Compare commits

..

No commits in common. "0e3e67554a03b7d0f10fa597b837b9cb9cd80cd3" and "70b76d149ac2cca9913fc4b0c1eadef44c6b668f" have entirely different histories.

11 changed files with 423 additions and 79 deletions

View file

@ -8,6 +8,7 @@
with lib; with lib;
with types; with types;
let let
defaultRootKeyFiles = [ "${assets}/mrvandalo_rsa.pub" ];
cfg = config.components.network.sshd; cfg = config.components.network.sshd;
# maybe ascii-image-converter is also nice here # maybe ascii-image-converter is also nice here
@ -29,6 +30,11 @@ in
type = bool; type = bool;
default = true; default = true;
}; };
rootKeyFiles = mkOption {
type = with types; listOf path;
default = [ ];
description = "keys to root login";
};
onlyTincAccess = mkOption { onlyTincAccess = mkOption {
type = bool; type = bool;
default = false; default = false;
@ -58,13 +64,14 @@ in
# settings.LoginGraceTime = 0; # settings.LoginGraceTime = 0;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
# todo enable again when I can it's possible to set the `-q` ssh option in clan # todo enable again when I can it's possible to set the `-q` ssh option in clan
#services.openssh.banner = builtins.readFile sshBanner; #services.openssh.banner = builtins.readFile sshBanner;
}) })
(mkIf (cfg.onlyTincAccess && cfg.enable) { (mkIf (cfg.onlyTincAccess && cfg.enable) {
# fixme: this is not working
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
''; '';

View file

@ -224,11 +224,18 @@
]; ];
}; };
defaultAuthorizedKeys = defaultModules = [
# make flake inputs accessiable in NixOS
{
_module.args.self = self;
_module.args.inputs = self.inputs;
}
# ssh keys
(
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
# yubikey key # master key
./assets/mrvandalo_rsa.pub ./assets/mrvandalo_rsa.pub
# backup key # backup key
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub" "${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
@ -236,14 +243,8 @@
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub" "${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub"
]; ];
environment.systemPackages = [ pkgs.borgbackup ]; environment.systemPackages = [ pkgs.borgbackup ];
};
defaultModules = [
# make flake inputs accessiable in NixOS
{
_module.args.self = self;
_module.args.inputs = self.inputs;
} }
)
{ {
# disable emergency mode everywhere, although it might be needed on laptops # disable emergency mode everywhere, although it might be needed on laptops
boot.initrd.systemd.emergencyAccess = false; boot.initrd.systemd.emergencyAccess = false;
@ -408,7 +409,6 @@
name = "cream"; name = "cream";
host = "cream.bear"; host = "cream.bear";
modules = [ modules = [
defaultAuthorizedKeys
zerotierModules zerotierModules
nixos-hardware.nixosModules.framework-12th-gen-intel nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
@ -445,12 +445,6 @@
{ {
clan.core.machineDescription = "Laptop"; clan.core.machineDescription = "Laptop";
} }
{
users.users.root.openssh.authorizedKeys.keyFiles = [
# yubikey key
./assets/mrvandalo_rsa.pub
];
}
]; ];
}; };
@ -472,15 +466,6 @@
{ {
clan.core.machineDescription = "Home Server"; clan.core.machineDescription = "Home Server";
} }
(
{ config, ... }:
{
# keys only to access chungus
users.users.root.openssh.authorizedKeys.keyFiles = [
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.chungus.id_ed25519.pub"
];
}
)
]; ];
}; };
@ -489,7 +474,6 @@
host = "orbi.bear"; host = "orbi.bear";
#host = "95.216.66.212"; #host = "95.216.66.212";
modules = [ modules = [
defaultAuthorizedKeys
healthchecks.nixosModules.default healthchecks.nixosModules.default
homeManagerModules homeManagerModules
stylixModules stylixModules
@ -512,7 +496,6 @@
#host = "167.235.205.150"; #host = "167.235.205.150";
host = "95.217.18.54"; host = "95.217.18.54";
modules = [ modules = [
defaultAuthorizedKeys
homeManagerModules homeManagerModules
stylixModules stylixModules
srvos.nixosModules.hardware-hetzner-cloud srvos.nixosModules.hardware-hetzner-cloud
@ -534,7 +517,6 @@
#host = "usbstick.bear"; #host = "usbstick.bear";
host = "10.100.0.100"; host = "10.100.0.100";
modules = [ modules = [
defaultAuthorizedKeys
homeManagerModules homeManagerModules
stylixModules stylixModules
zerotierModules zerotierModules

View file

@ -20,8 +20,6 @@
./37c3.nix ./37c3.nix
./topology.nix ./topology.nix
./ssh.nix
]; ];
#time.timeZone = lib.mkForce "Asia/Bangkok"; #time.timeZone = lib.mkForce "Asia/Bangkok";

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhrmPLOY18azllQEsK+je42aaqnpHm0k3f0bjQEnQXW palo@cherry

View file

@ -1,39 +0,0 @@
{ config, factsGenerator, ... }:
{
# Defines the root SSH key to be used exclusively for accessing the backup server.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the backup server.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks = {
"chungus.bear" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.private" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.wg0" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
};
}

View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5cHogtLN70T5g7b30r2RR4l6TEFB4t8O8FZ+NMUTfj paperless@chungus ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5cHogtLN70T5g7b30r2RR4l6TEFB4t8O8FZ+NMUTfj nixbld@cherry

View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcZBnx2h1cOlpHImuYhOu08gUdchzbKwbmOMUd54f3 rbackup@chungus ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcZBnx2h1cOlpHImuYhOu08gUdchzbKwbmOMUd54f3 nixbld@cream

View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHGxMlaCoAyD/lIYAxEts7vyWYJ7ut4P9Cjw7mvAPiL syncoid@chungus ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHGxMlaCoAyD/lIYAxEts7vyWYJ7ut4P9Cjw7mvAPiL nixbld@cream

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrdJ4EXJ0HeZXTb4AzRKQeAORBWwcawOxj4EJhV62De nixbld@cherry

View file

@ -28,8 +28,24 @@
# Set your time zone. # Set your time zone.
#time.timeZone = "Europe/Berlin"; #time.timeZone = "Europe/Berlin";
#environment.systemPackages = with pkgs; [
# vim
# wget
# htop
# silver-searcher
#];
#environment.extraInit = ''
# # use vi shortcuts
# # ----------------
# set -o vi
# EDITOR=vim
#'';
services.openssh.enable = true; services.openssh.enable = true;
#users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave

View file

@ -0,0 +1,380 @@
#!/usr/bin/env bash
# Adepted from :
# * https://mazzo.li/posts/hetzner-zfs.html
# * https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Online
# Installs NixOS on a Hetzner server, wiping the server.
#
# This is for a specific server configuration; adjust where needed.
#
# Prerequisites:
# * Update the script wherever FIXME is present
#
# Usage:
# ssh root@YOUR_SERVERS_IP bash -s < hetzner-dedicated-wipe-and-install-nixos.sh
#
# When the script is done, make sure to boot the server from HD, not rescue mode again.
# Explanations:
#
# * Adapted from https://gist.github.com/nh2/78d1c65e33806e7728622dbe748c2b6a
# * Following largely https://nixos.org/nixos/manual/index.html#sec-installing-from-other-distro.
# * **Important:** We boot in legacy-BIOS mode, not UEFI, because that's what Hetzner uses.
# * NVMe devices aren't supported for booting (those require EFI boot)
# * We set a custom `configuration.nix` so that we can connect to the machine afterwards,
# inspired by https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Online
# * This server has 2 HDDs.
# We encrypt all hard drives and put an LVM on it the main logical volume is mirrored
# Storage scheme: `partitions -> dm-crypt -> LVM -> ext4`.
#
# ┌────────┐ ┌────────┐
# │ sda1 │ ◄──── grub ─────► │ sdb1 │
# ├────────┤ ├────────┤
# │ sda2 │ ◄──── /boot ─────► │ sdb2 │
# ├────────┤ ├────────┤
# │ sda3 ├───┐ ┌───┤ sdb3 │
# └────────┘ │ │ └────────┘
# │ │
# ┌────────────▼┐ ┌▼────────────┐
# │ a_encrypted │ │ b_encrypted │
# └────────┬────┘ └────┬────────┘
# │ ┌──────────┐ │
# └─────► LVM vg ◄─────┘
# └────┬─────┘
# │
# ┌─────────────▼──────────────┐
# │ root (mirrored/raid1) │
# ├────────────────────────────┤
# │ nextcloud (mirrored/raid1) │
# ├────────────────────────────┤
# │ media (raid0) │
# └────────────────────────────┘
# * A root user with empty password is created, so that you can just login
# as root and press enter when using the Hetzner spider KVM.
# Of course that empty-password login isn't exposed to the Internet.
# Change the password afterwards to avoid anyone with physical access
# being able to login without any authentication.
# * The script reboots at the end.
# * does not use uefi (check if you can : efibootmgr)
#
# FIXME : change password
MAIN_PASSWORD="YOLO"
set -eu
set -o pipefail
set -x
# Inspect existing disks
lsblk
# Cleanup
# -------
# Undo existing setups to allow running the script multiple times to iterate on it.
# We allow these operations to fail for the case the script runs the first time.
set +e
umount /mnt/boot-{1,2}
umount /mnt
vgchange -an
cryptsetup close a_encrypted
cryptsetup close b_encrypted
set -e
# Stop all mdadm arrays that the boot may have activated.
mdadm --stop --scan
# Create partition tables (--script to not ask)
# ---------------------------------------------
format() {
parted --script "$1" -- mklabel gpt
parted --script "$1" -- mkpart 'BIOS-boot-partition' 1MB 2MB set 1 bios_grub on
#parted --script "$1" -- mkpart 'boot' 2MB 512MiB
#parted --script "$1" -- mkpart ESP fat32 2MB 512MiB
parted --script "$1" -- mkpart 'boot' fat32 2MB 512MiB set 2 boot on
parted --script "$1" -- mkpart primary 512MiB 100%
parted --script "$1" -- print
}
# In this particular machine we have two NVMe disks
format /dev/sda
format /dev/sdb
# Relaod partitions
partprobe
# Wait for all devices to exist
udevadm settle --timeout=5 --exit-if-exists=/dev/sda1
udevadm settle --timeout=5 --exit-if-exists=/dev/sda2
udevadm settle --timeout=5 --exit-if-exists=/dev/sda3
udevadm settle --timeout=5 --exit-if-exists=/dev/sdb1
udevadm settle --timeout=5 --exit-if-exists=/dev/sdb2
udevadm settle --timeout=5 --exit-if-exists=/dev/sdb3
# Disable RAID recovery. We don't want this to slow down machine provisioning
# in the rescue mode. It can run in normal operation after reboot.
echo 0 > /proc/sys/dev/raid/speed_limit_max
# LVM
encrypt() {
device=$1
label=$2
echo -n "$MAIN_PASSWORD" | cryptsetup luksFormat ${device}3 -
echo -n "$MAIN_PASSWORD" | cryptsetup --key-file - open --type luks ${device}3 ${label}_encrypted
}
encrypt /dev/sda "a"
encrypt /dev/sdb "b"
# /boot partitions
# ----------------
mkfs.fat -F 32 -n boot /dev/sda2
mkfs.fat -F 32 -n boot /dev/sdb2
# PVs
pvcreate /dev/mapper/a_encrypted
pvcreate /dev/mapper/b_encrypted
# VGs
vgcreate vg /dev/mapper/a_encrypted /dev/mapper/b_encrypted
# LVs (--yes to automatically wipe detected file system signatures)
# the root partition should be raid1
lvcreate --mirrors 1 --type raid1 -L 150G -n root vg
# Filesystems (-F to not ask on preexisting FS)
mkfs.ext4 -F -L root /dev/mapper/vg-root
# Creating file systems changes their UUIDs.
# Trigger udev so that the entries in /dev/disk/by-uuid get refreshed.
# `nixos-generate-config` depends on those being up-to-date.
# See https://github.com/NixOS/nixpkgs/issues/62444
udevadm trigger
# Wait for FS labels to appear
udevadm settle --timeout=5 --exit-if-exists=/dev/disk/by-label/root
# NixOS pre-installation mounts
# -----------------------------
# Mount target root partition
mount /dev/disk/by-label/root /mnt
mkdir -p /mnt/boot-{1,2}
modprobe vfat
mount /dev/sda2 /mnt/boot-1
mount /dev/sdb2 /mnt/boot-2
# Installing nix
# --------------
# Installing nix requires `sudo`; the Hetzner rescue mode doesn't have it.
apt-get install -y sudo
# Allow installing nix as root, see
# https://github.com/NixOS/nix/issues/936#issuecomment-475795730
mkdir -p /etc/nix
echo "build-users-group =" > /etc/nix/nix.conf
curl -L https://nixos.org/nix/install | sh
set +u +x # sourcing this may refer to unset variables that we have no control over
. $HOME/.nix-profile/etc/profile.d/nix.sh
set -u -x
# FIXME Keep in sync with `system.stateVersion` set below!
nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs
nix-channel --update
# Getting NixOS installation tools
nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"
nixos-generate-config --root /mnt
# Detect
# ------
# Find the name of the network interface that connects us to the Internet.
# Inspired by https://unix.stackexchange.com/questions/14961/how-to-find-out-which-interface-am-i-using-for-connecting-to-the-internet/302613#302613
RESCUE_INTERFACE=$(ip route get 8.8.8.8 | grep -Po '(?<=dev )(\S+)')
# Find what its name will be under NixOS, which uses stable interface names.
# See https://major.io/2015/08/21/understanding-systemds-predictable-network-device-names/#comment-545626
# NICs for most Hetzner servers are not onboard, which is why we use
# `ID_NET_NAME_PATH`otherwise it would be `ID_NET_NAME_ONBOARD`.
INTERFACE_DEVICE_PATH=$(udevadm info -e | grep -Po "(?<=^P: )(.*${RESCUE_INTERFACE})")
UDEVADM_PROPERTIES_FOR_INTERFACE=$(udevadm info --query=property "--path=$INTERFACE_DEVICE_PATH")
NIXOS_INTERFACE=$(echo "$UDEVADM_PROPERTIES_FOR_INTERFACE" | grep -o -E 'ID_NET_NAME_PATH=\w+' | cut -d= -f2)
echo "Determined NIXOS_INTERFACE as '$NIXOS_INTERFACE'"
#NIXOS_INTERFACE='eth0'
IP_V4=$(ip route get 8.8.8.8 | grep -Po '(?<=src )(\S+)')
echo "Determined IP_V4 as $IP_V4"
# Determine Internet IPv6 by checking route, and using ::1
# (because Hetzner rescue mode uses ::2 by default).
# The `ip -6 route get` output on Hetzner looks like:
# # ip -6 route get 2001:4860:4860:0:0:0:0:8888
# 2001:4860:4860::8888 via fe80::1 dev eth0 src 2a01:4f8:151:62aa::2 metric 1024 pref medium
IP_V6="$(ip route get 2001:4860:4860:0:0:0:0:8888 | head -1 | cut -d' ' -f7 | cut -d: -f1-4)::1"
echo "Determined IP_V6 as $IP_V6"
# From https://stackoverflow.com/questions/1204629/how-do-i-get-the-default-gateway-in-linux-given-the-destination/15973156#15973156
read _ _ DEFAULT_GATEWAY _ < <(ip route list match 0/0); echo "$DEFAULT_GATEWAY"
echo "Determined DEFAULT_GATEWAY as $DEFAULT_GATEWAY"
# Generate `configuration.nix`. Note that we splice in shell variables.
cat > /mnt/etc/nixos/configuration.nix <<EOF
{ config, pkgs, modulesPath, lib, ... }:
let
hostName = "hetzner";
# FIXME configure network driver
# in rescue
# apt install -y lshw
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
networkInterfaceModule = "r8169";
networkInterface = "$NIXOS_INTERFACE";
# From the Hetzner control panel
ipv4 = {
address = "$IP_V4"; # the ip address
gateway = "$DEFAULT_GATEWAY"; # the gateway ip address
netmask = "255.255.255.224"; # the netmask -- might not be the same for you!
prefixLength = 27; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
};
ipv6 = {
address = "$IP_V6"; # the ipv6 addres
gateway = "fe80::1"; # the ipv6 gateway
prefixLength = 64; # shown in the control panel
};
in
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# needed lvm for raid
boot.initrd.kernelModules = [
"dm-snapshot"
"dm_mirror"
"dm_raid"
"dm_region_hash"
];
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
version = 2;
};
# This will mirror all UEFI files, kernels, grub menus and
# things needed to boot to the other drive.
boot.loader.grub.mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/sda" ]; }
{ path = "/boot-2"; devices = [ "/dev/sdb" ]; }
];
# We want to still be able to boot without one of these
fileSystems."/boot-1".options = [ "nofail" ];
fileSystems."/boot-2".options = [ "nofail" ];
boot.initrd.luks.reusePassphrases = true;
boot.initrd.luks.devices = {
a_encrypted = {
device = "/dev/sda3";
preLVM = true;
};
b_encrypted = {
device = "/dev/sdb3";
preLVM = true;
};
};
networking.hostName = hostName;
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces.\${networkInterface} = {
ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
};
networking.defaultGateway = ipv4.gateway;
networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
networking.nameservers = [ "8.8.8.8" ];
# Initial empty root password for easy login:
users.users.root.initialHashedPassword = "";
services.openssh.permitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keys = [
# FIXME : add ssh key
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
services.openssh.enable = true;
system.stateVersion = "21.05";
# enable ssh on init
# ------------------
boot.kernelParams = [
# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
# The server ip refers to the NFS server -- we don't need it.
"ip=\${ipv4.address}::\${ipv4.gateway}:\${ipv4.netmask}:\${hostName}-initrd:\${networkInterface}:off:8.8.8.8"
];
boot.initrd.availableKernelModules = [ networkInterfaceModule ];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
port = 22;
hostKeys = [
/etc/secrets/initrd/ssh_host_rsa_key
/etc/secrets/initrd/ssh_host_ed25519_key
];
};
}
EOF
mkdir -p /mnt/etc/secrets/initrd/
ssh-keygen -t rsa -N "" -f /mnt/etc/secrets/initrd/ssh_host_rsa_key
ssh-keygen -t ed25519 -N "" -f /mnt/etc/secrets/initrd/ssh_host_ed25519_key
# Install NixOS
#PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --no-root-passwd --root /mnt --max-jobs 40
PATH="$PATH" $( which nixos-install` --no-root-passwd --root /mnt --max-jobs 40 )
umount /mnt/boot-{1,2}
umount /mnt
echo "Determined NIXOS_INTERFACE as '$NIXOS_INTERFACE'"
echo "Determined IP_V4 as $IP_V4"
echo "Determined IP_V6 as $IP_V6"
echo "Determined DEFAULT_GATEWAY as $DEFAULT_GATEWAY"
reboot