From b3464e477bbc5cbafb60651804cb593e11120910 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?=
Date: Sun, 15 Feb 2026 13:41:37 +0100
Subject: [PATCH] Updates. Bugfixes.

---
 deploy.sh | 19 ++++++++++++-------
 templates/nix-config/configuration.nix | 5 +++++
 templates/nix-config/misc/networking.nix | 2 +-
 templates/nix-config/podman/frigate.nix | 1 +
 templates/nix-config/podman/nextcloud.nix | 2 --
 templates/nix-config/podman/traefik.nix | 3 +--
 6 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index 664c6a9..4134335 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -901,17 +901,22 @@ postrun_action() {
 if gum confirm "➡️ I understand, 'yes' to proceed."; then
 ssh_to_host 'bash -s' << EOF
 echo "Enrolling boot disk key to TPM..."
-if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then
- echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
-elif [[ ${#BOOT_DISKS_ID[@]} -eq 2 ]]; then
- echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
- echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-2 /dev/${BOOT_DISK_2_NAME}
-fi
+
+j=1
+for i in ${!BOOT_DISKS_ID[@]}; do
+ if [[ echo "${BOOT_DISKS_ID[${i}]}" | grep -iq "nvme" ]]; then
+ DISK_PATH="/dev/${BOOT_DISKS_ID[${i}]}p2"
+ else
+ DISK_PATH="/dev/${BOOT_DISKS_ID[${i}]}2"
+ fi
+ echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-${j} ${DISK_PATH}
+ ((j++))
+done
 echo "Getting PCRS 15 hash..."
 PCR_HASH=\$(echo ${REMOTE_PASS} | sudo -S systemd-analyze pcrs 15 --json=short)
-sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
+echo ${REMOTE_PASS} | sudo -S sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
 EOF
 else
 echo "Skipping TPM configuration."
diff --git a/templates/nix-config/configuration.nix b/templates/nix-config/configuration.nix
index 1ab3e48..9c90dc0 100644
--- a/templates/nix-config/configuration.nix
+++ b/templates/nix-config/configuration.nix
@@ -47,6 +47,10 @@
 boot.swraid.mdadmConf = "MAILADDR ${config.email.userAddress},${config.email.adminAddress}";
 # boot.initrd.systemd.tpm2.enable = true;
+ boot.kernel.sysctl = {
+ vm.overcommit_memory=1;
+ };
+
 # # TPM2 PCR check
 # systemIdentity.enable = true;
 # systemIdentity.pcr15 = "PCR_HASH";
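Review bot: The new enrollment loop cannot run as written: `[[ echo "${BOOT_DISKS_ID[${i}]}" | grep -iq "nvme" ]]` is not a conditional expression (a pipeline inside `[[ ]]` is a syntax error, so the remote `bash -s` rejects the whole `for` body), and because the here-document delimiter is unquoted (`<< EOF`, with `\$(echo …)` escaped on the PCR line for exactly this reason) `${BOOT_DISKS_ID[${i}]}`, `${DISK_PATH}` and `${j}` are expanded on the local side before the script is sent, where the remote loop variable `i` does not exist and the array never reaches the remote host. Drive the loop from the locally expanded element list instead, e.g. `for DISK in ${BOOT_DISKS_ID[@]}; do`, and escape every variable that must be evaluated remotely. Quoting `"\${DISK_PATH}"` also keeps an unexpected device name from being split into extra arguments to systemd-cryptenroll, which binds a disk key to the TPM, so the target argument should be exact. postrun_action begins before this hunk and continues after it.
```shell
j=1
for DISK in ${BOOT_DISKS_ID[@]}; do
    # Local expansion fills in the disk ids; everything else runs on the remote host.
    if [[ "\$DISK" == *nvme* ]]; then
        DISK_PATH="/dev/\${DISK}p2"
    else
        DISK_PATH="/dev/\${DISK}2"
    fi
    echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-\${j} "\${DISK_PATH}"
    ((j++))
done
# … unchanged: PCR 15 capture and sed into /etc/nixos/configuration.nix …
```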
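Review bot: The new `boot.kernel.sysctl` entry will not evaluate the way it reads: in Nix an unquoted dotted path such as `vm.overcommit_memory=1;` defines a nested set `vm = { overcommit_memory = 1; };`, whereas `boot.kernel.sysctl` takes the full sysctl name as one key. Change the line to `"vm.overcommit_memory" = 1;`. A one-line why-comment above it would also help, e.g. `# vm.overcommit_memory=1 required by <service that needs it>`, since the commit message does not say which workload depends on it.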
@@ -122,6 +126,7 @@
 # Enable Podman
 virtualisation.podman.enable = true;
+ virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
 # Enable libvirt
 # virtualisation.libvirtd.enable = true;
diff --git a/templates/nix-config/misc/networking.nix b/templates/nix-config/misc/networking.nix
index 9b3d791..d43c090 100644
--- a/templates/nix-config/misc/networking.nix
+++ b/templates/nix-config/misc/networking.nix
@@ -15,7 +15,7 @@
 # Bridge configuration for VMs
 networking.bridges.br0.interfaces = [ "TARGET_INTERFACE" ];
 networking.interfaces.br0.useDHCP = false;
- networking.nameservers = [ "9.9.9.9" ];
+ networking.nameservers = [ "HOME_SERVER_IP" "9.9.9.9" ];
 networking.interfaces.br0.ipv4.addresses = [{
 address = "HOME_SERVER_IP";
 prefixLength = 24;
diff --git a/templates/nix-config/podman/frigate.nix b/templates/nix-config/podman/frigate.nix
index 1cecdb4..ff82aa3 100644
--- a/templates/nix-config/podman/frigate.nix
+++ b/templates/nix-config/podman/frigate.nix
@@ -38,6 +38,7 @@ in
 # --- frigate devices --- #
 labels:
 - traefik.enable=true
+ - traefik.docker.network=home-assistant_frontend
 - traefik.http.services.frigate.loadbalancer.server.port=8971
 - traefik.http.services.frigate.loadbalancer.server.scheme=http
 - traefik.http.routers.frigate-https.entrypoints=websecure
diff --git a/templates/nix-config/podman/nextcloud.nix b/templates/nix-config/podman/nextcloud.nix
index a719286..1259eaf 100644
--- a/templates/nix-config/podman/nextcloud.nix
+++ b/templates/nix-config/podman/nextcloud.nix
@@ -24,8 +24,6 @@ in
 - /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
 environment:
 APACHE_PORT: 11000
- NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.$DOMAIN_NAME nextcloud-aio.$DOMAIN_NAME
- TRUSTED_PROXIES: 172.16.1.253
 APACHE_IP_BINDING: 127.0.0.1
 NEXTCLOUD_DATADIR: ${data_dir}
 NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE
diff --git a/templates/nix-config/podman/traefik.nix b/templates/nix-config/podman/traefik.nix
index 82056b9..e8594f6 100644
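Review bot: The host's own bridge address (`HOME_SERVER_IP`, the same placeholder assigned to `networking.interfaces.br0.ipv4.addresses` a few lines below) is now the first nameserver, which presumably assumes a resolver is listening on that address; if none is, for example while whatever provides it is not yet up, every lookup waits for the resolver timeout before `9.9.9.9` is tried. A short comment on the new line would make that dependency explicit, e.g. `# local resolver on the host first, Quad9 as fallback`.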
--- a/templates/nix-config/podman/traefik.nix
+++ b/templates/nix-config/podman/traefik.nix
@@ -31,7 +31,6 @@ TRAEFIK_NETWORKS
 - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
 labels:
 - traefik.enable=true
- - traefik.docker.network=home-assistant_frontend
 - traefik.http.services.traefik.loadbalancer.server.port=8080
 - traefik.http.services.traefik.loadbalancer.server.scheme=http
 - traefik.http.routers.traefik-https.entrypoints=websecure
@@ -45,7 +44,7 @@ TRAEFIK_REF_NETWORKS
 systemd.services.traefik = {
 description = "Podman container : ${container_name}";
- after = [ "numbus-activation-networked.service" "numbus-activation-chowned.service" ];
+ after = [ "numbus-activation.service" ];
 wantedBy = [ "multi-user.target" ];
 path = [ pkgs.podman pkgs.coreutils ];