I am working on a homelab deployer tool. The description of this homelab deployer tool is available in the README.md file; you shall read it to better understand your job. Your job as a NixOS expert will be to help me change the current broken configuration into the configuration I want.
Here is how I want my setup to be:
Disks selection
My script allows the selection of disks.
The disks are separated into two categories: boot disks and data disks. Data disks are further divided into content disks and parity disks.
First, the user chooses the boot disks: they can choose one boot disk, or two boot disks in a mirror setup. The user has to choose at least one boot disk.
Then, the user chooses data disks. They can choose as many data disks as they want, up to 9, or no data disks at all. The script then automatically assigns the data disks to the content and parity roles according to three conditions:
- if there is only one data disk selected, it must be a content disk
- if more than one data disk is selected, the largest disks are necessarily the parity disks (any of them if all disks are the same size)
- if more than one data disk is selected, the content/parity split must be 1 parity disk for up to 2 content disks.
RAID configuration
If there is only one boot disk selected, the boot disk will be striped. If there are 2 boot disks selected, they will be a mirror.
The data disk mountpoints are set dynamically and logically:
- /mnt/content-1
- /mnt/content-2
- /mnt/content-3
- /mnt/content-4
- /mnt/content-5
- /mnt/content-6
- /mnt/parity-1
- /mnt/parity-2
- /mnt/parity-3
SnapRAID is used to get a RAID configuration working with the content and parity drives even if their sizes are not the same. MergerFS is used to obtain one clean path to the data storage. The script finds the UUIDs of the selected disks so that they can be referenced in the final disk-config.nix configuration file.
Disks unlocking
The boot disks are unlocked manually by providing the passphrase on boot.
The data disks are unlocked automatically on boot using a keyfile located on the root partition. This means that I need to unlock the boot disk(s) first; once they are unlocked, the keyfiles for the data disks are decrypted and ready to be used.
The keyfiles are dynamically and logically ordered and referenced on the root partition:
- /etc/secrets/disks/content-disk-1
- /etc/secrets/disks/content-disk-2
- /etc/secrets/disks/content-disk-3
- /etc/secrets/disks/content-disk-4
- /etc/secrets/disks/content-disk-5
- /etc/secrets/disks/content-disk-6
- /etc/secrets/disks/parity-disk-1
- /etc/secrets/disks/parity-disk-2
- /etc/secrets/disks/parity-disk-3
The LUKS partitions on the disks are dynamically and logically ordered:
- crypted-content-disk-1
- crypted-content-disk-2
- crypted-content-disk-3
- crypted-content-disk-4
- crypted-content-disk-5
- crypted-content-disk-6
- crypted-parity-disk-1
- crypted-parity-disk-2
- crypted-parity-disk-3
To automatically unlock the data disks, you need to set a crypttab entry. Since we are using NixOS, we will set the boot.initrd.luks.devices option.
This option needs the following: the volume name (e.g. crypted-content-1), the encrypted device (the UUID path) and the key file (the keyfile path). Here is a static example for one disk:
    boot.initrd.luks.devices = {
      # volume name: becomes /dev/mapper/my-device-mapper once unlocked
      "my-device-mapper" = {
        # encrypted device, referenced by UUID so the entry survives device renames
        device = "/dev/disk/by-uuid/YOUR-UUID-HERE";
        # keyfile on the (already unlocked) root partition
        keyFile = "/path/to/your-keyfile";
      };
    };
Volume names are logically ordered: crypted-data-1, crypted-data-2, crypted-data-3, [...], crypted-data-6, or crypted-parity-1, [...], crypted-parity-3.
The encrypted device is the path to the device, using the /dev/by-id/YOUR-UUID-HERE UUID path. This is the tricky part, since the disks are selected dynamically: the configuration needs to find the correct UUIDs, the same ones as those selected in the script.
The key file is the path to the keyfile; the keyfiles are logically ordered: /etc/secrets/disks/data-disk-1, /etc/secrets/disks/data-disk-2, /etc/secrets/disks/data-disk-3, [...], /etc/secrets/disks/data-disk-6 or /etc/secrets/disks/parity-disk-1, [...], /etc/secrets/disks/parity-disk-3.
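The following is an added example, not code from the deployer tool or its README, that puts the two rule sets above together: it applies the three content/parity assignment conditions from the disk-selection section to the selected data disks, then derives the boot.initrd.luks.devices entries from the result. It assumes the crypted-<role>-disk-N volume names and /etc/secrets/disks/<role>-disk-N keyfile paths listed earlier; the disk UUIDs and sizes are constructed placeholders.

```python
import math

KEYFILE_DIR = "/etc/secrets/disks"  # keyfile location from the spec above
MAX_DATA_DISKS = 9

def assign_data_disks(disks):
    """disks: list of (uuid, size_bytes) for the selected data disks.
    Returns (content, parity) lists in the order they will be numbered."""
    if len(disks) > MAX_DATA_DISKS:
        raise ValueError("at most 9 data disks may be selected")
    if not disks:
        return [], []
    if len(disks) == 1:  # a single data disk is always a content disk
        return list(disks), []
    # 1 parity disk for up to 2 content disks -> parity count = ceil(n / 3)
    parity_count = math.ceil(len(disks) / 3)
    by_size = sorted(disks, key=lambda d: d[1], reverse=True)  # largest first
    parity = by_size[:parity_count]  # the largest disks become parity disks
    content = by_size[parity_count:]
    assert len(content) <= 2 * len(parity)
    return content, parity

def luks_entries(content, parity):
    """Map every disk to its volume name, by-uuid device path and keyfile."""
    entries = {}
    for role, group in (("content", content), ("parity", parity)):
        for i, (uuid, _size) in enumerate(group, start=1):
            entries[f"crypted-{role}-disk-{i}"] = {
                "device": f"/dev/disk/by-uuid/{uuid}",
                "keyFile": f"{KEYFILE_DIR}/{role}-disk-{i}",
            }
    return entries

def render_nix(entries):
    """Render the mapping as a boot.initrd.luks.devices attribute set."""
    lines = ["boot.initrd.luks.devices = {"]
    for name, attrs in entries.items():
        lines.append(f'  "{name}" = {{')
        for key, value in attrs.items():
            lines.append(f'    {key} = "{value}";')
        lines.append("  };")
    lines.append("};")
    return "\n".join(lines)

# Constructed sample: five data disks with placeholder UUIDs, two of them larger.
SAMPLE = [("uuid-a", 4_000), ("uuid-b", 8_000), ("uuid-c", 4_000),
          ("uuid-d", 8_000), ("uuid-e", 4_000)]

if __name__ == "__main__":
    print(render_nix(luks_entries(*assign_data_disks(SAMPLE))))
```

With the sample, the two 8_000 disks become crypted-parity-disk-1 and -2 and the three remaining disks become crypted-content-disk-1 to -3, which satisfies the 1-parity-per-2-content rule.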