numbus/numbus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

TEST

Browse Source
This commit is contained in:
Raphaël Billet
2025-12-04 10:46:18 +01:00
parent 3a5b786b36
commit 0c07311b0d
4 changed files with 113 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config-files/disks/boot-1.nix
+2 -1
View File
@@ -41,8 +41,9 @@
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "crypted"; name = "crypted-boot-1";
settings = { settings = {
keyFile = "/run/secrets/disks/boot-disk-1";
allowDiscards = true; allowDiscards = true;
}; };
content = { content = {
config-files/disks/boot-2.nix
+4 -3
View File
@@ -22,8 +22,9 @@
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "nixos-p1"; name = "crypted-boot-1";
settings = { settings = {
keyFile = "/run/secrets/disks/boot-disk-2";
allowDiscards = true; allowDiscards = true;
}; };
}; };
@@ -41,7 +42,7 @@
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "nixos-p2"; name = "crypted-boot-2";
settings = { settings = {
allowDiscards = true; allowDiscards = true;
}; };
@@ -49,7 +50,7 @@
type = "btrfs"; type = "btrfs";
extraArgs = [ extraArgs = [
"-d raid1" "-d raid1"
"/dev/mapper/nixos-p1" "/dev/mapper/crypted-boot-1"
]; ];
subvolumes = { subvolumes = {
"/root" = { "/root" = {
configuration.nix
+61 -24
View File
@@ -1,21 +1,28 @@
{ modulesPath, config, lib, pkgs, inputs, ... }: { modulesPath, config, lib, pkgs, inputs, ... }:
let let
# Find all mount points that start with "/mnt/data-" # # Find all mount points that start with "/mnt/data-"
dataDiskMounts = lib.attrsets.attrNames ( # dataDiskMounts = lib.attrsets.attrNames (
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/data-" name) config.fileSystems # lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/data-" name) config.fileSystems
); # );
#
# # Find all mount points that start with "/mnt/parity-"
# parityDiskMounts = lib.attrsets.attrNames (
# lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/parity-" name) config.fileSystems
# );
#
# # Create an attribute set for snapraid data disks, e.g. { d1 = "/mnt/data-1"; d2 = "/mnt/data-2"; }
# snapraidDataDisks = lib.lists.foldl'
# (acc: path: acc // { "d${toString (acc.i + 1)}" = path; i = acc.i + 1; })
# { i = 0; }
# dataDiskMounts;
#in
# Find all mount points that start with "/mnt/parity-" # Helper to get mount points for data and parity disks from disko config
parityDiskMounts = lib.attrsets.attrNames ( getMounts = prefix: lib.attrsets.attrNames (lib.attrsets.filterAttrs (n: v: v.mountPoint != null && lib.strings.hasPrefix v.mountPoint prefix) config.disko.devices.fs);
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/parity-" name) config.fileSystems dataDiskMounts = getMounts "/mnt/data-";
); parityDiskMounts = getMounts "/mnt/parity-";
snapraidDataDisks = lib.listToAttrs (lib.imap0 (i: path: { name = "d${toString (i + 1)}"; value = path; }) dataDiskMounts);
# Create an attribute set for snapraid data disks, e.g. { d1 = "/mnt/data-1"; d2 = "/mnt/data-2"; }
snapraidDataDisks = lib.lists.foldl'
(acc: path: acc // { "d${toString (acc.i + 1)}" = path; i = acc.i + 1; })
{ i = 0; }
dataDiskMounts;
in in
{ {
@@ -24,6 +31,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
./disk-config.nix ./disk-config.nix
./ensure-pcr.nix
]; ];
# Hardware settings # Hardware settings
@@ -44,21 +52,19 @@ in
sops.secrets."docker/hass" = { owner = "numbus-admin"; path = "/etc/docker-compose/hass/.env"; }; sops.secrets."docker/hass" = { owner = "numbus-admin"; path = "/etc/docker-compose/hass/.env"; };
sops.secrets."docker/pihole" = { owner = "numbus-admin"; path = "/etc/docker-compose/pihole/.env"; }; sops.secrets."docker/pihole" = { owner = "numbus-admin"; path = "/etc/docker-compose/pihole/.env"; };
sops.secrets."docker/immich" = { owner = "numbus-admin"; path = "/etc/docker-compose/immich/.env"; }; sops.secrets."docker/immich" = { owner = "numbus-admin"; path = "/etc/docker-compose/immich/.env"; };
sops.secrets."disks/data_disk_1" = { owner = "root"; };
sops.secrets."disks/data_disk_2" = { owner = "root"; };
sops.secrets."disks/data_disk_3" = { owner = "root"; };
sops.secrets."disks/data_disk_4" = { owner = "root"; };
sops.secrets."disks/data_disk_5" = { owner = "root"; };
sops.secrets."disks/data_disk_6" = { owner = "root"; };
sops.secrets."disks/parity_disk_1" = { owner = "root"; };
sops.secrets."disks/parity_disk_2" = { owner = "root"; };
sops.secrets."disks/parity_disk_3" = { owner = "root"; };
# Bootloader options # Bootloader options
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
boot.initrd.systemd.tpm2.enable = true;
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# TPM2 PCR check
systemIdentity.enable = true;
# On first boot, get the value with: systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256"
# and place it here.
systemIdentity.pcr15 = null; # "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547";
# Timezone # Timezone
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
@@ -198,12 +204,43 @@ in
]; ];
}; };
# # Hard drives decryption
# environment.etc."crypttab".text = ''
# crypted-data-1 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-1 /run/secrets/disks/data-disk-1
# crypted-data-2 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-2 /run/secrets/disks/data-disk-2
# crypted-data-3 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-3 /run/secrets/disks/data-disk-3
# crypted-data-4 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-4 /run/secrets/disks/data-disk-4
# crypted-data-5 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-5 /run/secrets/disks/data-disk-5
# crypted-data-6 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-6 /run/secrets/disks/data-disk-6
# crypted-parity-1 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-1 /run/secrets/disks/parity-disk-1
# crypted-parity-2 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-2 /run/secrets/disks/parity-disk-2
# crypted-parity-3 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-3 /run/secrets/disks/parity-disk-3
# '';
# Declarative LUKS decryption for data and parity disks
boot.luks.devices =
let
# This function generates the attribute set for a LUKS device
mkLuksDevice = type: index:
lib.nameValuePair "crypted-${type}-${toString index}" {
device = "/dev/disk/by-partlabel/${type}-disk-${toString index}";
keyFile = "/run/secrets/disks/${type}-disk-${toString index}";
# This option tells systemd to measure the LUKS header into PCR 15
};
in
# Merge attributes for data and parity disks
lib.attrsets.listToAttrs (
(lib.lists.imap1 (i: _: mkLuksDevice "data" i) dataDiskMounts) ++
(lib.lists.imap1 (i: _: mkLuksDevice "parity" i) parityDiskMounts)
);
# SnapRAID for data redundancy # SnapRAID for data redundancy
services.snapraid = { services.snapraid = {
enable = true; enable = true;
contentFiles = map (disk: "${disk}/snapraid.content") dataDiskMounts; contentFiles = map (disk: "${disk}/snapraid.content") dataDiskMounts;
parityFiles = map (disk: "${disk}/snapraid.parity") parityDiskMounts; parityFiles = map (disk: "${disk}/snapraid.parity") parityDiskMounts;
dataDisks = builtins.removeAttrs snapraidDataDisks [ "i" ]; # This correctly creates the required attribute set. # dataDisks = builtins.removeAttrs snapraidDataDisks [ "i" ]; # This correctly creates the required attribute set.
dataDisks = snapraidDataDisks;
# Using default sync and scrub schedules: # Using default sync and scrub schedules:
# Sync runs daily at 01:00. # Sync runs daily at 01:00.
# Scrub runs weekly on Monday at 02:00. # Scrub runs weekly on Monday at 02:00.
deploy.sh
+46 -27
View File
@@ -174,38 +174,42 @@ files_generation() {
export IMMICH_DB_DATABASE_NAME="$(openssl rand -hex 10)" export IMMICH_DB_DATABASE_NAME="$(openssl rand -hex 10)"
export IMMICH_DB_USERNAME="$(openssl rand -hex 10)" export IMMICH_DB_USERNAME="$(openssl rand -hex 10)"
export IMMICH_DB_PASSWORD="$(openssl rand -base64 32 | tr -d '\=+/')" export IMMICH_DB_PASSWORD="$(openssl rand -base64 32 | tr -d '\=+/')"
export DATA_DISK_1="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_1_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export DATA_DISK_2="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_2_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export DATA_DISK_3="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_3_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export DATA_DISK_4="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_4_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export DATA_DISK_5="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_5_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export DATA_DISK_6="$(openssl rand -base64 32 | tr -d '\=+/')" export DATA_DISK_6_KEY="$(openssl rand -base64 10 | tr -d '\=+/')"
export PARITY_DISK_1="$(openssl rand -base64 32 | tr -d '\=+/ ')" export PARITY_DISK_1_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
export PARITY_DISK_2="$(openssl rand -base64 32 | tr -d '\=+/ ')" export PARITY_DISK_2_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
export PARITY_DISK_3="$(openssl rand -base64 32 | tr -d '\=+/ ')" export PARITY_DISK_3_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
export BOOT_DISK_1_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
export BOOT_DISK_2_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
echo "$REMOTE_PASS" | ssh_to_host """ echo "$REMOTE_PASS" | ssh_to_host """
sudo -S mkdir -p /run/secrets/disks/ sudo -S mkdir -p /run/secrets/disks/
echo -n $DATA_DISK_1 | sudo -S tee /run/secrets/disks/data-disk-1 > /dev/null echo -n $DATA_DISK_1_KEY | sudo -S tee /run/secrets/disks/data-disk-1 > /dev/null
echo -n $DATA_DISK_2 | sudo -S tee /run/secrets/disks/data-disk-2 > /dev/null echo -n $DATA_DISK_2_KEY | sudo -S tee /run/secrets/disks/data-disk-2 > /dev/null
echo -n $DATA_DISK_3 | sudo -S tee /run/secrets/disks/data-disk-3 > /dev/null echo -n $DATA_DISK_3_KEY | sudo -S tee /run/secrets/disks/data-disk-3 > /dev/null
echo -n $DATA_DISK_4 | sudo -S tee /run/secrets/disks/data-disk-4 > /dev/null echo -n $DATA_DISK_4_KEY | sudo -S tee /run/secrets/disks/data-disk-4 > /dev/null
echo -n $DATA_DISK_5 | sudo -S tee /run/secrets/disks/data-disk-5 > /dev/null echo -n $DATA_DISK_5_KEY | sudo -S tee /run/secrets/disks/data-disk-5 > /dev/null
echo -n $DATA_DISK_6 | sudo -S tee /run/secrets/disks/data-disk-6 > /dev/null echo -n $DATA_DISK_6_KEY | sudo -S tee /run/secrets/disks/data-disk-6 > /dev/null
echo -n $PARITY_DISK_1 | sudo -S tee /run/secrets/disks/parity-disk-1 > /dev/null echo -n $PARITY_DISK_1_KEY | sudo -S tee /run/secrets/disks/parity-disk-1 > /dev/null
echo -n $PARITY_DISK_2 | sudo -S tee /run/secrets/disks/parity-disk-2 > /dev/null echo -n $PARITY_DISK_2_KEY | sudo -S tee /run/secrets/disks/parity-disk-2 > /dev/null
echo -n $PARITY_DISK_3 | sudo -S tee /run/secrets/disks/parity-disk-3 > /dev/null echo -n $PARITY_DISK_3_KEY | sudo -S tee /run/secrets/disks/parity-disk-3 > /dev/null
echo -n $BOOT_DISK_1_KEY | sudo -S tee /run/secrets/disks/boot-disk-1 > /dev/null
echo -n $BOOT_DISK_2_KEY | sudo -S tee /run/secrets/disks/boot-disk-2 > /dev/null
""" """
mkdir -p extra-files/run/secrets/disks/ mkdir -p extra-files/run/secrets/disks/
echo -n $DATA_DISK_1 > extra-files/run/secrets/disks/data-disk-1 echo -n $DATA_DISK_1_KEY > extra-files/run/secrets/disks/data-disk-1
echo -n $DATA_DISK_2 > extra-files/run/secrets/disks/data-disk-2 echo -n $DATA_DISK_2_KEY > extra-files/run/secrets/disks/data-disk-2
echo -n $DATA_DISK_3 > extra-files/run/secrets/disks/data-disk-3 echo -n $DATA_DISK_3_KEY > extra-files/run/secrets/disks/data-disk-3
echo -n $DATA_DISK_4 > extra-files/run/secrets/disks/data-disk-4 echo -n $DATA_DISK_4_KEY > extra-files/run/secrets/disks/data-disk-4
echo -n $DATA_DISK_5 > extra-files/run/secrets/disks/data-disk-5 echo -n $DATA_DISK_5_KEY > extra-files/run/secrets/disks/data-disk-5
echo -n $DATA_DISK_6 > extra-files/run/secrets/disks/data-disk-6 echo -n $DATA_DISK_6_KEY > extra-files/run/secrets/disks/data-disk-6
echo -n $PARITY_DISK_1 > extra-files/run/secrets/disks/parity-disk-1 echo -n $PARITY_DISK_1_KEY > extra-files/run/secrets/disks/parity-disk-1
echo -n $PARITY_DISK_2 > extra-files/run/secrets/disks/parity-disk-2 echo -n $PARITY_DISK_2_KEY > extra-files/run/secrets/disks/parity-disk-2
echo -n $PARITY_DISK_3 > extra-files/run/secrets/disks/parity-disk-3 echo -n $PARITY_DISK_3_KEY > extra-files/run/secrets/disks/parity-disk-3
echo -e "\n ✅ Encrypting secrets in the correct file..." echo -e "\n ✅ Encrypting secrets in the correct file..."
envsubst < "config-files/sops-nix/secrets.yaml" | sops encrypt --filename-override secrets.yaml \ envsubst < "config-files/sops-nix/secrets.yaml" | sops encrypt --filename-override secrets.yaml \
@@ -486,6 +490,19 @@ deploy() {
sleep 1 sleep 1
} }
sum_up() {
echo $DATA_DISK_1_KEY
echo $DATA_DISK_2_KEY
echo $DATA_DISK_3_KEY
echo $DATA_DISK_4_KEY
echo $DATA_DISK_5_KEY
echo $DATA_DISK_6_KEY
echo $PARITY_DISK_1_KEY
echo $PARITY_DISK_2_KEY
echo $PARITY_DISK_3_KEY
}
postrun_action() { postrun_action() {
echo "" echo ""
} }
@@ -553,6 +570,8 @@ elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a fi
files_generation files_generation
disk_config_generation disk_config_generation
deploy deploy
sum_up
postrun_action
elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then
echo -e "\n ➡️ Proceeding with update…" echo -e "\n ➡️ Proceeding with update…"
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "➡️ On the target host : make sure the NixOS installation you want gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "➡️ On the target host : make sure the NixOS installation you want