From dd8b23f5a9f7d1663c16f6d5dd6e98fd9cf579f8 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 13 Nov 2023 22:44:43 +0100 Subject: [PATCH 1/8] initial nixos-anywhere --- README.md | 4 +++ configuration.nix | 2 +- disk-config.nix | 55 ++++++++++++++++++++++++++++++++++++++ flake.nix | 6 +++-- hardware-configuration.nix | 20 +++++++------- 5 files changed, 74 insertions(+), 13 deletions(-) create mode 100644 disk-config.nix diff --git a/README.md b/README.md index b939dd7..0c6ba9b 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,10 @@ Currently, only one physical server (named jefke) is implemented. ## Deployment +### NEW + +`nix run github:numtide/nixos-anywhere -- --flake .#hypervisor root@jefke.hyp` + ### Prerequisites Before a NixOS definition can be deployed, some prerequite preparational steps must be performed. diff --git a/configuration.nix b/configuration.nix index 47e479c..0758029 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,5 +1,5 @@ { pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ ./hardware-configuration.nix ./disk-config.nix ]; boot.loader = { systemd-boot.enable = true; diff --git a/disk-config.nix b/disk-config.nix new file mode 100644 index 0000000..19ed6a6 --- /dev/null +++ b/disk-config.nix 
@@ -0,0 +1,55 @@ +# Running system: + +# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS +# nvme0n1 259:0 0 465,8G 0 disk +# ├─nvme0n1p1 259:1 0 512M 0 part /boot +# ├─nvme0n1p2 259:2 0 456,5G 0 part /nix/store +# │ / +# └─nvme0n1p3 259:3 0 8,8G 0 part [SWAP] + +# Filesystem 1K-blocks Used Available Use% Mounted on +# devtmpfs 809892 0 809892 0% /dev +# tmpfs 8098920 0 8098920 0% /dev/shm +# tmpfs 4049460 3988 4045472 1% /run +# tmpfs 8098920 456 8098464 1% /run/wrappers +# /dev/nvme0n1p2 469995160 17597168 428450100 4% / +# /dev/nvme0n1p1 523248 119660 403588 23% /boot +# tmpfs 1619784 0 1619784 0% /run/user/0 + +# Disk name: nvme0n1 +# disko template: simple-efi +# https://raw.githubusercontent.com/nix-community/disko/master/example/simple-efi.nix + +{ + disko.devices = { + disk = { + vdb = { + device = "/dev/nvme0n1"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "500M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} + diff --git a/flake.nix b/flake.nix index b1143c8..2a4f509 100644 --- a/flake.nix +++ b/flake.nix @@ -4,9 +4,11 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; deploy-rs.url = "github:serokell/deploy-rs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, deploy-rs, ... }: + outputs = { self, nixpkgs, deploy-rs, disko, ... }: let system = "x86_64-linux"; in { @@ -14,7 +16,7 @@ nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { inherit system; - modules = [ ./configuration.nix ]; + modules = [ disko.nixosModules.disko ./configuration.nix ]; }; deploy = { diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 37e8dd0..56e0248 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix 
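Review bot: The new disko layout has no swap partition although the `lsblk` listing in the file header shows one on the running system (nvme0n1p3, 8,8G, [SWAP]), and the matching `swapDevices` entry is only commented out in the hardware-configuration.nix hunk of this same patch, so the reinstalled machine will run without swap; if that is intended, say so in the header comment, otherwise add a partition with `content.type = "swap";`. The disk is keyed `vdb` but points at `/dev/nvme0n1`, which is misleading and can change when controllers or devices are added — a `/dev/disk/by-id/...` path is the safer `device` value. Consider also `mountOptions = [ "umask=0077" ];` on the ESP filesystem, since systemd-boot keeps its random seed under `/boot` and a default vfat mount leaves it world-readable.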
@@ -7,18 +7,18 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "/dev/disk/by-uuid/b78f591c-c9b6-4dae-9837-56716d38990b"; - fsType = "ext4"; - }; + # fileSystems."/" = { + # device = "/dev/disk/by-uuid/b78f591c-c9b6-4dae-9837-56716d38990b"; + # fsType = "ext4"; + # }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/6936-84C2"; - fsType = "vfat"; - }; + # fileSystems."/boot" = { + # device = "/dev/disk/by-uuid/6936-84C2"; + # fsType = "vfat"; + # }; - swapDevices = - [{ device = "/dev/disk/by-uuid/79fbd322-e58d-4e45-8969-06ef494cefea"; }]; + # swapDevices = + # [{ device = "/dev/disk/by-uuid/79fbd322-e58d-4e45-8969-06ef494cefea"; }]; networking.useDHCP = false; From 022a6aabb42b5b4bc78f93c56d3df19b0f5cf749 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Tue, 14 Nov 2023 23:53:04 +0100 Subject: [PATCH 2/8] remove ansible deploy ssh host and user keys using agenix deploy ssh certificates using ssh --- agenix.nix | 11 +++ ansible/.envrc | 1 - ansible/ansible.cfg | 8 -- ansible/deploy_secrets.yml | 32 ------- ansible/files/jefke_host_ed25519 | 25 ----- ansible/files/jefke_host_ed25519.pub | 1 - ansible/files/jefke_user_ed25519 | 25 ----- ansible/files/jefke_user_ed25519.pub | 1 - ansible/flake.lock | 27 ------ ansible/flake.nix | 26 ------ ansible/inventory/hosts.yml | 5 - configuration.nix | 13 ++- flake.lock | 87 ++++++++++++++++++ flake.nix | 18 +++- ...ed25519.crt => jefke_host_ed25519-cert.pub | 0 ...ed25519.crt => jefke_user_ed25519-cert.pub | 0 nixos-anywhere.sh | 23 +++++ secrets/jefke_host_ed25519.age | Bin 0 -> 680 bytes secrets/jefke_user_ed25519.age | Bin 0 -> 715 bytes secrets/secrets.nix | 16 ++++ 20 files changed, 159 insertions(+), 160 deletions(-) create mode 100644 agenix.nix delete mode 100644 ansible/.envrc delete mode 100644 ansible/ansible.cfg delete mode 100644 ansible/deploy_secrets.yml delete mode 100644 ansible/files/jefke_host_ed25519 delete mode 100644 ansible/files/jefke_host_ed25519.pub delete mode 100644 ansible/files/jefke_user_ed25519 delete mode 100644 ansible/files/jefke_user_ed25519.pub delete mode 100644 ansible/flake.lock delete mode 100644 ansible/flake.nix delete mode 100644 ansible/inventory/hosts.yml rename ansible/files/jefke_host_ed25519.crt => jefke_host_ed25519-cert.pub (100%) rename ansible/files/jefke_user_ed25519.crt => jefke_user_ed25519-cert.pub (100%) create mode 100644 nixos-anywhere.sh create mode 100644 secrets/jefke_host_ed25519.age create mode 100644 secrets/jefke_user_ed25519.age create mode 100644 secrets/secrets.nix diff --git a/agenix.nix b/agenix.nix new file mode 100644 index 0000000..2bd6b1b --- /dev/null +++ b/agenix.nix 
@@ -0,0 +1,11 @@ +{ + age = { + identityPaths = [ "/root/age_ed25519" ]; + + secrets = { + # TODO: make machine independent + "jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age; + "jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age; + }; + }; +} diff --git a/ansible/.envrc b/ansible/.envrc deleted file mode 100644 index 3550a30..0000000 --- a/ansible/.envrc +++ /dev/null @@ -1 +0,0 @@ -use flake diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg deleted file mode 100644 index 816bbb8..0000000 --- a/ansible/ansible.cfg +++ /dev/null @@ -1,8 +0,0 @@ -[defaults] -inventory=inventory -vault_password_file=$HOME/.config/home/ansible-vault-secret -host_key_checking = False -remote_user = root - -[diff] -always = True diff --git a/ansible/deploy_secrets.yml b/ansible/deploy_secrets.yml deleted file mode 100644 index 4d2f64d..0000000 --- a/ansible/deploy_secrets.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: Deploy secrets - hosts: jefke - tasks: - - name: Place user certificate - copy: - src: files/jefke_user_ed25519.crt - dest: /etc/ssh/ssh_user_ed25519_key-cert.pub - - - name: Place user public key - copy: - src: files/jefke_user_ed25519.pub - dest: /etc/ssh/ssh_user_ed25519_key.pub - - - name: Place user private key - copy: - src: files/jefke_user_ed25519 - dest: /etc/ssh/ssh_user_ed25519_key - - - name: Place host certificate - copy: - src: files/jefke_host_ed25519.crt - dest: /etc/ssh/ssh_host_ed25519_key-cert.pub - - - name: Place host public key - copy: - src: files/jefke_host_ed25519.pub - dest: /etc/ssh/ssh_host_ed25519_key.pub - - - name: Place host private key - copy: - src: files/jefke_host_ed25519 - dest: /etc/ssh/ssh_host_ed25519_key diff --git a/ansible/files/jefke_host_ed25519 b/ansible/files/jefke_host_ed25519 deleted file mode 100644 index 1b2f8fa..0000000 --- a/ansible/files/jefke_host_ed25519 +++ /dev/null 
@@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -37613631656435623262663132613734663862346638313566623466663838333634663934663539 -3035363062373461313937383365383233643861346562660a666235323134663361366635343037 -35316364633964333963363866333364333834646636326632313261633863616661373763346539 -3266346433356362620a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diff --git a/ansible/files/jefke_host_ed25519.pub b/ansible/files/jefke_host_ed25519.pub deleted file mode 100644 index f20ed71..0000000 --- a/ansible/files/jefke_host_ed25519.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9u root@jefke diff --git a/ansible/files/jefke_user_ed25519 b/ansible/files/jefke_user_ed25519 deleted file mode 100644 index 68f9b78..0000000 --- a/ansible/files/jefke_user_ed25519 +++ /dev/null @@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61393933316139623835666133666433393235376532643538363733656439356465393062636265 -3236373661386566326631636333346430316264616537320a386336376239613865363032666239 -63616166363837393562643836333765393536363564636365616638333939323436383735616262 -3331363766353038620a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diff --git a/ansible/files/jefke_user_ed25519.pub b/ansible/files/jefke_user_ed25519.pub deleted file mode 100644 index 2ff4efc..0000000 --- a/ansible/files/jefke_user_ed25519.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69 root@jefke diff --git a/ansible/flake.lock b/ansible/flake.lock deleted file mode 100644 index 342453d..0000000 --- a/ansible/flake.lock +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1698434055, - "narHash": "sha256-Phxi5mUKSoL7A0IYUiYtkI9e8NcGaaV5PJEaJApU1Ko=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1a3c95e3b23b3cdb26750621c08cc2f1560cb883", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/ansible/flake.nix b/ansible/flake.nix deleted file mode 100644 index f39a364..0000000 --- a/ansible/flake.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; - }; - - outputs = { - self, - nixpkgs, - ... - }: let - supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"]; - forEachSupportedSystem = f: - nixpkgs.lib.genAttrs supportedSystems (system: - f { - pkgs = import nixpkgs {inherit system;}; - }); - in { - devShells = forEachSupportedSystem ({pkgs}: { - default = pkgs.mkShell { - packages = with pkgs; [ - ansible - ]; - }; - }); - }; -} diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml deleted file mode 100644 index 3b608e7..0000000 --- a/ansible/inventory/hosts.yml +++ /dev/null @@ -1,5 +0,0 @@ -all: - hosts: - jefke: - ansible_user: root - ansible_host: jefke.hyp diff --git a/configuration.nix b/configuration.nix index 0758029..d20f040 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,5 +1,5 @@ -{ pkgs, ... }: { - imports = [ ./hardware-configuration.nix ./disk-config.nix ]; +{ pkgs, config, ... }: { + imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ]; boot.loader = { systemd-boot.enable = true; 
@@ -31,8 +31,10 @@ PasswordAuthentication = false; KbdInteractiveAuthentication = false; }; + # TODO! machine independent extraConfig = '' - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub + HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)} + HostKey ${config.age.secrets.jefke_host_ed25519.path} ''; }; @@ -64,9 +66,10 @@ }; }; + # TODO: machine independent extraConfig = '' - CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub - HostKey /etc/ssh/ssh_user_ed25519_key + CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)} + HostKey ${config.age.secrets.jefke_user_ed25519.path} ''; }; diff --git a/flake.lock b/flake.lock index 5390c4e..c5676f1 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
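Review bot: In the second hunk (`@@ -64,9 +66,10 @@`) the rewritten block mixes keyword sets: `CertificateFile` is an ssh_config (client) keyword while `HostKey` is an sshd_config keyword, so whichever config this `extraConfig` feeds, one of the two lines is an unknown option; if this is the client side (`programs.ssh.extraConfig`), the key line should read `IdentityFile ${config.age.secrets.jefke_user_ed25519.path}`. The enclosing attribute set starts outside the hunk, so this is inferred from the keywords alone. In the first hunk, adding `HostKey` through `extraConfig` leaves `services.openssh.hostKeys` at its default, so sshd will still generate and offer its own uncertified keys alongside the certified one unless that option is cleared elsewhere in the file — `services.openssh.hostKeys = [ ];` if only the agenix-managed key should be presented.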
@@ -20,6 +64,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699781810, + "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -36,6 +100,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1671417167, @@ -70,7 +155,9 @@ }, "root": { "inputs": { + "agenix": "agenix", "deploy-rs": "deploy-rs", + "disko": "disko", "nixpkgs": "nixpkgs_2" } }, diff --git a/flake.nix b/flake.nix index 2a4f509..585f61e 100644 --- a/flake.nix +++ b/flake.nix @@ -4,11 +4,17 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; deploy-rs.url = "github:serokell/deploy-rs"; - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, deploy-rs, disko, ... }: + outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }: let system = "x86_64-linux"; in { 
@@ -16,7 +22,11 @@ nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { inherit system; - modules = [ disko.nixosModules.disko ./configuration.nix ]; + modules = [ + disko.nixosModules.disko + agenix.nixosModules.default + ./configuration.nix + ]; }; deploy = { diff --git a/ansible/files/jefke_host_ed25519.crt b/jefke_host_ed25519-cert.pub similarity index 100% rename from ansible/files/jefke_host_ed25519.crt rename to jefke_host_ed25519-cert.pub diff --git a/ansible/files/jefke_user_ed25519.crt b/jefke_user_ed25519-cert.pub similarity index 100% rename from ansible/files/jefke_user_ed25519.crt rename to jefke_user_ed25519-cert.pub diff --git a/nixos-anywhere.sh b/nixos-anywhere.sh new file mode 100644 index 0000000..d6b6131 --- /dev/null +++ b/nixos-anywhere.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +# Create a temporary directory +temp=$(mktemp -d) + +# Function to cleanup temporary directory on exit +cleanup() { + rm -rf "$temp" +} +trap cleanup EXIT + +# TODO from here +# Create the directory where sshd expects to find the host keys +install -d -m755 "$temp/etc/ssh" + +# Decrypt your private key from the password store and copy it to the temporary directory +pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key" + +# Set the correct permissions so sshd will accept the key +chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key" + +# Install NixOS to the host system with our secrets +nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip 
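Review bot: The script is committed as a template rather than a working tool: `--flake '.#your-host' root@yourip` and the `# TODO from here` marker mean it cannot be run against what this flake defines (`hypervisor`, `root@jefke.hyp` per the README), so either take the target as an argument or mark the file as unfinished in its header. It also installs `pass ssh_host_ed25519_key` into `etc/ssh`, but agenix.nix in this same patch expects an age identity at `/root/age_ed25519` and takes the sshd host key from the decrypted secret instead, so the key this script deploys would not be the one sshd is configured to use. The decrypted key lives in a `mktemp -d` directory (0700, so the later `chmod 600` is not a race) and is removed by the `trap cleanup EXIT`, which is fine as far as it goes.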
diff --git a/secrets/jefke_host_ed25519.age b/secrets/jefke_host_ed25519.age new file mode 100644 index 0000000000000000000000000000000000000000..f4fbc01386d0090b9f89e7a07b6d3a6c6dc7b1e3 GIT binary patch literal 680 zcmV;Z0$2TEXJsvAZewzJaCB*JZZ2>vYj;#?X=rR>XKip-Zf0`|j^BhZ zgZ@#23?|4JblDZ*g{Ca26S>z1>fBbfq*=4B6wa{zrSdU13n3!qR(x?|U^(pw!Pnz4 zb-js|_NeKQu(}p$aYCxDDe+YR;<1n+rthh=Zv4%gbdBs)?e;8m6FjG_n+eT~-i39g zJ2z}~Gr(S$GO9aH-z_cr!lHWh`3E-06ALi9$e?C`4` zRA#_O4HOE#Ar)*)d@o3#3?b&sfSk+Mw$~*b3`PaFb}1u{UlG@TpBHwPcF`oMlDzz< z1dK$ynMESqY~eH3qZ99YXEPtcI$a66cg)UkN33PzZ5D6a;(09x)Ic?-WvYf$FLCr# z^PSC(m(=V{;;mcSD|lV9PNkW61hZd)O;P9Wfd$IQ__QkMWI&~5UA&(%))0b685W{v Oiw@&fbP9bps literal 0 HcmV?d00001 diff --git a/secrets/jefke_user_ed25519.age b/secrets/jefke_user_ed25519.age new file mode 100644 index 0000000000000000000000000000000000000000..50588c77dcae630c7fc1c89f413c302d3c6b1cbb GIT binary patch literal 715 zcmV;+0yO<$XJsvAZewzJaCB*JZZ27EJ6fv}MfCxqBCLbq)D` zP8>EafFMhD@w%1$HyQ~%A+kG}C*A+Rx809YT`INHx|OoX2b)P-TXTGF5Dl{9ZMcV) z!Jzq9L>HQ|yqJo>2)pYGs);1$K)pTg>QRhnRem4a8%A+H<2r|I+d3OffO3OPK&6)2NMP4g-( xV*K>Z(@iY9q?KM;eY(GrIyP9H1@7=jRyF1ka|#QQDtjcg%OmdXH#rL`AMzC@B*g## literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..03a5dd7 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,16 @@ +let + pkgs = import { }; + lib = pkgs.lib; + secrets = { + jefke = { + publicKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260" + ]; + encryptedFiles = [ "jefke_host_ed25519.age" "jefke_user_ed25519.age" ]; + }; + }; +in lib.attrsets.mergeAttrsList (builtins.map ({ publicKeys, encryptedFiles }: + lib.attrsets.mergeAttrsList (builtins.map + (encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; }) + encryptedFiles)) (lib.attrsets.attrValues secrets)) + From b4fbc0b95549fe039ecb3625d6f84150459bb63e Mon Sep 17 00:00:00 2001 
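Review bot: `publicKeys` lists only the `pim@x260` key, yet the host is meant to decrypt these files with `/root/age_ed25519` (`age.identityPaths` in agenix.nix, deployed by nixos-anywhere.sh); unless that identity is the very same `pim@x260` key copied onto the server — which would put a personal key on every host — the server cannot open either `.age` file. Add the server's own age public key to `jefke.publicKeys` and keep the personal key as the re-keying identity. `pkgs = import { };` as rendered has lost its argument (presumably `<nixpkgs>`, dropped by the page renderer), and in any case it evaluates whatever channel the invoking user has rather than the flake-pinned nixpkgs; `lib.attrsets.mergeAttrsList` is a recent addition to lib, so an older channel fails here with a missing-attribute error.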
From: Pim Kunis Date: Wed, 15 Nov 2023 11:41:45 +0100 Subject: [PATCH 3/8] improve nixos anywhere script: - deploy age identity - make script machine indepdendent - add sanity check for wiping the system create nix shell for running the script --- .envrc | 1 + flake.lock | 19 ++++++++++++++++++- flake.nix | 15 +++++++++++---- nixos-anywhere.sh | 38 +++++++++++++++++++++++++++++--------- 4 files changed, 59 insertions(+), 14 deletions(-) create mode 100644 .envrc mode change 100644 => 100755 nixos-anywhere.sh diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..c4b17d7 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use_flake diff --git a/flake.lock b/flake.lock index c5676f1..c86dadb 100644 --- a/flake.lock +++ b/flake.lock @@ -137,6 +137,22 @@ "type": "github" } }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1699725108, + "narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1699291058, @@ -158,7 +174,8 @@ "agenix": "agenix", "deploy-rs": "deploy-rs", "disko": "disko", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable" } }, "utils": { diff --git a/flake.nix b/flake.nix index 585f61e..42b3f0a 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; disko = { url = "github:nix-community/disko"; 
@@ -14,11 +15,17 @@ }; }; - outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }: - let system = "x86_64-linux"; + outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }: + let + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; + pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; in { + devShells.${system}.default = pkgs.mkShell { + packages = with pkgs-unstable; [ libsecret nixos-anywhere ]; + }; - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; + formatter = pkgs.nixfmt; nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { inherit system; @@ -36,7 +43,7 @@ nodes.jefke = { hostname = "jefke.hyp"; profiles.hypervisor = { - path = deploy-rs.lib.x86_64-linux.activate.nixos + path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hypervisor; }; }; diff --git a/nixos-anywhere.sh b/nixos-anywhere.sh old mode 100644 new mode 100755 index d6b6131..738cfe4 --- a/nixos-anywhere.sh +++ b/nixos-anywhere.sh @@ -1,4 +1,25 @@ #!/usr/bin/env bash +set -euo pipefail +IFS=$'\n\t' + +servername="${1-}" + +if [ -z "$servername" ] + then + echo "Usage: $0 SERVERNAME" + exit 1 +fi + +confirmation="Yes, wipe ${servername}." + +echo "⚠️ This will wipe ${servername} completely! ⚠️" +echo "Confirm by typing: \"${confirmation}\"" +read response + +if [ "$response" != "$confirmation" ]; then + echo "Aborting." + exit 1 +fi # Create a temporary directory temp=$(mktemp -d) 
@@ -9,15 +30,14 @@ cleanup() { } trap cleanup EXIT -# TODO from here -# Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/etc/ssh" +# Create directory where age key will go. +# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system. +mkdir "$temp/root" -# Decrypt your private key from the password store and copy it to the temporary directory -pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key" +secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519" -# Set the correct permissions so sshd will accept the key -chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key" +# Set the correct permissions +chmod 600 "$temp/root/age_ed25519" -# Install NixOS to the host system with our secrets -nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip +# Install NixOS to the host system with our age identity +nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp" From 3550a6e8a808a40806c591134e284b73df34794e Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 15 Nov 2023 12:55:57 +0100 Subject: [PATCH 4/8] create top-level machine definition that is used by both deploy-rs and nixos rename bootstrap script --- agenix.nix | 6 ++-- nixos-anywhere.sh => bootstrap.sh | 0 configuration.nix | 12 +++---- flake.nix | 58 +++++++++++++++++++++---------- 4 files changed, 48 insertions(+), 28 deletions(-) rename nixos-anywhere.sh => bootstrap.sh (100%) diff --git a/agenix.nix b/agenix.nix index 2bd6b1b..2f442c0 100644 --- a/agenix.nix +++ b/agenix.nix 
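Review bot: `mkdir "$temp/root"` creates the directory with the umask default (typically 0755); the comment says nixos-anywhere retains this structure on the final file system, so if it also preserves the mode, the target's `/root` can end up wider than the 0700 NixOS normally gives it — `mkdir -m 700 "$temp/root"` avoids depending on that. The identity is written and then `chmod 600`'d, which is acceptable inside the 0700 temp dir, but `(umask 077; secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519")` sets the mode from the first byte and drops the separate chmod. In the first hunk of this file, `read response` should be `read -r response` so a backslash in the typed confirmation is not interpreted.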
@@ -1,11 +1,11 @@ +{ machine, ...}: { age = { identityPaths = [ "/root/age_ed25519" ]; secrets = { - # TODO: make machine independent - "jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age; - "jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age; + "host_ed25519".file = ./secrets/${machine.name}_host_ed25519.age; + "user_ed25519".file = ./secrets/${machine.name}_user_ed25519.age; }; }; } diff --git a/nixos-anywhere.sh b/bootstrap.sh similarity index 100% rename from nixos-anywhere.sh rename to bootstrap.sh diff --git a/configuration.nix b/configuration.nix index d20f040..15c49d8 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: { +{ pkgs, config, machine, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ]; boot.loader = { @@ -31,10 +31,9 @@ PasswordAuthentication = false; KbdInteractiveAuthentication = false; }; - # TODO! machine independent extraConfig = '' - HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)} - HostKey ${config.age.secrets.jefke_host_ed25519.path} + HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert} + HostKey ${config.age.secrets.host_ed25519.path} ''; }; @@ -66,10 +65,9 @@ }; }; - # TODO: machine independent extraConfig = '' - CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)} - HostKey ${config.age.secrets.jefke_user_ed25519.path} + CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert} + HostKey ${config.age.secrets.user_ed25519.path} ''; }; diff --git a/flake.nix b/flake.nix index 42b3f0a..c5056ad 100644 --- a/flake.nix +++ b/flake.nix 
@@ -20,33 +20,55 @@ system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; + machines = { + jefke = { + name = "jefke"; + hostname = "jefke.hyp"; + user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub; + host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub; + }; + }; in { devShells.${system}.default = pkgs.mkShell { - packages = with pkgs-unstable; [ libsecret nixos-anywhere ]; - }; - - formatter = pkgs.nixfmt; - - nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - disko.nixosModules.disko - agenix.nixosModules.default - ./configuration.nix + packages = [ + pkgs.libsecret + pkgs-unstable.nixos-anywhere + pkgs-unstable.deploy-rs ]; }; + # TODO. if uncommented, nix flake check fails + # formatter = pkgs.nixfmt; + + # TODO create helper + nixosConfigurations = nixpkgs.lib.foldlAttrs (acc: name: machine: + acc // { + "${name}" = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit machine; }; + modules = [ + disko.nixosModules.disko + agenix.nixosModules.default + ./configuration.nix + ]; + }; + }) { } machines; + deploy = { sshUser = "root"; user = "root"; - nodes.jefke = { - hostname = "jefke.hyp"; - profiles.hypervisor = { - path = deploy-rs.lib.${system}.activate.nixos - self.nixosConfigurations.hypervisor; - }; - }; + # TODO create helper + nodes = nixpkgs.lib.foldlAttrs (acc: name: machine: + acc // { + "${name}" = { + hostname = machine.hostname; + profiles.hypervisor = { + path = deploy-rs.lib.${system}.activate.nixos + self.nixosConfigurations.${name}; + }; + }; + }) { } machines; }; checks = builtins.mapAttrs From 37f1e07e742562e82fa13f0fbd83c2450030cdb3 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Wed, 15 Nov 2023 13:06:59 +0100 Subject: [PATCH 5/8] create helpers for creating nixos system and deploy nodes move machine definitions to separate directory --- flake.nix | 58 +++++++++---------- machines/default.nix | 8 +++ .../jefke_host_ed25519-cert.pub | 0 .../jefke_user_ed25519-cert.pub | 0 4 files changed, 34 insertions(+), 32 deletions(-) create mode 100644 machines/default.nix rename jefke_host_ed25519-cert.pub => machines/jefke_host_ed25519-cert.pub (100%) rename jefke_user_ed25519-cert.pub => machines/jefke_user_ed25519-cert.pub (100%) diff --git a/flake.nix b/flake.nix index c5056ad..9b2b797 100644 --- a/flake.nix +++ b/flake.nix @@ -20,14 +20,16 @@ system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; - machines = { - jefke = { - name = "jefke"; - hostname = "jefke.hyp"; - user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub; - host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub; - }; - }; + machines = import ./machines; + mkNixosSystems = systemDef: + nixpkgs.lib.foldlAttrs (acc: name: machine: + acc // { + "${name}" = nixpkgs.lib.nixosSystem (systemDef machine); + }) { } machines; + mkDeployNodes = nodeDef: + nixpkgs.lib.foldlAttrs + (acc: name: machine: acc // { "${name}" = nodeDef machine; }) { } + machines; in { devShells.${system}.default = pkgs.mkShell { packages = [ 
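Review bot: Both helpers fold with `acc // { "${name}" = … }`, which is exactly what `lib.mapAttrs` does; `mkNixosSystems = systemDef: nixpkgs.lib.mapAttrs (_: machine: nixpkgs.lib.nixosSystem (systemDef machine)) machines;` and `mkDeployNodes = nodeDef: nixpkgs.lib.mapAttrs (_: nodeDef) machines;` read more directly and avoid rebuilding the accumulator attrset on every step. The `let` block these bindings sit in starts before the hunk.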
@@ -40,35 +42,27 @@ # TODO. if uncommented, nix flake check fails # formatter = pkgs.nixfmt; - # TODO create helper - nixosConfigurations = nixpkgs.lib.foldlAttrs (acc: name: machine: - acc // { - "${name}" = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = { inherit machine; }; - modules = [ - disko.nixosModules.disko - agenix.nixosModules.default - ./configuration.nix - ]; - }; - }) { } machines; + nixosConfigurations = mkNixosSystems (machine: { + inherit system; + specialArgs = { inherit machine; }; + modules = [ + disko.nixosModules.disko + agenix.nixosModules.default + ./configuration.nix + ]; + }); deploy = { sshUser = "root"; user = "root"; - # TODO create helper - nodes = nixpkgs.lib.foldlAttrs (acc: name: machine: - acc // { - "${name}" = { - hostname = machine.hostname; - profiles.hypervisor = { - path = deploy-rs.lib.${system}.activate.nixos - self.nixosConfigurations.${name}; - }; - }; - }) { } machines; + nodes = mkDeployNodes (machine: { + hostname = machine.hostname; + profiles.hypervisor = { + path = deploy-rs.lib.${system}.activate.nixos + self.nixosConfigurations.${machine.name}; + }; + }); }; checks = builtins.mapAttrs diff --git a/machines/default.nix b/machines/default.nix new file mode 100644 index 0000000..c9ebbe4 --- /dev/null +++ b/machines/default.nix @@ -0,0 +1,8 @@ +{ + jefke = { + name = "jefke"; + hostname = "jefke.hyp"; + user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub; + host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub; + }; +} diff --git a/jefke_host_ed25519-cert.pub b/machines/jefke_host_ed25519-cert.pub similarity index 100% rename from jefke_host_ed25519-cert.pub rename to machines/jefke_host_ed25519-cert.pub diff --git a/jefke_user_ed25519-cert.pub b/machines/jefke_user_ed25519-cert.pub similarity index 100% rename from jefke_user_ed25519-cert.pub rename to machines/jefke_user_ed25519-cert.pub From 8e6a40e87831743565a56006848c9b4c3fa2d56b Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Wed, 15 Nov 2023 13:10:27 +0100 Subject: [PATCH 6/8] fix formatter error --- agenix.nix | 3 +-- configuration.nix | 8 ++++++-- flake.nix | 3 +-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/agenix.nix b/agenix.nix index 2f442c0..afaaeb7 100644 --- a/agenix.nix +++ b/agenix.nix @@ -1,5 +1,4 @@ -{ machine, ...}: -{ +{ machine, ... }: { age = { identityPaths = [ "/root/age_ed25519" ]; diff --git a/configuration.nix b/configuration.nix index 15c49d8..bb8a309 100644 --- a/configuration.nix +++ b/configuration.nix @@ -32,7 +32,9 @@ KbdInteractiveAuthentication = false; }; extraConfig = '' - HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert} + HostCertificate ${ + builtins.toFile "host_ed25519-cert.pub" machine.host-cert + } HostKey ${config.age.secrets.host_ed25519.path} ''; }; @@ -66,7 +68,9 @@ }; extraConfig = '' - CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert} + CertificateFile ${ + builtins.toFile "user_ed25519-cert.pub" machine.user-cert + } HostKey ${config.age.secrets.user_ed25519.path} ''; }; diff --git a/flake.nix b/flake.nix index 9b2b797..bba273f 100644 --- a/flake.nix +++ b/flake.nix @@ -39,8 +39,7 @@ ]; }; - # TODO. if uncommented, nix flake check fails - # formatter = pkgs.nixfmt; + formatter.${system} = pkgs.nixfmt; nixosConfigurations = mkNixosSystems (machine: { inherit system; From 7fc138bc658a14d2433e139f9899326434199c2d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 15 Nov 2023 13:24:06 +0100 Subject: [PATCH 7/8] update readme update boostrap script --- README.md | 38 +++++++++++++++++++++----------------- bootstrap.sh | 2 +- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 0c6ba9b..fef1f04 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,27 @@
 # nixos-servers
 Nix definitions to configure our physical servers.
-Currently, only one physical server (named jefke) is implemented.
+Currently, only one physical server (named jefke) is implemented but more are planned!
+
+## Prerequisites
+
+1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
+2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
+3. Install Direnv ([link](https://direnv.net/))
+4. Allow direnv for this repository: `direnv allow`
+
+## Bootstrapping
+
+We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
+This reformats the hard disk of the server and installs a fresh NixOS.
+Additionally, it deploys an age identity, which is later used for decrypting secrets.
+
+⚠️ This will wipe your server completely ⚠️
+
+1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
+2. Ensure you have root SSH access to the server.
+3. Run nixos-anywhere: `./bootstrap `
 ## Deployment
-### NEW
-
-`nix run github:numtide/nixos-anywhere -- --flake .#hypervisor root@jefke.hyp`
-
-### Prerequisites
-
-Before a NixOS definition can be deployed, some prerequite preparational steps must be performed.
-
-1. Manually install NixOS on the physical machine. This could potentially be automated in the future with [nixos-anywhere](https://github.com/nix-community/nixos-anywhere), but for now this is a manual process.
-2. Enable SSH and install authorized keys.
-3. Ensure Python3 is installed for Ansible.
-4. Run Ansible playbook which deploys secrets `ansible-playbook deploy_secrets.yml`.
-
-### NixOS deployment
-
-Finally, the NixOS definition can be deployed as follows: `nix run github:serokell/deploy-rs`.
+Deployment can simply be done as follows: `deploy`
diff --git a/bootstrap.sh b/bootstrap.sh
index 738cfe4..69257bc 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -40,4 +40,4 @@ secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
 chmod 600 "$temp/root/age_ed25519"
 # Install NixOS to the host system with our age identity
-nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
+nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${servername}.hyp"
From 730ae4c4f22c1277e878d9447f357d263093977c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 15 Nov 2023 13:37:13 +0100
Subject: [PATCH 8/8] switch to flake version of nixos-anywhere due to nixos-unstable issue
---
 README.md | 2 +-
 bootstrap.sh | 2 +-
 flake.nix | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index fef1f04..c8e0376 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
 1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
 2. Ensure you have root SSH access to the server.
-3. Run nixos-anywhere: `./bootstrap `
+3. Run nixos-anywhere: `./bootstrap.sh `
 ## Deployment
diff --git a/bootstrap.sh b/bootstrap.sh
index 69257bc..0633b1d 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -40,4 +40,4 @@ secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
 chmod 600 "$temp/root/age_ed25519"
 # Install NixOS to the host system with our age identity
-nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${servername}.hyp"
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake ".#${servername}" "root@${servername}.hyp"
diff --git a/flake.nix b/flake.nix
index bba273f..e034fd9 100644
--- a/flake.nix
+++ b/flake.nix
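Review bot: The new `nixos-anywhere --extra-files "$temp"` line ships whatever `$temp/root/age_ed25519` contains, but the `secret-tool lookup` that fills it (shown as hunk context) is never checked, so a missing or mistyped `$servername` entry yields an empty file that is then installed as the server's age identity and every secret decrypt fails at first boot. The `chmod 600` also runs only after the redirect has already created the file with the umask default, which matters unless `$temp` itself is a 0700 directory. Adding `umask 077` before the lookup and `[ -s "$temp/root/age_ed25519" ] || { echo "no age identity for $servername" >&2; exit 1; }` after it closes both gaps; the script header with any `set -e` is outside the hunk, so the exit-status part may already be covered.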
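Review bot: `nix run github:numtide/nixos-anywhere` in the second bootstrap.sh hunk resolves to whatever the upstream default branch holds at run time, so the tool that repartitions the disk and receives the age identity over `--extra-files` is neither pinned nor recorded in flake.lock, and the flake.nix hunk in this same commit removes the only pinned copy (`pkgs-unstable.nixos-anywhere`) from the dev shell. Pinning to a revision, `github:numtide/nixos-anywhere/<commit-placeholder>`, fixes the reproducibility immediately; the cleaner fix is to add nixos-anywhere as a flake input (following nixpkgs) and put its package back into the devShell, e.g. `nixos-anywhere.packages.${system}.default` if the upstream flake exposes that attribute, so the version is locked and reviewed like every other input.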
@@ -34,7 +34,10 @@
 devShells.${system}.default = pkgs.mkShell {
 packages = [
 pkgs.libsecret
- pkgs-unstable.nixos-anywhere
+ # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow.
+ # Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242
+ # Should wait until this is merged in nixos-unstable.
+ # pkgs-unstable.nixos-anywhere
 pkgs-unstable.deploy-rs
 ];
 };