
||||||
];
|
];
|
||||||
|
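Review bot: The added `# todo : move this to the flake, this is always true` does not say what "this" refers to, so the todo is not actionable from the hunk alone. Presumably it means the root `authorizedKeys.keys` list is identical on every machine and should be defined once in the flake; if so, `# todo : define the root authorized_keys list once in the flake; it is the same on every machine` says that directly. Since this list is the only thing that grants root access with `PermitRootLogin = "prohibit-password"`, centralising it would also make key rotation a single-place change.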
@ -57,28 +54,14 @@ in
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.sshguard.enable = true;
|
services.sshguard.enable = true;
|
||||||
|
|
||||||
|
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||||
|
|
||||||
# enable ssh on init
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
# ------------------
|
# head -c4 /dev/urandom | od -A none -t x4
|
||||||
|
networking.hostId = "5bb982a6";
|
||||||
|
|
||||||
#boot.kernelParams = [
|
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
|
||||||
# # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
|
|
||||||
# # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
|
|
||||||
# # The server ip refers to the NFS server -- we don't need it.
|
|
||||||
# "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
|
|
||||||
#];
|
|
||||||
|
|
||||||
# luks unlock zeug
|
|
||||||
#boot.initrd.systemd.services.openssh = {
|
|
||||||
# enable = true;
|
|
||||||
#};
|
|
||||||
#unlock_root(){
|
|
||||||
# pw=$(rbw get 'zfs encryption')
|
|
||||||
# ssh root@eve.i -p 2222 "echo ${pw} | systemd-tty-ask-password-agent"
|
|
||||||
#}
|
|
||||||
#boot.initrd.systemd.users.root.shell = "/bin/cryptsetup-askpass";
|
|
||||||
|
|
||||||
#boot.kernelParams = [ "ip=dhcp" ];
|
|
||||||
boot.initrd.kernelModules = [ networkInterfaceModule ];
|
boot.initrd.kernelModules = [ networkInterfaceModule ];
|
||||||
boot.initrd.network = {
|
boot.initrd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -95,14 +78,27 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
|
# enable ssh on init
|
||||||
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
|
# ==================
|
||||||
|
|
||||||
|
|
||||||
|
# No SystemD at boot
|
||||||
|
# ------------------
|
||||||
|
#boot.kernelParams = [
|
||||||
|
# # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
|
||||||
|
# # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
|
||||||
|
# # The server ip refers to the NFS server -- we don't need it.
|
||||||
|
# "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
|
||||||
|
#];
|
||||||
|
#boot.initrd.systemd.enable = false;
|
||||||
|
#boot.kernelParams = [ "ip=dhcp" ];
|
||||||
|
#boot.initrd.network.ssh.shell = "/bin/cryptsetup-askpass";
|
||||||
|
#boot.initrd.luks.reusePassphrases = true;
|
||||||
|
|
||||||
|
# SystemD at boot
|
||||||
|
# ---------------
|
||||||
boot.initrd.systemd.enable = true;
|
boot.initrd.systemd.enable = true;
|
||||||
|
#boot.initrd.systemd.services.openssh.enable = true;
|
||||||
# root shell if not booting (usefull for debugging)
|
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
|
||||||
boot.initrd.systemd.emergencyAccess = false;
|
|
||||||
|
|
||||||
# playing around with stuff
|
|
||||||
# boot.initrd.luks.reusePassphrases = true;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
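Review bot: The old side's `boot.initrd.systemd.emergencyAccess = false;` (together with its `# root shell if not booting` comment) is dropped on the new side without a replacement, while the initrd now has networking and SSH enabled via `boot.initrd.network` and the copied `"10-uplink"` unit. If the module default is `false` the effective behaviour is unchanged, but the explicit opt-out and its reasoning are gone; I would keep it, e.g. `boot.initrd.systemd.emergencyAccess = false; # no unauthenticated emergency shell in the initrd if unlock or boot fails`. The new "No SystemD at boot" block is entirely commented-out configuration (`#boot.kernelParams`, `#boot.initrd.network.ssh.shell`, `#boot.initrd.luks.reusePassphrases`); if it is meant as documentation of the alternative setup, a single sentence saying so and pointing to where it was last known to work is clearer than a dozen dead lines.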
@ -1,7 +1,4 @@
|
||||||
# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
|
# nix run github:nix-community/nixos-anywhere -- --copy-host-keys --disk-encryption-keys /run/secret.key /home/palo/orbi/run/secret.key --flake .#orbi root@95.216.66.212
|
||||||
# nixos-generate-config --no-filesystems --root /mnt
|
|
||||||
# vim /mnt/configuration.nix
|
|
||||||
# nixos-install
|
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
let
|
||||||
disks = [ "sda" "sdb" ];
|
disks = [ "sda" "sdb" ];
|
||||||
|
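Review bot: The replacement header comment embeds the target's public address and the deployer's home path for the LUKS key file (`/home/palo/orbi/run/secret.key`), which ties the committed file to one operator and one host. Writing it as `# nix run github:nix-community/nixos-anywhere -- --copy-host-keys --disk-encryption-keys /run/secret.key <local-key-file> --flake .#orbi root@<target>` keeps the instructions reusable without recording either value. If that `run/` directory sits inside the repository checkout, it is worth confirming it is git-ignored, since the file is the plaintext LUKS passphrase for both disks.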
@ -38,11 +35,12 @@ in
|
||||||
content = {
|
content = {
|
||||||
type = "luks";
|
type = "luks";
|
||||||
name = "root_${disk}";
|
name = "root_${disk}";
|
||||||
settings = {
|
|
||||||
# if you want to use the key for interactive login be sure there is no trailing newline
|
# if you want to use the key for interactive login be sure there is no trailing newline
|
||||||
# for example use `echo -n "password" > /run/secret.key`
|
# for example use `echo -n "password" > /run/secret.key`
|
||||||
|
# for example use `pass show hetzner/orbi/master_password | head -c -1 > /run/secret.key`
|
||||||
# or use nixos-anywhere --disk-encryption-keys /run/secret.key <local-path>
|
# or use nixos-anywhere --disk-encryption-keys /run/secret.key <local-path>
|
||||||
keyFile = "/run/secret.key";
|
passwordFile = "/run/secret.key";
|
||||||
|
settings = {
|
||||||
allowDiscards = true;
|
allowDiscards = true;
|
||||||
};
|
};
|
||||||
content = {
|
content = {
|
||||||
|
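Review bot: Switching `keyFile` to `passwordFile` changes what `/run/secret.key` is used for: in disko, `passwordFile` is read at format time as the LUKS passphrase, whereas `keyFile` additionally wires the file into the initrd for unattended unlock, so after this change the initrd will prompt for the passphrase, which is presumably the intent given the initrd SSH setup in the other file; a short comment stating that, e.g. `passwordFile = "/run/secret.key"; # format-time passphrase only; unlock at boot is interactive via initrd ssh`, would make the switch self-explanatory. The same path and the same four-line comment block are now duplicated for the `root_${disk}` container here and the media container in the following hunk (`@ -56,10 +54,12 @@`), so both volumes share one passphrase and the comments can drift; binding `luksPasswordFile = "/run/secret.key";` once in the `let` block and referencing it in both places keeps that fact visible in one spot. The comment about `head -c -1` stripping the trailing newline is correct for `passwordFile`, since the file content is used verbatim as the passphrase.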
@ -56,10 +54,12 @@ in
|
||||||
size = "100%";
|
size = "100%";
|
||||||
content = {
|
content = {
|
||||||
type = "luks";
|
type = "luks";
|
||||||
settings = {
|
|
||||||
# if you want to use the key for interactive login be sure there is no trailing newline
|
# if you want to use the key for interactive login be sure there is no trailing newline
|
||||||
# for example use `echo -n "password" > /run/secret.key`
|
# for example use `echo -n "password" > /run/secret.key`
|
||||||
keyFile = "/run/secret.key";
|
# for example use `pass show hetzner/orbi/master_password | head -c -1 > /run/secret.key`
|
||||||
|
# or use nixos-anywhere --disk-encryption-keys /run/secret.key <local-path>
|
||||||
|
passwordFile = "/run/secret.key";
|
||||||
|
settings = {
|
||||||
allowDiscards = true;
|
allowDiscards = true;
|
||||||
};
|
};
|
||||||
name = "media_${disk}";
|
name = "media_${disk}";
|
||||||
|
|