diff --git a/deploy.sh b/deploy.sh index e7e2a64..dbd8815 100644 --- a/deploy.sh +++ b/deploy.sh @@ -161,6 +161,7 @@ if ls -l /sys/class/tpm/tpm0/ > /dev/null 2>&1; then TARGET_TPM_VERSION=\$(cat /sys/class/tpm/tpm0/tpm_version_major) else TARGET_TPM="false" + TARGET_TPM_VERSION="N/A" fi HDD=1 @@ -641,10 +642,11 @@ nix_generation() { sed -i "s*PODMAN_NETWORKS*${PODMAN_NETWORKS//$'\n'/\\n}*" final-nix-config/etc/nixos/misc/activation.nix sed -i "s|TRAEFIK_NETWORKS|${TRAEFIK_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix sed -i "s|TRAEFIK_REF_NETWORKS|${TRAEFIK_REF_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix - if [[ "${TARGET_TPM}" == "true" ]]; then - sed -i "s|# boot.initrd.systemd.tpm2.enable = true;| boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix - cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/ + if [[ "${TARGET_TPM}" == "true" && ${TARGET_TPM_VERSION} -eq 2 ]]; then sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|" final-nix-config/etc/nixos/configuration.nix + sed -i "s|# boot.initrd.systemd.tpm2.enable = true;| boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix + sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix + cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/ fi } 
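Review bot: The new `sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix` in nix_generation edits the deploy host's own /etc/nixos instead of the generated tree that the three surrounding seds write to; it should end in `final-nix-config/etc/nixos/configuration.nix`, otherwise it rewrites the wrong machine's config (or fails outright when that file does not exist on the deploy host). Nothing in this commit uncomments `systemIdentity.pcr15` any more: the sed that did so was dropped from the remote heredoc in the @@ -881 hunk of postrun_action, so the remaining `s|PCR_HASH|\${PCR_HASH}|` substitution there writes the measured value into a line that stays commented and the PCR 15 check is never active. Turning on `systemIdentity.enable` at generation time is also out of step with the @@ -869 hunk, where enrollment is behind a `gum confirm`: a user who declines ends up with the identity check enabled but no enrolled key and no hash, so both systemIdentity toggles belong next to the PCR_HASH substitution in the remote heredoc (or the confirmation has to be asked before nix_generation runs). Minor: the guard compares `${TARGET_TPM_VERSION} -eq 2` unquoted and arithmetically while postrun_action uses `"${TARGET_TPM_VERSION}" == "2"`; the string form is the safer one given the `"N/A"` sentinel the @@ -161 hunk introduces, which bash would try to evaluate as an expression if it ever reached `-eq`.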
@@ -869,7 +871,19 @@ postrun_action() { fi done - ssh_to_host 'bash -s' << EOF + if [[ "${TARGET_TPM}" == "true" && "${TARGET_TPM_VERSION}" == "2" ]]; then + gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 " + A TPM version 2 has been detected on the system. You can choose to enable automatic disk decryption on boot. + Enabling automatic disk decryption on boot means that you won't have to enter your disk password everytime you start your server. + This comes in very handy if you don't plan to leave your server accessible with a keyboard or if you don't have an IP KVM. + + Note : This feature is currently vulnerable to on-site attacks. This means that an attacker with physical access to your machine + could steal the password from the TPM, and therefore have access to all your date. + + Do you want to enable automatic disk decryption on boot ?" + + if gum confirm "➡️ I understand, 'yes' to proceed."; then + ssh_to_host 'bash -s' << EOF echo "Enrolling boot disk key to TPM..." if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME} 
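Review bot: The new prompt text has two typos every user will see: `everytime` should be `every time` and `all your date` should be `all your data`. The on-site attack the note warns about follows from the enrollment policy on the context line just below (`--tpm2-pcrs=0+7`, i.e. the key is released on any boot with the same firmware and Secure Boot state), and the prompt would be more useful if it said so, for example `The key is bound to PCRs 0 and 7 only, so it is released on any boot that has the same firmware and Secure Boot state.`. The `if gum confirm` branch opened here is closed by the `else`/`fi` pair added in the @@ -881 hunk, the heredoc body (including the multi-disk branch of the enrollment) continues past the end of this hunk, and postrun_action itself starts before it.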
@@ -881,16 +895,20 @@ fi echo "Getting PCRS 15 hash..." PCR_HASH=\$(echo ${REMOTE_PASS} | sudo -S systemd-analyze pcrs 15 --json=short) -sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix -sed -i "s|# systemIdentity.pcr15 = "PCR_HASH";| systemIdentity.pcr15 = "PCR_HASH";|" /etc/nixos/configuration.nix sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix EOF + else + echo "Skipping TPM configuration." + fi + else + echo "No supported TPM detected (TPM2 required). Skipping TPM configuration." + fi gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 " ⚠️ $(gum style --foreground 212 'WARNING:') You will now set the password of the numbus-admin user. \ You will almost never user it. Consider using a very strong password : you can write it down \ -securely on a hidden sheet of paper or add it to your password manager (local with Passbolt \ - any other online password manager provider.)." +securely on a hidden sheet of paper or add it to your password manager (locally with Passbolt \ + with any other online password manager provider)." gum confirm "➡️ I understand, 'yes' to proceed." || { echo -e "\n\n❌ Aborting as requested."; exit 1; } @@ -968,7 +986,7 @@ if [[ "$ACTION_ANSWER" == "[1] 🌐 Deploy NixOS on a remote machine" ]]; then sum_up export_configuration deploy - [[ ${TARGET_TPM} == "true" ]] && postrun_action + postrun_action congrats elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a file configuration" ]]; then @@ -990,7 +1008,7 @@ elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a fi sum_up export_configuration deploy - [[ ${TARGET_TPM} == "true" ]] && postrun_action + postrun_action congrats elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then diff --git a/templates/nix-config/configuration.nix b/templates/nix-config/configuration.nix index 85a74c5..1ab3e48 100644 
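Review bot: The wording fix in the gum style block leaves the context line just above it, `You will almost never user it.`, with the same kind of typo (`user` → `use`); since this hunk already rewrites that paragraph, it is the natural place to fix it. postrun_action starts before this hunk and the heredoc closed by `EOF` here is opened in the previous hunk.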
--- a/templates/nix-config/configuration.nix +++ b/templates/nix-config/configuration.nix @@ -10,7 +10,7 @@ ./misc/mail.nix ./misc/networking.nix ./misc/smart.nix -## ./disks/pcr-check.nix +# ./disks/pcr-check.nix # ./disks/snapraid.nix # ./pcie-coral/coral.nix ]; @@ -48,8 +48,8 @@ # boot.initrd.systemd.tpm2.enable = true; # # TPM2 PCR check -## systemIdentity.enable = true; -## systemIdentity.pcr15 = "PCR_HASH"; +# systemIdentity.enable = true; +# systemIdentity.pcr15 = "PCR_HASH"; # Timezone time.timeZone = "Europe/Paris"; diff --git a/templates/nix-config/podman/adguard.coming b/templates/nix-config/podman/adguard.coming index e49c61e..e3adc73 100644 --- a/templates/nix-config/podman/adguard.coming +++ b/templates/nix-config/podman/adguard.coming 
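Review bot: The three lines switched from `##` to `#` are now exact-text sed targets of deploy.sh (nix_generation matches `# systemIdentity.enable = true;` and the remote step substitutes `PCR_HASH`), so their exact spacing and comment prefix are load-bearing, and the template says nothing about it. A comment above the block, such as `# The single-'#' lines below are uncommented by deploy.sh via exact-text sed; keep their spacing as-is.`, would stop a later reformat from silently disabling the TPM path. Both hunks sit inside the top-level configuration attribute set, which continues outside them.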
@@ -15,27 +15,45 @@ in '' ''; - systemd.services.${container_name} = { + systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" "traefik.service" ]; + after = [ "network.target" ]; + requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.podman-compose pkgs.podman ]; + path = [ pkgs.podman pkgs.coreutils ]; serviceConfig = { User = "numbus-admin"; Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ]; Type = "exec"; - # Pull the latest image before running - ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"; - # Bring the service up + TimeoutStartSec = "600"; + ExecStartPre = [ + "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'" + "-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull" + ]; ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans"; - # Take it down gracefully ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down"; Restart = "on-failure"; - RestartSec = "10m"; + RestartSec = "5m"; StartLimitBurst = "3"; - StartLimitIntervalSec = "30s"; }; }; + + systemd.services."update-${container_name}" = { + description = "Update ${container_name} container"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service"; + }; + }; + + systemd.timers."update-${container_name}" = { + timerConfig = { + OnCalendar = "02:00"; + RandomizedDelaySec = "60m"; + Unit = "update-${container_name}.service"; + }; + wantedBy = [ "timers.target" ]; + }; }; } \ No newline at end of file diff --git a/templates/nix-config/podman/frigate.nix b/templates/nix-config/podman/frigate.nix index af1faec..1cecdb4 100644 --- a/templates/nix-config/podman/frigate.nix +++ b/templates/nix-config/podman/frigate.nix 
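Review bot: The unit now has `requires = [ "traefik.service" ]` but `after = [ "network.target" ]` only, so nothing orders it after traefik; every other container unit touched in this commit (frigate, gitea, home-assistant, immich, it-tools, nextcloud, passbolt) adds `"traefik.service"` to `after`, and this one should read `after = [ "network.target" "traefik.service" ];` as well. The new `ExecStartPre` sleep of up to 180 s runs on every start of the service, including boot and each `Restart=on-failure` attempt, not only the nightly timer run, which for a DNS filter such as AdGuard is a visible outage window; the timer already carries `RandomizedDelaySec = "60m"`, so the sleep line can simply be dropped. If it is kept, confirm on a running unit that systemd passes `$((RANDOM % 180))` through unchanged, since systemd applies its own `$VAR` substitution to Exec lines before bash sees the string. The `update-*` timer restarts the container nightly whether or not `podman-compose pull` fetched anything, and if the compose file (not shown here) uses mutable tags that restart deploys whatever was pulled with no pinning or review; a digest-pinned image, or restarting only when the pull changed the image, would keep the update path deliberate. The enclosing module continues before this hunk.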
@@ -55,7 +55,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "traefik.service" "home-assistant.service" "pi-hole.service" ]; requires = [ "traefik.service" "home-assistant.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/gitea.nix b/templates/nix-config/podman/gitea.nix index 5e3014f..849f4e2 100644 --- a/templates/nix-config/podman/gitea.nix +++ b/templates/nix-config/podman/gitea.nix @@ -68,7 +68,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/home-assistant.nix b/templates/nix-config/podman/home-assistant.nix index 70f9977..af89e46 100644 --- a/templates/nix-config/podman/home-assistant.nix +++ b/templates/nix-config/podman/home-assistant.nix @@ -55,7 +55,7 @@ in ''; systemd.services.${container_name} = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/immich.nix b/templates/nix-config/podman/immich.nix index 44827e7..746c6c2 100644 --- a/templates/nix-config/podman/immich.nix +++ b/templates/nix-config/podman/immich.nix 
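Review bot: frigate's new `after` list drops `network.target`, unlike the gitea and home-assistant hunks on this line and the immich, it-tools, nextcloud and passbolt hunks that follow, which all keep it; for consistency it should read `after = [ "network.target" "traefik.service" "home-assistant.service" "pi-hole.service" ];`. Ordering after `pi-hole.service` without a matching `wants`/`requires` is a soft ordering that systemd simply ignores when that unit is not present, which looks intended if pi-hole is optional in this setup, but a one-line comment saying so (`# soft ordering only: pi-hole may be disabled`) would keep the next reader from promoting it to `requires`. Each of these hunks sits inside a `systemd.services` definition that continues outside it.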
@@ -92,7 +92,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/it-tools.nix b/templates/nix-config/podman/it-tools.nix index de6ed25..ee29889 100644 --- a/templates/nix-config/podman/it-tools.nix +++ b/templates/nix-config/podman/it-tools.nix @@ -35,7 +35,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/nextcloud.nix b/templates/nix-config/podman/nextcloud.nix index 4953e29..a719286 100644 --- a/templates/nix-config/podman/nextcloud.nix +++ b/templates/nix-config/podman/nextcloud.nix @@ -58,7 +58,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; diff --git a/templates/nix-config/podman/passbolt.nix b/templates/nix-config/podman/passbolt.nix index 654fe8a..bc3364c 100644 --- a/templates/nix-config/podman/passbolt.nix +++ b/templates/nix-config/podman/passbolt.nix @@ -87,7 +87,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ]; 
diff --git a/templates/nix-config/podman/pi-hole.nix b/templates/nix-config/podman/pi-hole.nix index 4c36f4f..54d05da 100644 --- a/templates/nix-config/podman/pi-hole.nix +++ b/templates/nix-config/podman/pi-hole.nix @@ -64,7 +64,7 @@ in systemd.services."${container_name}" = { description = "Podman container : ${container_name}"; - after = [ "network.target" ]; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; requires = [ "traefik.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.podman pkgs.coreutils ];
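Review bot: This file defines `systemd.services."${container_name}"` for pi-hole, yet the new `after` list orders it after `"pi-hole.service"`, i.e. after itself, assuming `container_name` here is `pi-hole` as the references from the other units suggest; systemd does not honour a self-ordering and the entry is noise at best, so it should be `after = [ "network.target" "traefik.service" ];`. The identical list appears in the other container hunks of this commit, so this looks like the shared edit applied without adjustment rather than a deliberate choice. The rest of the unit definition lies outside the hunk.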