Update TPM configuration. Added systemD pi-hole.service priority.

This commit is contained in:
Raphaël Numbus
2026-02-08 09:57:04 +01:00
parent d4a8f7f5bc
commit 1f26f51072
11 changed files with 66 additions and 30 deletions
+28 -10
@@ -161,6 +161,7 @@ if ls -l /sys/class/tpm/tpm0/ > /dev/null 2>&1; then
TARGET_TPM_VERSION=\$(cat /sys/class/tpm/tpm0/tpm_version_major) TARGET_TPM_VERSION=\$(cat /sys/class/tpm/tpm0/tpm_version_major)
else else
TARGET_TPM="false" TARGET_TPM="false"
TARGET_TPM_VERSION="N/A"
fi fi
HDD=1 HDD=1
@@ -641,10 +642,11 @@ nix_generation() {
sed -i "s*PODMAN_NETWORKS*${PODMAN_NETWORKS//$'\n'/\\n}*" final-nix-config/etc/nixos/misc/activation.nix sed -i "s*PODMAN_NETWORKS*${PODMAN_NETWORKS//$'\n'/\\n}*" final-nix-config/etc/nixos/misc/activation.nix
sed -i "s|TRAEFIK_NETWORKS|${TRAEFIK_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix sed -i "s|TRAEFIK_NETWORKS|${TRAEFIK_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix
sed -i "s|TRAEFIK_REF_NETWORKS|${TRAEFIK_REF_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix sed -i "s|TRAEFIK_REF_NETWORKS|${TRAEFIK_REF_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix
if [[ "${TARGET_TPM}" == "true" ]]; then if [[ "${TARGET_TPM}" == "true" && ${TARGET_TPM_VERSION} -eq 2 ]]; then
sed -i "s|# boot.initrd.systemd.tpm2.enable = true;| boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix
cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/
sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|" final-nix-config/etc/nixos/configuration.nix sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|" final-nix-config/etc/nixos/configuration.nix
sed -i "s|# boot.initrd.systemd.tpm2.enable = true;| boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix
sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix
cp -avu templates/nix-config/disks/pcr-check.nix final-nix-config/etc/nixos/disks/
fi fi
} }
@@ -869,7 +871,19 @@ postrun_action() {
fi fi
done done
ssh_to_host 'bash -s' << EOF if [[ "${TARGET_TPM}" == "true" && "${TARGET_TPM_VERSION}" == "2" ]]; then
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
A TPM version 2 has been detected on the system. You can choose to enable automatic disk decryption on boot.
Enabling automatic disk decryption on boot means that you won't have to enter your disk password everytime you start your server.
This comes in very handy if you don't plan to leave your server accessible with a keyboard or if you don't have an IP KVM.
Note : This feature is currently vulnerable to on-site attacks. This means that an attacker with physical access to your machine
could steal the password from the TPM, and therefore have access to all your date.
Do you want to enable automatic disk decryption on boot ?"
if gum confirm "➡️ I understand, 'yes' to proceed."; then
ssh_to_host 'bash -s' << EOF
echo "Enrolling boot disk key to TPM..." echo "Enrolling boot disk key to TPM..."
if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then
echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME} echo ${REMOTE_PASS} | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISK_1_NAME}
@@ -881,16 +895,20 @@ fi
echo "Getting PCRS 15 hash..." echo "Getting PCRS 15 hash..."
PCR_HASH=\$(echo ${REMOTE_PASS} | sudo -S systemd-analyze pcrs 15 --json=short) PCR_HASH=\$(echo ${REMOTE_PASS} | sudo -S systemd-analyze pcrs 15 --json=short)
sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix
sed -i "s|# systemIdentity.pcr15 = "PCR_HASH";| systemIdentity.pcr15 = "PCR_HASH";|" /etc/nixos/configuration.nix
sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix
EOF EOF
else
echo "Skipping TPM configuration."
fi
else
echo "No supported TPM detected (TPM2 required). Skipping TPM configuration."
fi
gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 " gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
⚠️ $(gum style --foreground 212 'WARNING:') You will now set the password of the numbus-admin user. \ ⚠️ $(gum style --foreground 212 'WARNING:') You will now set the password of the numbus-admin user. \
You will almost never user it. Consider using a very strong password : you can write it down \ You will almost never user it. Consider using a very strong password : you can write it down \
securely on a hidden sheet of paper or add it to your password manager (local with Passbolt \ securely on a hidden sheet of paper or add it to your password manager (locally with Passbolt \
any other online password manager provider.)." with any other online password manager provider)."
gum confirm "➡️ I understand, 'yes' to proceed." || { echo -e "\n\n❌ Aborting as requested."; exit 1; } gum confirm "➡️ I understand, 'yes' to proceed." || { echo -e "\n\n❌ Aborting as requested."; exit 1; }
@@ -968,7 +986,7 @@ if [[ "$ACTION_ANSWER" == "[1] 🌐 Deploy NixOS on a remote machine" ]]; then
sum_up sum_up
export_configuration export_configuration
deploy deploy
[[ ${TARGET_TPM} == "true" ]] && postrun_action postrun_action
congrats congrats
elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a file configuration" ]]; then elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a file configuration" ]]; then
@@ -990,7 +1008,7 @@ elif [[ "$ACTION_ANSWER" == "[2] 💽 Deploy NixOS on a remote machine with a fi
sum_up sum_up
export_configuration export_configuration
deploy deploy
[[ ${TARGET_TPM} == "true" ]] && postrun_action postrun_action
congrats congrats
elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then elif [[ "$ACTION_ANSWER" == "[3] 🛠️ Update a NixOS remote machine" ]]; then
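Review bot: In the nix_generation hunk the line that appears on the new side, `sed -i "s|# systemIdentity.enable = true;| systemIdentity.enable = true;|" /etc/nixos/configuration.nix`, targets the deploying machine's own /etc/nixos/configuration.nix, while every neighbouring sed in that function edits `final-nix-config/etc/nixos/configuration.nix`; as written the generated config never gets systemIdentity enabled and the local host's config may be touched instead, so the path should read `final-nix-config/etc/nixos/configuration.nix`. In the postrun_action hunk the uncommenting of `systemIdentity.pcr15` appears to have been removed, yet the remote script still runs `sed -i "s|PCR_HASH|\${PCR_HASH}|" /etc/nixos/configuration.nix`, so unless pcr-check.nix sets pcr15 itself the hash lands on a line that stays commented — worth confirming. The TPM-2 check is written as `${TARGET_TPM_VERSION} -eq 2` in nix_generation but `"${TARGET_TPM_VERSION}" == "2"` in postrun_action; use the quoted string form in both, since the unquoted arithmetic form would error if it ever saw the `N/A` fallback value. The new prompt text says "all your date" and "everytime" where "all your data" and "every time" are intended. Both nix_generation and postrun_action begin before their hunks, so the surrounding control flow is not visible here.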
+3 -3
@@ -10,7 +10,7 @@
./misc/mail.nix ./misc/mail.nix
./misc/networking.nix ./misc/networking.nix
./misc/smart.nix ./misc/smart.nix
## ./disks/pcr-check.nix # ./disks/pcr-check.nix
# ./disks/snapraid.nix # ./disks/snapraid.nix
# ./pcie-coral/coral.nix # ./pcie-coral/coral.nix
]; ];
@@ -48,8 +48,8 @@
# boot.initrd.systemd.tpm2.enable = true; # boot.initrd.systemd.tpm2.enable = true;
# # TPM2 PCR check # # TPM2 PCR check
## systemIdentity.enable = true; # systemIdentity.enable = true;
## systemIdentity.pcr15 = "PCR_HASH"; # systemIdentity.pcr15 = "PCR_HASH";
# Timezone # Timezone
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
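Review bot: The `# ./disks/pcr-check.nix`, `# systemIdentity.enable = true;` and `# systemIdentity.pcr15 = "PCR_HASH";` lines are now matched byte-for-byte by sed patterns in the deploy script, which nothing in this template reveals; a comment above each of the two groups, such as `# NOTE: the single-# lines below are uncommented by sed during deployment — keep their exact spelling and indentation`, would stop the next tidy-up from reintroducing `##` and silently breaking TPM enrolment. Nothing visible in this commit still uncomments the pcr15 line, so confirm that `PCR_HASH` is substituted into a setting that is actually live.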
+27 -9
@@ -15,27 +15,45 @@ in
'' ''
''; '';
systemd.services.${container_name} = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" "traefik.service" ]; after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman-compose pkgs.podman ]; path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = { serviceConfig = {
User = "numbus-admin"; User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ]; Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec"; Type = "exec";
# Pull the latest image before running TimeoutStartSec = "600";
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"; ExecStartPre = [
# Bring the service up "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans"; ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down"; ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10m"; RestartSec = "5m";
StartLimitBurst = "3"; StartLimitBurst = "3";
StartLimitIntervalSec = "30s";
}; };
}; };
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
}; };
} }
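Review bot: The new pair `after = [ "network.target" ]; requires = [ "traefik.service" ];` drops traefik.service from `after`, and Requires= alone carries no ordering, so this container may now be started concurrently with the proxy; if it must come up after traefik, keep `after = [ "network.target" "traefik.service" ];` next to the new `requires`. `StartLimitIntervalSec = "30s"` together with `RestartSec = "5m"` means three starts can never fall inside the 30 s window, so the existing `StartLimitBurst = "3"` never trips and a persistently failing container restarts every five minutes indefinitely; either a window longer than three restart periods or a comment stating that unbounded restarts are intended would make the intent explicit, and note that these two keys are documented as [Unit] directives, which NixOS exposes via `unitConfig` rather than `serviceConfig`. The new update-${container_name} timer restarts the unit nightly, which through the `-…podman-compose … pull` ExecStartPre fetches whatever the compose file's image tags currently resolve to; unless that file pins digests this is an unattended supply-chain update path, and a comment saying so on the timer (ideally with the pull's image IDs logged) would help whoever audits it later. The `sleep $((RANDOM % 180))` plus the pull must fit inside the new `TimeoutStartSec = "600"`; a short comment on that line explaining the budget would prevent someone lowering it.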
+1 -1
@@ -55,7 +55,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "traefik.service" "home-assistant.service" "pi-hole.service" ];
requires = [ "traefik.service" "home-assistant.service" ]; requires = [ "traefik.service" "home-assistant.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
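Review bot: The new `after = [ "traefik.service" "home-assistant.service" "pi-hole.service" ];` drops `network.target`, which every sibling module in this commit keeps, and adds pi-hole.service only to `after` while `requires` is unchanged; After= is pure ordering and does not pull pi-hole in, so on a host where pi-hole.service is disabled or has failed this container starts without it. If the containers depend on pi-hole being up (for DNS, presumably), add `wants = [ "pi-hole.service" ];` as well, or note in a comment that the ordering is deliberately soft; the same point applies to the `after =` line in each of the seven +1/-1 sections that follow this one. Restoring `"network.target"` here keeps the module consistent with the others. With an identical dependency list now copied across these modules, a shared attribute in the `let … in` block the files already use would keep the lists from drifting again.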
+1 -1
@@ -68,7 +68,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
@@ -55,7 +55,7 @@ in
''; '';
systemd.services.${container_name} = { systemd.services.${container_name} = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
+1 -1
@@ -92,7 +92,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
+1 -1
@@ -35,7 +35,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
+1 -1
@@ -58,7 +58,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
+1 -1
@@ -87,7 +87,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];
+1 -1
@@ -64,7 +64,7 @@ in
systemd.services."${container_name}" = { systemd.services."${container_name}" = {
description = "Podman container : ${container_name}"; description = "Podman container : ${container_name}";
after = [ "network.target" ]; after = [ "network.target" "traefik.service" "pi-hole.service" ];
requires = [ "traefik.service" ]; requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman pkgs.coreutils ]; path = [ pkgs.podman pkgs.coreutils ];