TEST
+31
-53
@@ -1,28 +1,36 @@
|
||||
{ modulesPath, config, lib, pkgs, inputs, ... }:
|
||||
|
||||
let
|
||||
# # Find all mount points that start with "/mnt/data-"
|
||||
# dataDiskMounts = lib.attrsets.attrNames (
|
||||
# lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/data-" name) config.fileSystems
|
||||
# );
|
||||
#
|
||||
# # Find all mount points that start with "/mnt/parity-"
|
||||
# parityDiskMounts = lib.attrsets.attrNames (
|
||||
# lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/parity-" name) config.fileSystems
|
||||
# );
|
||||
#
|
||||
# # Create an attribute set for snapraid data disks, e.g. { d1 = "/mnt/data-1"; d2 = "/mnt/data-2"; }
|
||||
# snapraidDataDisks = lib.lists.foldl'
|
||||
# (acc: path: acc // { "d${toString (acc.i + 1)}" = path; i = acc.i + 1; })
|
||||
# { i = 0; }
|
||||
# dataDiskMounts;
|
||||
#in
|
||||
# Find all mount points that start with "/mnt/data-"
|
||||
dataDiskMounts = lib.attrsets.attrNames (
|
||||
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/data-" name) config.fileSystems
|
||||
);
|
||||
|
||||
# Helper to get mount points for data and parity disks from disko config
|
||||
getMounts = prefix: lib.attrsets.attrNames (lib.attrsets.filterAttrs (n: v: v.mountPoint != null && lib.strings.hasPrefix v.mountPoint prefix) config.disko.devices.fs);
|
||||
dataDiskMounts = getMounts "/mnt/data-";
|
||||
parityDiskMounts = getMounts "/mnt/parity-";
|
||||
snapraidDataDisks = lib.listToAttrs (lib.imap0 (i: path: { name = "d${toString (i + 1)}"; value = path; }) dataDiskMounts);
|
||||
# Find all mount points that start with "/mnt/parity-"
|
||||
parityDiskMounts = lib.attrsets.attrNames (
|
||||
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/parity-" name) config.fileSystems
|
||||
);
|
||||
|
||||
# Create an attribute set for snapraid data disks, e.g. { d1 = "/mnt/data-1"; d2 = "/mnt/data-2"; }
|
||||
snapraidDataDisks = lib.lists.foldl'
|
||||
(acc: path: acc // { "d${toString (acc.i + 1)}" = path; i = acc.i + 1; })
|
||||
{ i = 0; }
|
||||
dataDiskMounts;
|
||||
|
||||
# Dynamically create LUKS device entries for data and parity disks.
|
||||
# This assumes the keyfiles are stored at /etc/secrets/disks/data-disk-1, /etc/secrets/disks/parity-disk-1, etc.
|
||||
# and that the LUKS devices are named luks-data-1, luks-parity-1, etc. in disk-config.nix.
|
||||
luksDataDevices = lib.lists.foldl'
|
||||
(acc: path: let index = builtins.elemAt (lib.strings.splitString "-" path) 2; in
|
||||
acc // { "luks-data-${index}" = { keyFile = "/run/secrets/disks/data-disk-${index}"; }; })
|
||||
{ }
|
||||
dataDiskMounts;
|
||||
|
||||
luksParityDevices = lib.lists.foldl'
|
||||
(acc: path: let index = builtins.elemAt (lib.strings.splitString "-" path) 2; in
|
||||
acc // { "luks-parity-${index}" = { keyFile = "/run/secrets/disks/parity-disk-${index}"; }; })
|
||||
{ }
|
||||
parityDiskMounts;
|
||||
in
|
||||
|
||||
{
|
||||
@@ -56,6 +64,7 @@ in
|
||||
# Bootloader options
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.initrd.systemd.tpm2.enable = true;
|
||||
boot.initrd.luks.devices = luksDataDevices // luksParityDevices;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
@@ -204,43 +213,12 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
# # Hard drives decryption
|
||||
# environment.etc."crypttab".text = ''
|
||||
# crypted-data-1 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-1 /run/secrets/disks/data-disk-1
|
||||
# crypted-data-2 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-2 /run/secrets/disks/data-disk-2
|
||||
# crypted-data-3 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-3 /run/secrets/disks/data-disk-3
|
||||
# crypted-data-4 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-4 /run/secrets/disks/data-disk-4
|
||||
# crypted-data-5 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-5 /run/secrets/disks/data-disk-5
|
||||
# crypted-data-6 /dev/disk/by-uuid/THE-UUID-OF-DATA-DISK-6 /run/secrets/disks/data-disk-6
|
||||
# crypted-parity-1 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-1 /run/secrets/disks/parity-disk-1
|
||||
# crypted-parity-2 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-2 /run/secrets/disks/parity-disk-2
|
||||
# crypted-parity-3 /dev/disk/by-uuid/THE-UUID-OF-PARITY-DISK-3 /run/secrets/disks/parity-disk-3
|
||||
# '';
|
||||
|
||||
# Declarative LUKS decryption for data and parity disks
|
||||
boot.luks.devices =
|
||||
let
|
||||
# This function generates the attribute set for a LUKS device
|
||||
mkLuksDevice = type: index:
|
||||
lib.nameValuePair "crypted-${type}-${toString index}" {
|
||||
device = "/dev/disk/by-partlabel/${type}-disk-${toString index}";
|
||||
keyFile = "/run/secrets/disks/${type}-disk-${toString index}";
|
||||
# This option tells systemd to measure the LUKS header into PCR 15
|
||||
};
|
||||
in
|
||||
# Merge attributes for data and parity disks
|
||||
lib.attrsets.listToAttrs (
|
||||
(lib.lists.imap1 (i: _: mkLuksDevice "data" i) dataDiskMounts) ++
|
||||
(lib.lists.imap1 (i: _: mkLuksDevice "parity" i) parityDiskMounts)
|
||||
);
|
||||
|
||||
# SnapRAID for data redundancy
|
||||
services.snapraid = {
|
||||
enable = true;
|
||||
contentFiles = map (disk: "${disk}/snapraid.content") dataDiskMounts;
|
||||
parityFiles = map (disk: "${disk}/snapraid.parity") parityDiskMounts;
|
||||
# dataDisks = builtins.removeAttrs snapraidDataDisks [ "i" ]; # This correctly creates the required attribute set.
|
||||
dataDisks = snapraidDataDisks;
|
||||
dataDisks = builtins.removeAttrs snapraidDataDisks [ "i" ];
|
||||
# Using default sync and scrub schedules:
|
||||
# Sync runs daily at 01:00.
|
||||
# Scrub runs weekly on Monday at 02:00.
|
||||
|
||||
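Review bot: The new `getMounts` helper in the first hunk passes the arguments to `lib.strings.hasPrefix` in the wrong order: the function takes the prefix first, so `hasPrefix v.mountPoint prefix` asks whether `"/mnt/data-"` starts with the mount point, which is false for any real mount, and both `dataDiskMounts` and `parityDiskMounts` evaluate to `[]` — snapraid then gets no disks and `boot.initrd.luks.devices` (second hunk) no entries, most likely without an evaluation error to flag it, whereas the replaced code had the order right. `attrNames` also yields the keys of `config.disko.devices.fs` rather than the `mountPoint` values the comment promises, and the `luks*Devices` folds read element 2 of `splitString "-" path`, which a value such as `/mnt/data-1` does not have (it splits into two elements) — so either the list holds names rather than paths, or those folds fail; which of those lines are new is not visible on this page. Suggested replacement: `getMounts = prefix: lib.attrsets.mapAttrsToList (_: v: v.mountPoint) (lib.attrsets.filterAttrs (_: v: v.mountPoint != null && lib.strings.hasPrefix prefix v.mountPoint) config.disko.devices.fs);`, and if the disko option is spelled `mountpoint` rather than `mountPoint`, use that spelling. The `let` block's consumers continue in the later hunks.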
@@ -149,6 +149,7 @@ services_selection() {
|
||||
|
||||
files_generation() {
|
||||
echo -e "\n\n ✅ Generating necessary folder tree..."
|
||||
mkdir -p extra-files/run/secrets/disks/
|
||||
mkdir -p extra-files/var/lib/sops-nix/
|
||||
mkdir -p extra-files/etc/nixos/secrets/
|
||||
mkdir -p extra-files/mnt/config-storage/traefik/config/conf/
|
||||
@@ -185,6 +186,9 @@ files_generation() {
|
||||
export PARITY_DISK_3_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
|
||||
export BOOT_DISK_1_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
|
||||
export BOOT_DISK_2_KEY="$(openssl rand -base64 10 | tr -d '\=+/ ')"
|
||||
for i in {1..6}; do echo -n "${!DATA_DISK_${i}_KEY}" > "extra-files/run/secrets/disks/data-disk-$i"; done
|
||||
for i in {1..3}; do echo -n "${!PARITY_DISK_${i}_KEY}" > "extra-files/run/secrets/disks/parity-disk-$i"; done
|
||||
for i in {1..2}; do echo -n "${!BOOT_DISK_${i}_KEY}" > "extra-files/run/secrets/disks/boot-disk-$i"; done
|
||||
|
||||
echo "$REMOTE_PASS" | ssh_to_host """
|
||||
sudo -S mkdir -p /run/secrets/disks/
|
||||
@@ -200,16 +204,6 @@ files_generation() {
|
||||
echo -n $BOOT_DISK_1_KEY | sudo -S tee /run/secrets/disks/boot-disk-1 > /dev/null
|
||||
echo -n $BOOT_DISK_2_KEY | sudo -S tee /run/secrets/disks/boot-disk-2 > /dev/null
|
||||
"""
|
||||
mkdir -p extra-files/run/secrets/disks/
|
||||
echo -n $DATA_DISK_1_KEY > extra-files/run/secrets/disks/data-disk-1
|
||||
echo -n $DATA_DISK_2_KEY > extra-files/run/secrets/disks/data-disk-2
|
||||
echo -n $DATA_DISK_3_KEY > extra-files/run/secrets/disks/data-disk-3
|
||||
echo -n $DATA_DISK_4_KEY > extra-files/run/secrets/disks/data-disk-4
|
||||
echo -n $DATA_DISK_5_KEY > extra-files/run/secrets/disks/data-disk-5
|
||||
echo -n $DATA_DISK_6_KEY > extra-files/run/secrets/disks/data-disk-6
|
||||
echo -n $PARITY_DISK_1_KEY > extra-files/run/secrets/disks/parity-disk-1
|
||||
echo -n $PARITY_DISK_2_KEY > extra-files/run/secrets/disks/parity-disk-2
|
||||
echo -n $PARITY_DISK_3_KEY > extra-files/run/secrets/disks/parity-disk-3
|
||||
|
||||
echo -e "\n ✅ Encrypting secrets in the correct file..."
|
||||
envsubst < "config-files/sops-nix/secrets.yaml" | sops encrypt --filename-override secrets.yaml \
|
||||
|
||||
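Review bot: The three `for i in {1..N}` loops added in the second shell hunk use `"${!DATA_DISK_${i}_KEY}"`, which bash rejects as a bad substitution — indirect expansion needs a plain variable name, not a nested expansion — so the key files under `extra-files/run/secrets/disks/` are never written, while the per-disk `echo -n $DATA_DISK_1_KEY > …` lines that used to write them are removed in the third hunk. Build the name first: `for i in {1..6}; do var="DATA_DISK_${i}_KEY"; echo -n "${!var}" > "extra-files/run/secrets/disks/data-disk-$i"; done`, and likewise for the parity and boot loops. Since these files hold LUKS key material, the rewrite is also the natural place to create them under a restrictive umask, e.g. wrapping the loops in `(umask 077; …)`, so they are not readable by other users in the staging tree before they are copied to the host; the removed lines had the same gap. `files_generation` continues beyond these hunks.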