zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:89c507bfaee75f90b97b59e153024a925d23f535
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:kexec_luks2
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

1 Commits
89c507bfae ... kexec_luks

Author SHA1 Message Date
Zuckerberg
b7549e63f5 prototype 2023-04-26 14:46:55 -06:00
30 changed files with 565 additions and 222 deletions
Expand all files Collapse all files

38
.gitea/workflows/check-flake.yaml
View File

@@ -1,38 +0,0 @@
name: Check Flake
on: [push]
env:
DEBIAN_FRONTEND: noninteractive
PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
# defaults:
# run:
# shell: nix shell nixpkgs#nodejs-18_x
jobs:
check-flake:
runs-on: nixos
steps:
# - run: node --version
# - name: Install basic dependencies
# run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
# - name: Install Nix
# uses: https://github.com/cachix/install-nix-action@v20
# with:
# github_access_token: ${{ secrets.__GITHUB_TOKEN }}
- name: Install dependencies
run: nix profile install nixpkgs#nodejs-18_x
- name: Checkout the repository
uses: actions/checkout@v3
with:
fetch-depth: 0
# - name: Get ENV var names
# run: printenv | cut -d'=' -f1
- name: Check Flake
run: nix flake check --show-trace

24
common/auto-update.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, ... }: { config, pkgs, lib, ... }:
# Modify auto-update so that it pulls a flake # Modify auto-update so that it pulls a flake
@@ -6,10 +6,20 @@ let
cfg = config.system.autoUpgrade; cfg = config.system.autoUpgrade;
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable (lib.mkMerge [
system.autoUpgrade = { {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git"; system.autoUpgrade = {
flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
}; flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
};
# dates = "03:40";
# kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
# randomizedDelaySec = "45min";
};
system.autoUpgrade.allowKexec = lib.mkDefault true;
luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
}
]);
} }

17
common/binary-cache.nix
View File

@@ -1,17 +0,0 @@
{ config, lib, ... }:
{
nix = {
settings = {
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
"http://s0.koi-bebop.ts.net:5000"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
];
};
};
}

2
common/boot/default.nix
View File

@@ -5,6 +5,8 @@
./firmware.nix ./firmware.nix
./efi.nix ./efi.nix
./bios.nix ./bios.nix
./kexec-luks.nix
./luks.nix
./remote-luks-unlock.nix ./remote-luks-unlock.nix
]; ];
} }

121
common/boot/kexec-luks.nix Normal file
View File

@@ -0,0 +1,121 @@
# Allows kexec'ing as an alternative to rebooting for machines that
# have luks encrypted partitions that need to be mounted at boot.
# These luks partitions will be automatically unlocked, no password,
# or any interaction needed whatsoever.
# This is accomplished by fetching the luks key(s) while the system is running,
# then building a temporary initrd that contains the luks key(s), and kexec'ing.
{ config, lib, pkgs, ... }:
{
options.luks = {
enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
};
config = lib.mkIf config.luks.enableKexec {
luks.fallbackToPassword = true;
luks.disableKeyring = true;
boot.initrd.luks.devices = lib.listToAttrs
(builtins.map
(item:
{
name = item;
value = {
masterKeyFile = "/etc/${item}.key";
};
})
config.luks.deviceNames);
systemd.services.prepare-luks-kexec-image = {
description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
wantedBy = [ "kexec.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
# based on https://github.com/flowztul/keyexec
script = ''
system=/nix/var/nix/profiles/system
old_initrd=$(readlink -f "$system/initrd")
umask 0077
CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
cleanup() {
shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
rm -rf "$CRYPTROOT_TMPDIR"
}
# trap cleanup INT TERM EXIT
mkdir -p "$CRYPTROOT_TMPDIR"
cd "$CRYPTROOT_TMPDIR"
# Determine the compression type of the initrd image
compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
# Decompress the initrd image based on its compression type
case "$compression" in
gzip)
gunzip -c "$old_initrd" > initrd.cpio
;;
xz)
unxz -c "$old_initrd" > initrd.cpio
;;
zstd)
zstd -d -c "$old_initrd" > initrd.cpio
;;
*)
echo "Unsupported compression type: $compression"
exit 1
;;
esac
# Extract the contents of the cpio archive
mkdir -p initrd_contents
cd initrd_contents
cpio -idv < ../initrd.cpio
# Generate keys and add them to the extracted initrd filesystem
luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
for item in "''${luksDeviceNames[@]}"; do
dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
done
# Add normal initrd secrets too
${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
let source' = if source == null then dest else builtins.toString source; in
''
mkdir -p $(dirname "./${dest}")
cp -a ${source'} "./${dest}"
''
) config.boot.initrd.secrets)
}
# Create a new cpio archive with the modified contents
find . | cpio -o -H newc -v > ../new_initrd.cpio
# Compress the new cpio archive using the original compression type
cd ..
case "$compression" in
gzip)
gunzip -c new_initrd.cpio > new_initrd
;;
xz)
unxz -c new_initrd.cpio > new_initrd
;;
zstd)
zstd -c new_initrd.cpio > new_initrd
;;
esac
kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
'';
};
};
}

74
common/boot/luks.nix Normal file
View File

@@ -0,0 +1,74 @@
# Makes it a little easier to configure luks partitions for boot
# Additionally, this solves a circular dependency between kexec luks
# and NixOS's luks module.
{ config, lib, ... }:
let
cfg = config.luks;
deviceCount = builtins.length cfg.devices;
deviceMap = lib.imap
(i: item: {
device = item;
name =
if deviceCount == 1 then "enc-pv"
else "enc-pv${builtins.toString (i + 1)}";
})
cfg.devices;
in
{
options.luks = {
devices = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
allowDiscards = lib.mkOption {
type = lib.types.bool;
default = true;
};
fallbackToPassword = lib.mkEnableOption
"Fallback to interactive passphrase prompt if the cannot be found.";
disableKeyring = lib.mkEnableOption
"When opening LUKS2 devices, don't use the kernel keyring";
# set automatically, don't touch
deviceNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
};
config = lib.mkMerge [
{
assertions = [
{
assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
message = ''
All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
'';
}
];
}
(lib.mkIf (deviceCount != 0) {
luks.deviceNames = builtins.map (device: device.name) deviceMap;
boot.initrd.luks.devices = lib.listToAttrs (
builtins.map
(item:
{
name = item.name;
value = {
device = item.device;
allowDiscards = cfg.allowDiscards;
fallbackToPassword = cfg.fallbackToPassword;
disableKeyring = cfg.disableKeyring;
};
})
deviceMap);
})
];
}

5
common/boot/remote-luks-unlock.nix
View File

@@ -33,11 +33,6 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# boot.initrd.luks.devices.${cfg.device.name} = {
# device = cfg.device.path;
# allowDiscards = cfg.device.allowDiscards;
# };
# Unlock LUKS disk over ssh # Unlock LUKS disk over ssh
boot.initrd.network.enable = true; boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules; boot.initrd.kernelModules = cfg.kernelModules;

2
common/default.nix
View File

@@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./backups.nix ./backups.nix
./binary-cache.nix
./flakes.nix ./flakes.nix
./auto-update.nix ./auto-update.nix
./shell.nix ./shell.nix
@@ -12,7 +11,6 @@
./server ./server
./pc ./pc
./machine-info ./machine-info
./nix-builder.nix
./ssh.nix ./ssh.nix
]; ];

60
common/nix-builder.nix
View File

@@ -1,60 +0,0 @@
{ config, lib, ... }:
let
builderRole = "nix-builder";
builderUserName = "nix-builder";
machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
builders = machinesByRole builderRole;
thisMachineIsABuilder = thisMachineHasRole builderRole;
# builders don't include themselves as a remote builder
otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
in
lib.mkMerge [
# configure builder
(lib.mkIf thisMachineIsABuilder {
users.users.${builderUserName} = {
description = "Distributed Nix Build User";
group = builderUserName;
isSystemUser = true;
createHome = true;
home = "/var/lib/nix-builder";
useDefaultShell = true;
openssh.authorizedKeys.keys = builtins.map
(builderCfg: builderCfg.hostKey)
(builtins.attrValues config.machines.hosts);
};
users.groups.${builderUserName} = { };
nix.settings.trusted-users = [
builderUserName
];
})
# use each builder
{
nix.distributedBuilds = true;
nix.buildMachines = builtins.map
(builderCfg: {
hostName = builtins.elemAt builderCfg.hostNames 0;
system = builderCfg.arch;
protocol = "ssh-ng";
sshUser = builderUserName;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
maxJobs = 3;
speedFactor = 10;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
})
(builtins.attrValues otherBuilders);
# It is very likely that the builder's internet is faster or just as fast
nix.extraOptions = ''
builders-use-substitutes = true
'';
}
]

1
common/pc/default.nix
View File

@@ -37,6 +37,7 @@ in
mumble mumble
tigervnc tigervnc
bluez-tools bluez-tools
vscodium
element-desktop element-desktop
mpv mpv
nextcloud-client nextcloud-client

15
common/pc/vscodium.nix
View File

@@ -4,19 +4,8 @@ let
cfg = config.de; cfg = config.de;
extensions = with pkgs.vscode-extensions; [ extensions = with pkgs.vscode-extensions; [
bbenoist.nix # nix syntax support # bbenoist.Nix # nix syntax support
arrterian.nix-env-selector # nix dev envs # arrterian.nix-env-selector # nix dev envs
dart-code.dart-code
dart-code.flutter
golang.go
jnoortheen.nix-ide
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "platformio-ide";
publisher = "platformio";
version = "3.1.1";
sha256 = "fwEct7Tj8bfTOLRozSZJGWoLzWRSvYz/KxcnfpO8Usg=";
}
]; ];
vscodium-with-extensions = pkgs.vscode-with-extensions.override { vscodium-with-extensions = pkgs.vscode-with-extensions.override {

46
common/server/gitea-runner.nix
View File

@@ -11,6 +11,12 @@ in
type = lib.types.str; type = lib.types.str;
description = lib.mdDoc "gitea runner data directory."; description = lib.mdDoc "gitea runner data directory.";
}; };
instanceUrl = lib.mkOption {
type = lib.types.str;
};
registrationTokenFile = lib.mkOption {
type = lib.types.path;
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@@ -29,6 +35,13 @@ in
}; };
users.groups.gitea-runner = { }; users.groups.gitea-runner = { };
# registration token
services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
age.secrets.gitea-runner-registration-token = {
file = ../../secrets/gitea-runner-registration-token.age;
owner = "gitea-runner";
};
systemd.services.gitea-runner = { systemd.services.gitea-runner = {
description = "Gitea Runner"; description = "Gitea Runner";
@@ -44,7 +57,40 @@ in
path = with pkgs; [ gitea-actions-runner ]; path = with pkgs; [ gitea-actions-runner ];
# based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
script = '' script = ''
. ${cfg.registrationTokenFile}
if [[ ! -s .runner ]]; then
try=$((try + 1))
success=0
LOGFILE="$(mktemp)"
# The point of this loop is to make it simple, when running both act_runner and gitea in docker,
# for the act_runner to wait a moment for gitea to become available before erroring out. Within
# the context of a single docker-compose, something similar could be done via healthchecks, but
# this is more flexible.
while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
act_runner register \
--instance "${cfg.instanceUrl}" \
--token "$GITEA_RUNNER_REGISTRATION_TOKEN" \
--name "${config.networking.hostName}" \
--no-interactive > $LOGFILE 2>&1
cat $LOGFILE
cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
if [[ $? -eq 0 ]]; then
echo "SUCCESS"
success=1
else
echo "Waiting to retry ..."
sleep 5
fi
done
fi
exec act_runner daemon exec act_runner daemon
''; '';
}; };

11
common/server/mailserver.nix
View File

@@ -37,10 +37,6 @@ in
# catchall for all domains # catchall for all domains
aliases = map (domain: "@${domain}") domains; aliases = map (domain: "@${domain}") domains;
}; };
"cris@runyan.org" = {
hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
aliases = [ "chris@runyan.org" ];
};
"robot@runyan.org" = { "robot@runyan.org" = {
aliases = [ aliases = [
"no-reply@neet.dev" "no-reply@neet.dev"
@@ -56,16 +52,9 @@ in
"damon@runyan.org" "damon@runyan.org"
"jonas@runyan.org" "jonas@runyan.org"
]; ];
forwards = {
"amazon@runyan.org" = [
"jeremy@runyan.org"
"cris@runyan.org"
];
};
certificateScheme = 3; # use let's encrypt for certs certificateScheme = 3; # use let's encrypt for certs
}; };
age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age; age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age; age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain # sendmail to use xxx@domain instead of xxx@mail.domain

20
flake.lock generated
View File

@@ -117,11 +117,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1683515103, "lastModified": 1682063650,
"narHash": "sha256-vWlnZ0twW+ekOC6JuAHDfupv+u4QNvWawG7+DaQJ4VA=", "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "64160276cd6569694131ed8864d4d35470a84ec3", "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -171,11 +171,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1683638468, "lastModified": 1681591833,
"narHash": "sha256-tQEaGZfZ2Hpw+XIVEHaJ8FaF1yNQyMDDhUyIQ7LTIEg=", "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "219067a5e3cf4b9581c8b4fcfc59ecd5af953d07", "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -186,11 +186,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1683741689, "lastModified": 1682133240,
"narHash": "sha256-VY6gjqAFQe0Xyz+olc979zbsW9dC4VG+mINGffFKVEw=", "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f431ee4a85cb985075b4ed27596913e8087f4264", "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -218,7 +218,7 @@
"nixpkgs-hostapd-pr": { "nixpkgs-hostapd-pr": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-35+g1EJMcDFhb3UP15fyR1aD4AX1ifz2EqaYItITZ7U=", "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
"type": "file", "type": "file",
"url": "https://github.com/NixOS/nixpkgs/pull/222536.patch" "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
}, },

1
flake.nix
View File

@@ -87,6 +87,7 @@
src = nixpkgs; src = nixpkgs;
patches = [ patches = [
inputs.nixpkgs-hostapd-pr inputs.nixpkgs-hostapd-pr
./patches/kexec-luks.patch
]; ];
}; };
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; }); patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });

8
machines/phil/default.nix
View File

@@ -5,6 +5,10 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
networking.hostName = "phil"; services.gitea-runner = {
services.gitea-runner.enable = true; enable = true;
instanceUrl = "https://git.neet.dev";
};
system.autoUpgrade.enable = true;
} }

5
machines/phil/hardware-configuration.nix
View File

@@ -20,10 +20,7 @@
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."enc-pv" = { luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
allowDiscards = true;
};
fileSystems."/" = fileSystems."/" =
{ {

1
machines/phil/properties.nix
View File

@@ -9,7 +9,6 @@
systemRoles = [ systemRoles = [
"server" "server"
"gitea-runner" "gitea-runner"
"nix-builder"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";

3
machines/ponyo/default.nix
View File

@@ -6,6 +6,9 @@
]; ];
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
# I want to manually trigger kexec updates for now on ponyo
system.autoUpgrade.allowKexec = false;
luks.enableKexec = true;
# p2p mesh network # p2p mesh network
services.tailscale.exitNode = true; services.tailscale.exitNode = true;

9
machines/ponyo/hardware-configuration.nix
View File

@@ -19,12 +19,15 @@
}; };
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk luks.devices = [
"/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"
"/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"
];
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/mapper/enc-pv"; device = "/dev/mapper/enc-pv1";
fsType = "btrfs"; fsType = "btrfs";
}; };

5
machines/ray/hardware-configuration.nix
View File

@@ -36,10 +36,7 @@
# disks # disks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { luks.devices = [ "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce" ];
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/vg/root"; device = "/dev/vg/root";

2
machines/router/hardware-configuration.nix
View File

@@ -32,7 +32,7 @@
# disks # disks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c"; luks.devices = [ "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c" ];
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce"; device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";

17
machines/storage/s0/default.nix
View File

@@ -5,22 +5,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
networking.hostName = "s0"; system.autoUpgrade.enable = true;
# system.autoUpgrade.enable = true;
# gitea runner and allow it to build ARM derivations
services.gitea-runner.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
# binary cache
services.nix-serve = {
enable = true;
openFirewall = true;
secretKeyFile = "/run/agenix/binary-cache-private-key";
};
age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
services.iperf3.enable = true; services.iperf3.enable = true;
services.iperf3.openFirewall = true; services.iperf3.openFirewall = true;

10
machines/storage/s0/hardware-configuration.nix
View File

@@ -25,10 +25,12 @@
# luks # luks
remoteLuksUnlock.enable = true; remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"; luks.devices = [
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"; "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"; "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"; "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"
"/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"
];
# mounts # mounts
fileSystems."/" = fileSystems."/" =

1
machines/storage/s0/properties.nix
View File

@@ -9,7 +9,6 @@
"storage" "storage"
"server" "server"
"pia" "pia"
"binary-cache"
]; ];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

264
patches/kexec-luks.patch Normal file
View File

@@ -0,0 +1,264 @@
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index b8f36538e70..cc320a04c70 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -146,6 +146,7 @@ let
csopen = "cryptsetup luksOpen ${dev.device} ${dev.name}"
+ optionalString dev.allowDiscards " --allow-discards"
+ optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
+ + optionalString dev.disableKeyring " --disable-keyring"
+ optionalString (dev.header != null) " --header=${dev.header}";
cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
@@ -243,6 +244,26 @@ let
do_open_passphrase
fi
fi
+ '' else if (dev.masterKeyFile != null) then ''
+ if wait_target "key file" ${dev.masterKeyFile}; then
+ ${csopen} --master-key-file=${dev.masterKeyFile}
+ cs_status=$?
+ if [ $cs_status -ne 0 ]; then
+ echo "Key File ${dev.masterKeyFile} failed!"
+ if ! try_empty_passphrase; then
+ ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+ echo " - failing back to interactive password prompt"
+ do_open_passphrase
+ fi
+ fi
+ else
+ # If the key file never shows up we should also try the empty passphrase
+ if ! try_empty_passphrase; then
+ ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+ echo " - failing back to interactive password prompt"
+ do_open_passphrase
+ fi
+ fi
'' else ''
if ! try_empty_passphrase; then
do_open_passphrase
@@ -625,6 +646,15 @@ in
'';
};
+ masterKeyFile = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ description = lib.mdDoc ''
+ The name of the file (can be a raw device or a partition) that
+ should be used as the master decryption key for the encrypted device.
+ '';
+ };
+
tryEmptyPassphrase = mkOption {
default = false;
type = types.bool;
@@ -700,6 +730,15 @@ in
'';
};
+ disableKeyring = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc ''
+ Disables using the kernel keyring for LUKS2 disks.
+ This is already the default behavior for LUKS1
+ '';
+ };
+
fallbackToPassword = mkOption {
default = false;
type = types.bool;
diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
index 29e3e313336..050bf09c208 100644
--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -4,7 +4,8 @@ with lib;
let cfg = config.system.autoUpgrade;
-in {
+in
+{
options = {
@@ -22,7 +23,7 @@ in {
};
operation = mkOption {
- type = types.enum ["switch" "boot"];
+ type = types.enum [ "switch" "boot" ];
default = "switch";
example = "boot";
description = lib.mdDoc ''
@@ -86,14 +87,14 @@ in {
'';
};
- allowReboot = mkOption {
+ allowKexec = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
- Reboot the system into the new generation instead of a switch
+ kexec the system into the new generation instead of a switch
if the new generation uses a different kernel, kernel modules
or initrd than the booted system.
- See {option}`rebootWindow` for configuring the times at which a reboot is allowed.
+ See {option}`kexecWindow` for configuring the times at which a kexec is allowed.
'';
};
@@ -109,25 +110,25 @@ in {
'';
};
- rebootWindow = mkOption {
+ kexecWindow = mkOption {
description = lib.mdDoc ''
Define a lower and upper time value (in HH:MM format) which
- constitute a time window during which reboots are allowed after an upgrade.
- This option only has an effect when {option}`allowReboot` is enabled.
- The default value of `null` means that reboots are allowed at any time.
+ constitute a time window during which kexecs are allowed after an upgrade.
+ This option only has an effect when {option}`allowKexec` is enabled.
+ The default value of `null` means that kexecs are allowed at any time.
'';
default = null;
example = { lower = "01:00"; upper = "05:00"; };
type = with types; nullOr (submodule {
options = {
lower = mkOption {
- description = lib.mdDoc "Lower limit of the reboot window";
+ description = lib.mdDoc "Lower limit of the kexec window";
type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
example = "01:00";
};
upper = mkOption {
- description = lib.mdDoc "Upper limit of the reboot window";
+ description = lib.mdDoc "Upper limit of the kexec window";
type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
example = "05:00";
};
@@ -165,12 +166,12 @@ in {
}];
system.autoUpgrade.flags = (if cfg.flake == null then
- [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
- "-I"
- "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
- ]
- else
- [ "--flake ${cfg.flake}" ]);
+ [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
+ "-I"
+ "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
+ ]
+ else
+ [ "--flake ${cfg.flake}" ]);
systemd.services.nixos-upgrade = {
description = "NixOS Upgrade";
@@ -195,54 +196,56 @@ in {
config.programs.ssh.package
];
- script = let
- nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
- date = "${pkgs.coreutils}/bin/date";
- readlink = "${pkgs.coreutils}/bin/readlink";
- shutdown = "${config.systemd.package}/bin/shutdown";
- upgradeFlag = optional (cfg.channel == null) "--upgrade";
- in if cfg.allowReboot then ''
- ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
- booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
- built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
-
- ${optionalString (cfg.rebootWindow != null) ''
- current_time="$(${date} +%H:%M)"
-
- lower="${cfg.rebootWindow.lower}"
- upper="${cfg.rebootWindow.upper}"
-
- if [[ "''${lower}" < "''${upper}" ]]; then
- if [[ "''${current_time}" > "''${lower}" ]] && \
- [[ "''${current_time}" < "''${upper}" ]]; then
- do_reboot="true"
+ script =
+ let
+ nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+ date = "${pkgs.coreutils}/bin/date";
+ readlink = "${pkgs.coreutils}/bin/readlink";
+ systemctl_kexec = "${config.systemd.package}/bin/systemctl kexec";
+ upgradeFlag = optional (cfg.channel == null) "--upgrade";
+ in
+ if cfg.allowKexec then ''
+ ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
+ booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+ built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+
+ ${optionalString (cfg.kexecWindow != null) ''
+ current_time="$(${date} +%H:%M)"
+
+ lower="${cfg.kexecWindow.lower}"
+ upper="${cfg.kexecWindow.upper}"
+
+ if [[ "''${lower}" < "''${upper}" ]]; then
+ if [[ "''${current_time}" > "''${lower}" ]] && \
+ [[ "''${current_time}" < "''${upper}" ]]; then
+ do_kexec="true"
+ else
+ do_kexec="false"
+ fi
else
- do_reboot="false"
+ # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
+ # we want to reboot if cur > 23h or cur < 6h
+ if [[ "''${current_time}" < "''${upper}" ]] || \
+ [[ "''${current_time}" > "''${lower}" ]]; then
+ do_kexec="true"
+ else
+ do_kexec="false"
+ fi
fi
+ ''}
+
+ if [ "''${booted}" = "''${built}" ]; then
+ ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
+ ${optionalString (cfg.kexecWindow != null) ''
+ elif [ "''${do_kexec}" != true ]; then
+ echo "Outside of configured kexec window, skipping."
+ ''}
else
- # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
- # we want to reboot if cur > 23h or cur < 6h
- if [[ "''${current_time}" < "''${upper}" ]] || \
- [[ "''${current_time}" > "''${lower}" ]]; then
- do_reboot="true"
- else
- do_reboot="false"
- fi
+ ${systemctl_kexec}
fi
- ''}
-
- if [ "''${booted}" = "''${built}" ]; then
- ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
- ${optionalString (cfg.rebootWindow != null) ''
- elif [ "''${do_reboot}" != true ]; then
- echo "Outside of configured reboot window, skipping."
- ''}
- else
- ${shutdown} -r +1
- fi
- '' else ''
- ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
- '';
+ '' else ''
+ ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
+ '';
startAt = cfg.dates;

10
secrets/binary-cache-private-key.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 hPp1nw 4fyRGsaEo25EOj/VwPsF0tayghF0URctont4/re6OmY
rs09DCSb2bd/v45a7ABxfLo+Sz3OPLkRzfnP5Tmgi0g
-> ssh-ed25519 dMQYog seRjdySBF1GISaSUWqZNvoW4INDUCxvBKJOgvGeyX1Q
fe6JE5f9A48ujVtuc0QZ7e7pWW+Tu0yyQEyexTvQWAQ
-> Uqf![<-grease O}' _h*Y~ .@=$H,~W
jDlO5MEGPDjJ44cAWuJaTeADbG+wz5PTqq9Pw75QV3Exrsb8/PNGOrUZKuSTCCl3
g/z3ZHelBBqHp16ZTc+LSxDYgvnEfWMPZKo4mxgu
--- GTBCzHJYUKbpcgq7+0HzBpqvo0F7TNSPjFKqdRDUYDk
ÈÚú¡T+ñ—êtµ(פÉF ÆS<C386>/R±+¢¼Š¯‘âLÃÝcÁ‰·1

9
secrets/cris-hashed-email-pw.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g q8AlvC9Dt+b8320A4BP92FghOoPyKttivfrsxqG6DGM
GWz2QJY3QFc748DjHrybNxyAS/BmDgzIU8yoRFGbLjA
-> ssh-ed25519 dMQYog i/6mNjO8XZGAxnN1SxJGr5uD+hzCIrh28+N7cvvXZGA
hC+J+F9hVs8HZjLhCQ6RnGAHRE45G+p1oBPnwB+nBtE
-> ]d^>n#.%-grease Qe6&35Kb ,",Wb`% 0SRX@d
yXZqn1+E675gpQyFGk/c15Sc1/iwjI/6VrOE1RTcp0gJcsbtVv4kgYCkY+mK
--- ykoio7g3wxV3VDvo2d3p/Y39NCh+cWPh7uL+Go30BLY
i“˜Q+€hnïI¼_MßGrrf¯EE~µ(fFyâÿé&ȃ>sÀX<C380>ú¤9~<7E>ä*Ç~ŽBãÕ4R¯ü=;’Â{Ý´+^<5E>P…¨ûrFza·C䢞î4V

BIN
secrets/gitea-runner-registration-token.age Normal file
View File

Binary file not shown.

6
secrets/secrets.nix
View File

@@ -14,14 +14,12 @@ with roles;
{ {
# email # email
"hashed-email-pw.age".publicKeys = email-server; "hashed-email-pw.age".publicKeys = email-server;
"cris-hashed-email-pw.age".publicKeys = email-server;
"sasl_relay_passwd.age".publicKeys = email-server; "sasl_relay_passwd.age".publicKeys = email-server;
"hashed-robots-email-pw.age".publicKeys = email-server; "hashed-robots-email-pw.age".publicKeys = email-server;
"robots-email-pw.age".publicKeys = gitea; "robots-email-pw.age".publicKeys = gitea;
# nix binary cache # gitea
# public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= "gitea-runner-registration-token.age".publicKeys = gitea-runner;
"binary-cache-private-key.age".publicKeys = binary-cache;
# vpn # vpn
"iodine.age".publicKeys = iodine; "iodine.age".publicKeys = iodine;