Update TPM configuration. Added systemD pi-hole.service priority.

2026-02-08 09:57:04 +01:00
parent d4a8f7f5bc
commit 1f26f51072
11 changed files with 66 additions and 30 deletions
@@ -161,6 +161,7 @@ if ls -l /sys/class/tpm/tpm0/ > /dev/null 2>&1; then
  TARGET_TPM_VERSION=\$(cat /sys/class/tpm/tpm0/tpm_version_major)
 else
  TARGET_TPM="false"
+  TARGET_TPM_VERSION="N/A"
 fi

 HDD=1
@@ -641,10 +642,11 @@ nix_generation() {
  sed -i "s*PODMAN_NETWORKS*${PODMAN_NETWORKS//$'\n'/\\n}*" final-nix-config/etc/nixos/misc/activation.nix
  sed -i "s|TRAEFIK_NETWORKS|${TRAEFIK_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix
  sed -i "s|TRAEFIK_REF_NETWORKS|${TRAEFIK_REF_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix
-  if [[ "${TARGET_TPM}" == "true" ]]; then
-    sed -i "s|#  boot.initrd.systemd.tpm2.enable = true;|  boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix
-    cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/
+  if [[ "${TARGET_TPM}" == "true" && ${TARGET_TPM_VERSION} -eq 2 ]]; then
    sed -i "s|#    ./disks/pcr-check.nix|    ./disks/pcr-check.nix|" final-nix-config/etc/nixos/configuration.nix
+    sed -i "s|#  boot.initrd.systemd.tpm2.enable = true;|  boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix
+    sed -i "s|#  systemIdentity.enable = true;|  systemIdentity.enable = true;|" /etc/nixos/configuration.nix
+    cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/
  fi
 }

@@ -869,7 +871,19 @@ postrun_action() {
    fi
  done

-  ssh_to_host 'bash -s' << EOF
+  if [[ "${TARGET_TPM}" == "true" && "${TARGET_TPM_VERSION}" == "2" ]]; then
+    gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
+        A TPM version 2 has been detected on the system. You can choose to enable automatic disk decryption on boot.
+    Enabling automatic disk decryption on boot means that you won't have to enter your disk password everytime you start your server.
+      This comes in very handy if you don't plan to leave your server accessible with a keyboard or if you don't have an IP KVM.
+
+    Note : This feature is currently vulnerable to on-site attacks. This means that an attacker with physical access to your machine
+                            could steal the password from the TPM, and therefore have access to all your date.
+
+                                      Do you want to enable automatic disk decryption on boot ?"
+
+    if gum confirm "➡️  I understand, 'yes' to proceed."; then
+      ssh_to_host 'bash -s' << EOF
 echo "Enrolling boot disk key to TPM..."
 if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then
  echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
@@ -881,16 +895,20 @@ fi
 echo "Getting PCRS 15 hash..."
 PCR_HASH=\$(echo ${REMOTE_PASS} | sudo -S systemd-analyze pcrs 15 --json=short)

-sed -i "s|#  systemIdentity.enable = true;|  systemIdentity.enable = true;|" /etc/nixos/configuration.nix
-sed -i "s|#  systemIdentity.pcr15 = "PCR_HASH";|  systemIdentity.pcr15 = "PCR_HASH";|" /etc/nixos/configuration.nix
 sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
 EOF
+    else
+      echo "Skipping TPM configuration."
+    fi
+    else
+      echo "No supported TPM detected (TPM2 required). Skipping TPM configuration."
+  fi

  gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
  ⚠️  $(gum style --foreground 212 'WARNING:') You will now set the password of the numbus-admin user. \
 You will almost never user it. Consider using a very strong password : you can write it down \
-securely on a hidden sheet of paper or add it to your password manager (local with Passbolt \
-                    any other online password manager provider.)."
+securely on a hidden sheet of paper or add it to your password manager (locally with Passbolt \
+                    with any other online password manager provider)."

  gum confirm "➡️  I understand, 'yes' to proceed." || { echo -e "\n\n❌ Aborting as requested."; exit 1; }

@@ -968,7 +986,7 @@ if [[ "$ACTION_ANSWER" == "[1] 🌐 Deploy NixOS on a remote machine" ]]; then
  sum_up
  export_configuration
  deploy
-  [[ ${TARGET_TPM} == "true" ]] && postrun_action
+  postrun_action
  congrats

 elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a file configuration" ]]; then
@@ -990,7 +1008,7 @@ elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a fi
  sum_up
  export_configuration
  deploy
-  [[ ${TARGET_TPM} == "true" ]] && postrun_action
+  postrun_action
  congrats

 elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then
@@ -10,7 +10,7 @@
    ./misc/mail.nix
    ./misc/networking.nix
    ./misc/smart.nix
-##    ./disks/pcr-check.nix
+#    ./disks/pcr-check.nix
 #    ./disks/snapraid.nix
 #    ./pcie-coral/coral.nix
  ];
@@ -48,8 +48,8 @@
 #  boot.initrd.systemd.tpm2.enable = true;

 #  # TPM2 PCR check
-##  systemIdentity.enable = true;
-##  systemIdentity.pcr15 = "PCR_HASH"; 
+#  systemIdentity.enable = true;
+#  systemIdentity.pcr15 = "PCR_HASH"; 

  # Timezone
  time.timeZone = "Europe/Paris";
@@ -15,27 +15,45 @@ in
      ''
      '';

-    systemd.services.${container_name} = {
+    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" "traefik.service" ];
+      after = [ "network.target" ];
+      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.podman-compose pkgs.podman ];
+      path = [ pkgs.podman pkgs.coreutils ];

      serviceConfig = {
        User = "numbus-admin";
        Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
        Type = "exec";
-        # Pull the latest image before running
-        ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
-        # Bring the service up
+        TimeoutStartSec = "600";
+        ExecStartPre = [
+          "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
+          "-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
+        ];
        ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
-        # Take it down gracefully
        ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
        Restart = "on-failure";
-        RestartSec = "10m";
+        RestartSec = "5m";
        StartLimitBurst = "3";
-        StartLimitIntervalSec = "30s";
      };
    };
+
+    systemd.services."update-${container_name}" = {
+      description = "Update ${container_name} container";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
+      };
+    };
+
+    systemd.timers."update-${container_name}" = {
+      timerConfig = {
+        OnCalendar = "02:00";
+        RandomizedDelaySec = "60m";
+        Unit = "update-${container_name}.service";
+      };
+      wantedBy = [ "timers.target" ];
+    };
  };
 }
@@ -55,7 +55,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "traefik.service" "home-assistant.service" "pi-hole.service" ];
      requires = [ "traefik.service" "home-assistant.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -68,7 +68,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -55,7 +55,7 @@ in
      '';
    systemd.services.${container_name} = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -92,7 +92,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -35,7 +35,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -58,7 +58,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -87,7 +87,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];
@@ -64,7 +64,7 @@ in

    systemd.services."${container_name}" = {
      description = "Podman container : ${container_name}";
-      after = [ "network.target" ];
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
      requires = [ "traefik.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.podman pkgs.coreutils ];