From f3820504dd833ddb804a3122d0073b7d2eb448c1 Mon Sep 17 00:00:00 2001 From: Astrid Yu Date: Mon, 25 Mar 2024 00:36:55 -0700 Subject: [PATCH] boop is boopstrapped --- machines/boop/README.md | 2 +- machines/boop/boot.nix | 20 ++--- machines/boop/bootstrap.sh | 28 +++++++ machines/boop/configuration.nix | 30 ++++++++ machines/boop/fs.nix | 1 + machines/boop/initrd/ssh_host_ed25519_key | 11 ++- machines/boop/initrd/ssh_host_ed25519_key.pub | 2 +- machines/boop/initrd/ssh_host_rsa_key | 73 +++++++++---------- machines/boop/initrd/ssh_host_rsa_key.pub | 2 +- nix/nixos-modules/roles/server.nix | 8 +- 10 files changed, 118 insertions(+), 59 deletions(-) create mode 100644 machines/boop/bootstrap.sh diff --git a/machines/boop/README.md b/machines/boop/README.md index 0999d27c..71400ed4 100644 --- a/machines/boop/README.md +++ b/machines/boop/README.md @@ -1,3 +1,3 @@ -# `xn--vp9h` (pronounced 🤓) +# boop another server for applications and compute and stuff diff --git a/machines/boop/boot.nix b/machines/boop/boot.nix index 4d1c103d..e9e6a9fc 100644 --- a/machines/boop/boot.nix +++ b/machines/boop/boot.nix @@ -1,16 +1,18 @@ inputs: -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; let constants = import ./constants.nix; in { boot.loader = { - efi.canTouchEfiVariables = true; + efi = { + efiSysMountPoint = "/boot"; + canTouchEfiVariables = true; + }; grub = { enable = true; devices = [ "nodev" ]; efiSupport = true; - useOSProber = true; # splashImage = ./nerd-emoji.jpg; }; }; 
@@ -23,17 +25,17 @@ in { # because we want to be able to decrypt host keys over SSH boot.initrd.network = { - udhcpc = { - enable = true; - extraArgs = [ "-i" constants.mgmt_if ]; - }; + enable = true; + udhcpc.enable = true; postCommands = '' ip addr ''; ssh = { enable = true; - port = 2222; - hostKeys = [ ./initrd/ssh_host_rsa_key ./initrd/ssh_host_ed25519_key ]; + hostKeys = [ + (pkgs.writeText "ssh_host_rsa_key" (builtins.readFile ./initrd/ssh_host_rsa_key)) + (pkgs.writeText "ssh_host_ed25519_key" (builtins.readFile ./initrd/ssh_host_ed25519_key)) + ]; authorizedKeys = inputs.self.lib.sshKeyDatabase.users.astrid; }; }; diff --git a/machines/boop/bootstrap.sh b/machines/boop/bootstrap.sh new file mode 100644 index 00000000..8fcbdf0a --- /dev/null +++ b/machines/boop/bootstrap.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +set -euxo pipefail + +mkdisks() { + zpool create rpool mirror /dev/disk/by-id/nvme-eui.6479a7869ad03b89 /dev/disk/by-id/nvme-eui.6479a7869ad04a16 + zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase rpool/enc + zfs set mountpoint=none rpool + zfs set compression=on rpool + for pool in rpool/enc/var rpool/enc/etc rpool/enc/tmp rpool/enc/home rpool/nix; do + zfs create -o mountpoint=legacy $pool + done + zfs list +} + +mountdisks() { + mount -t tmpfs -o size=256M,mode=755 rootfs /mnt + mount -t zfs -o x-mount.mkdir rpool/enc/tmp /mnt/tmp + mount -t zfs -o x-mount.mkdir rpool/nix /mnt/nix + mount -t zfs -o x-mount.mkdir rpool/enc/var /mnt/var + mount -t zfs -o x-mount.mkdir rpool/enc/etc /mnt/etc + mount -t zfs -o x-mount.mkdir rpool/enc/home /mnt/home + mount -o x-mount.mkdir /dev/disk/by-uuid/D30E-26C7 /mnt/boot +} + +runinstall() { + nixos-install --no-channel-copy --option substituters "" $@ +} \ No newline at end of file diff --git a/machines/boop/configuration.nix b/machines/boop/configuration.nix index 3db8db2b..f75ba20f 100644 --- a/machines/boop/configuration.nix +++ b/machines/boop/configuration.nix 
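Review bot: Wrapping the keys in `pkgs.writeText "…" (builtins.readFile ./initrd/ssh_host_*_key)` in the `hostKeys` list places both initrd SSH private keys in world-readable `/nix/store` paths, and the same key files are committed to this repository in the later hunks; anyone who can read the store on boop or clone the repo can impersonate the initrd sshd and capture the ZFS passphrase that this server exists to receive (`rpool/enc` is created with `keylocation=prompt` in bootstrap.sh). The NixOS option documentation for `boot.initrd.network.ssh.hostKeys` warns about exactly this; the usual fix is to generate the keys on the machine itself (`ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`) and reference them as plain strings, `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];`, so the module ships them as initrd secrets instead of store paths. Dropping `port = 2222;` also puts the initrd sshd on the same host:port as the real system sshd with a different host key, so every unlock will raise a host-key-changed warning that the operator is trained to ignore — keep a distinct port, or pin the initrd key with a separate `known_hosts` entry via `HostKeyAlias`. The removed `extraArgs = [ "-i" constants.mgmt_if ]` also means udhcpc now brings up every interface rather than only the management one; if that is intended, a one-line comment saying so would help.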
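Review bot: `runinstall` forwards its arguments as bare `$@`, which is word-split and glob-expanded by the shell, so any argument containing spaces or `*` is mangled before reaching `nixos-install`; it should be `nixos-install --no-channel-copy --option substituters "" "$@"`. The `zpool create` line sets no pool properties; NixOS-on-ZFS guides commonly recommend `-o ashift=12 -O acltype=posixacl -O xattr=sa` (journald needs POSIX ACLs), so unless these defaults were checked for this hardware they are worth adding — treat this as a suggestion to verify rather than a confirmed defect. The functions are only defined, never called, so a short header comment such as `# usage: source this file, then run mkdisks, mountdisks, runinstall <flake-args>` would document the intended workflow; the file also lacks a trailing newline.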
@@ -17,6 +17,7 @@ with lib; { astral = { users.alia.enable = true; + users.astrid.enable = true; virt = { docker.enable = true; libvirt.enable = true; @@ -44,4 +45,33 @@ with lib; { recommendedOptimisation = true; recommendedGzipSettings = true; }; + + # tmp for debug + services.getty.autologinUser = "root"; + + virtualisation.vmVariant = { + # Autologin as root because we testin here + services.getty.autologinUser = "root"; + + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.eno0.useDHCP = mkForce false; + + virtualisation = { + graphics = false; + diskSize = 8192; + + forwardPorts = [ + { + from = "host"; + host.port = 2222; + guest.port = 22; + } + { + from = "host"; + guest.port = 80; + host.port = 8080; + } + ]; + }; + }; } diff --git a/machines/boop/fs.nix b/machines/boop/fs.nix index 50f3d457..557bc805 100644 --- a/machines/boop/fs.nix +++ b/machines/boop/fs.nix @@ -4,6 +4,7 @@ fileSystems."/" = { device = "rootfs"; fsType = "tmpfs"; + options = [ "defaults" "size=256M" "mode=755" ]; }; fileSystems."/tmp" = { diff --git a/machines/boop/initrd/ssh_host_ed25519_key b/machines/boop/initrd/ssh_host_ed25519_key index d51cad3e..f67144d3 100644 --- a/machines/boop/initrd/ssh_host_ed25519_key +++ b/machines/boop/initrd/ssh_host_ed25519_key 
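Review bot: The top-level `services.getty.autologinUser = "root";` under `# tmp for debug` is outside `virtualisation.vmVariant`, so it applies to the real boop deployment and hands a root shell to anyone at a console or serial getty without credentials — which also makes the ZFS passphrase prompt and the linux_hardened kernel moot once the machine is unlocked. The vmVariant block directly below already sets the same option for the test VM, so the top-level copy appears to be a leftover; I would delete those two lines, or if it is genuinely needed during bring-up, replace the comment with `# TODO(astrid): remove before deploying; grants passwordless root on every getty` so it cannot be merged silently. The `forwardPorts` entries mix `host.port`/`guest.port` ordering between the two items; writing both as `host.port` then `guest.port` would read more consistently.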
@@ -1,8 +1,7 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDTxRDob4
-4LmmUE//yPbisVAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGAtSF+Kx47/zdUe
-5/3L06RbULmoEFnJi9Jmd9q2ia5NAAAAoGCPHycy7g8DVslaHrXmhhfwotFW6VnSUn7/pE
-3UQAt5KMxNfWLWXsDNpxQBVJ6sYPesrirlWg2hcAPvt2fFGPLe4tbICKqje2F8cS5enTfr
-S/GcusyaC4/xmD0udZEpFLqx1dvP3VxickCuml28NItZqspwny25htcahpOaE/RZeHLHXZ
-CKzEGBnBHBdwgQUwIwXA67m2IyvjxO3ZmHLoo=
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBC8L/jKIgAm/NtHruBIuj9ByVY0++i31NhVKwVpbKwAAAAAJhKZyfpSmcn
+6QAAAAtzc2gtZWQyNTUxOQAAACBC8L/jKIgAm/NtHruBIuj9ByVY0++i31NhVKwVpbKwAA
+AAAECfEM7PiuGMsWCwdnUVINnm5C5dhmpt6XtjD1d7OJKIqkLwv+MoiACb820eu4Ei6P0H
+JVjT76LfU2FUrBWlsrAAAAAADmFzdHJpZEBjaHVuZ3VzAQIDBAUGBw==
 -----END OPENSSH PRIVATE KEY-----
diff --git a/machines/boop/initrd/ssh_host_ed25519_key.pub b/machines/boop/initrd/ssh_host_ed25519_key.pub
index 63f91b93..9be3e70e 100644
--- a/machines/boop/initrd/ssh_host_ed25519_key.pub
+++ b/machines/boop/initrd/ssh_host_ed25519_key.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAtSF+Kx47/zdUe5/3L06RbULmoEFnJi9Jmd9q2ia5N
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELwv+MoiACb820eu4Ei6P0HJVjT76LfU2FUrBWlsrAA
diff --git a/machines/boop/initrd/ssh_host_rsa_key b/machines/boop/initrd/ssh_host_rsa_key
index fb9b26c9..82c682ff 100644
--- a/machines/boop/initrd/ssh_host_rsa_key
+++ b/machines/boop/initrd/ssh_host_rsa_key
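Review bot: The replacement private key is stored without passphrase protection — its base64 header decodes to `openssh-key-v1`, cipher `none`, KDF `none`, whereas the removed version used `aes256-ctr`/`bcrypt` — so an unencrypted SSH host private key is now committed to this repository; the RSA key in the following hunks receives the same change. Removing the passphrase is expected for an initrd sshd, which cannot prompt for one, but that is precisely why these files must not live in git: anyone with the repository can impersonate boop's early-boot SSH server and harvest the disk-unlock passphrase. Generate the keys on the host instead (`ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`), add `machines/*/initrd/ssh_host_*_key` to `.gitignore`, and treat both the old and new keypairs as compromised — rotate them and update any client `known_hosts` that trusts the `.pub` files below. The embedded key comment decodes to `astrid@chungus`, which suggests the key was generated on a workstation rather than on boop.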
@@ -1,39 +1,38 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZK3ycH/ -YLIrOsQZ4ioVYWAAAAGAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCQmmjQlsrm -8RTETENBLzSfJfcxdeTATowvNSbmnHrEot0QX89KrbmfdeKTSP1ppp5CgSHU0ASNLYla23 -xz0HsszZFC3c8JJIH3/BS34f/FLIvfsT2Rn4x2OyWr0xw24n8fqBEca7nt3eyeKfj3oiq+ -pJ6xSMyuiGmywlYubGrFJJe6L/Yey1qgAlGXEOtbe9x3fO1tb1/6cOlYqSM8LeVbO+oWAx -iWsH68f8HsUo/equ6qk59LgiO5MegYZBHH+IyowW2cgQxe4RA5Hm+hdW7ibxvBAH0uu0NH -Uw3yi020jZaAKHNWLnapgRM2uaBHFtoGVVPsHALdZ0FVuzLWQOJIN2uE6PRdnwaZtnTxU3 -3IRdcos/bbZbTuq+5sFNhF3rZdwjd3ndAg/BdsDzXVGjppEHWdEd5cZ7zfbr7p7zmK7pO0 -lRRHg6FtSkWqCIakG3gQ+SAGdlVoRQIAmZ3AzwtJCUrQRMLE+dg/oLgI16XtQWOlbOXEgC -oUNj84iz1CMVEAAAWQ7vCnrJLZ18bXwU57mSx0rEPSap/k27YJGZnw0Es3XainxkuT1VuV -0INxPuzQ2i/KZRTljrjfx3I+BLMjhNmI1eJ3+rhLv3qJfD7NYRdmtCKSJE97iu4gxAoO4m -rn3Tmjjqw9FUJV7U7fWMZ5/WCb1kU6ofYVQiqXocOaz421uDRJ32TAzT3NncuqY2r6YYMm -/HWYbVExM1oluK+O28yrXwO6a1YZIp7NbvxTl+4NdO3JERmPJRt09u1I7+PAgB6HK/E3yF -kdSOMKL5LAOb02Fpa0Oo8FAbGkRCFKZy7hw/zvdBej2oxF0GvEEAPHrxbhLDu7gSpN4kBg -EcaOyINDjAhnV1iCSAFIRe9Vf+56Q0geXzusAXnRQpem+Hgr5wv8kr/GFeY2fJ/nn1Yfde -3RIWAy+fMXEbJ7+RUiwdWNeCXwP3eYdWCOuoD2Vkb2DtZNzwKtatZyZd2rm9O2JUrP4JUg -tLcw3AAQb9+NskDCB3dq5/dKCZjJobhleigIouy+o6OgQCCQu+Kc7uoNyGoccTDlZFJU0W -BuPao1JVaEZLq+Pr7IrLp+kir6lqu+LSQZ1bQsfqet6jatS7t5xLkk4ho+uBfp1dkM/gP8 -NLr3dSn5sL2M3JjybgXfPsUULu6Gtc8pUPqhvrG70DcfZv/Qrs7IrKLrazAfQZ6YFVGTCK -8z6RqQGOVUsuwbz4JbAxAGJAfmNSBIZsXsL/dOofybaiLfvf2OHzNBGGgNr2F8aplKgkbB -duu21OF6ikymyl4ozVatDwjZ71PNiZbx+qz02RPlj5Bo9lwEQ5YrxAoi8niPIYmV0h7R38 -ch8kTeyJYvuYRpI/H5rutP3PIv1JlLerRRPr3N1tPB3ifvtkM0tTaN6d+4/CNw+hcsfQd1 -aEpKrfkQCjGzzrcnVHItpTscrBUj0MsMKtupOoWbToOmKHulQDiGeY5BIHeIN0DEbeI/z7 -TmLv9PfXUsSqnSp2MB8IkGzizWhPcxG49PlIbvkWaoNcNrqKZgOc5bNJuHtcYtylayZ2yh -iT4rv5ymlpxFsW6cik39Posfssom6fmF8XDHZ2PdmskPCU6XoAST7ugvES0DIBWb9Te9fU -EUC2Ds59zrXWQrhYu8Q8KH3F9tRcHbbhFJzJ5VhrR+t2nbADx+wcJw0zT1CXh0DyDFAsCb -y/WseVeyUn/uOyKNXvaeBysSF3S6o2A5MCjjf5nl0/MY50pjyu5mwyNk0sCKl+yMWTaLFy 
-t1l1pK9FZhqFzor8ZIF0RwvA2A1GXV5dk0FAf0W/Io2qPNPU/rz/phYus4kLwjheU7AWAt -z7b32GLaBB622SZclFX3pWdtD0/NtQD0q9VWVpxDctmani6RAYrSn0S23hk6fEiJ1AblZ7 -FBQC5GwDYBvxycTJyHESQTfMa7N8LLISFDy5JFmbM37orCOAOi4IxWHqtw2RZyDBFIiCBf -UcyChP2w/8f6o9YgqmsSXvsaXebq4WsSqC7dfWKLZdKA093G4QTtDXNavMWGYwWxpzhZdO -SFc3AiU6aRNPvJDaQTVkVIcTySwV3cESU+ppEeqcMr6HOajaq8rcZRsyt3HSBUwGgJw7Kx -avbL5OpGi2lbmkHVgAEjh1mZLLFDqiNi4DmBIOg5ZsEMdclU+FUDPL9F3FrfQsy/MIQXOX -s1mfXUAZIuGW/PjcGty0JpAhqb9/Wh+F+9VdMXuOxNeLdYc1vheQio8MdjZO9rgUVYFhY4 -0UeRCjAIeb9fR3AXiGTlMvvSyDt/89Tqq5XVEpPpzuHfQLpZRUhsiOCUVaokobIP6n2Caq -F9NW7QrC35J9NO5j3o4rgcxSdMfX5EBKg+BddIM294jJD1FoWgUXnRsYy9UtRRbtBZeqL1 -ZTCXSCUR9OjKJy1rZW4FnlgKD8Q= +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAqdE8nUiWzBjffn4LrImDiOGVfYa7iFUfXVHu+ca1JVLiusuJJsMO +FvErIK9xNjq5Das/Nta6TeKSiPrr3zEsO8cbcLbxQO/E2K+spaiTN1y/LwNBBv0fy22vo9 +nsoHFu5IUCdVp2KnpmeAW4xE4IBuEap751XjcLhvN8o6l8xTinuCJJ6MLEPTyaVxM+8Sy2 +eeC093aKeitCQmJxCc+mZ1V1m7fDu3siT4YA1RWQcG9YliDAwghdJ5dkdqmiOFOCxDtLYR +sx5trWM1XLL0PKIf5Br8z49tYb+tBI9u+Ben6KJUjQoyB711KSaRv+1O4qK1E6lpgjXB/7 +86yWGQZsxK9ZoYzx3ep4o7Ic5cdGAQ6gkgHELEPKbV3zNd+t4ZH0ClQziHdTindFky7kt3 +LgtasfvPfPDBnN9Kz2hKhdRyNpIyseYLM7Olvy4QW/lxT0M5oqeccm38hIivQaVczsyd2t +fCj/TnebAb6yP280y4P9rSWoHwlscczNW/cN5L51AAAFiEMU7Z1DFO2dAAAAB3NzaC1yc2 +EAAAGBAKnRPJ1IlswY335+C6yJg4jhlX2Gu4hVH11R7vnGtSVS4rrLiSbDDhbxKyCvcTY6 +uQ2rPzbWuk3ikoj6698xLDvHG3C28UDvxNivrKWokzdcvy8DQQb9H8ttr6PZ7KBxbuSFAn +Vadip6ZngFuMROCAbhGqe+dV43C4bzfKOpfMU4p7giSejCxD08mlcTPvEstnngtPd2inor +QkJicQnPpmdVdZu3w7t7Ik+GANUVkHBvWJYgwMIIXSeXZHapojhTgsQ7S2EbMeba1jNVyy +9DyiH+Qa/M+PbWG/rQSPbvgXp+iiVI0KMge9dSkmkb/tTuKitROpaYI1wf+/OslhkGbMSv +WaGM8d3qeKOyHOXHRgEOoJIBxCxDym1d8zXfreGR9ApUM4h3U4p3RZMu5Ldy4LWrH7z3zw +wZzfSs9oSoXUcjaSMrHmCzOzpb8uEFv5cU9DOaKnnHJt/ISIr0GlXM7MndrXwo/053mwG+ +sj9vNMuD/a0lqB8JbHHMzVv3DeS+dQAAAAMBAAEAAAGADcPEM4WI6kXmhmobcnf6XZ6CD6 +4w8OXhcx7V4uYh6cK/AQrIH7MLfH2TlC8psI5wUIoochP+qZsrazICQNGgtxRhBjELUMr+ 
+kYfP0+UG+yOn6tzLKRCxwpCt/iHccHbcA7w/okPbtH6+Y+J8LbabfPSYb1oHSRnnc8q0Ys +8KqjEjmyUgXjRnVAVfsfOBPxWePDZ5b15ARD3RvZrIHyuh3oS1UegX0/sGTBwzC2fs5h2I +YzGIHlIvkYAlKF8rTdXVmjz17Y48eIIlWEhSglfyPBUshaPzcINT54uBwje7Eg7KOqKQNe +/ww0dmqZZ7yyeRo147OubPkkBeycMLRzeX96oEBXhJUnOvUkfrR6coOzES0b07lCaT321o +Cas83ryQ4FQCk8gbpyjRmStOAQdSWTQWJ+j0EBdY4TPwWawO1Nw5muBa1C5un3cznehOG1 +NmEMmb1LQ0qG4+exypcOEv9TT6V6kyUY1dJdHvbVJqA1IJOBthDQfaicadxSNY1NujAAAA +wQCHOI+I5PI8OuhlGjj25XZ6JieJh8kwSl9d8W/4NCBlV9tFc9ncnGqlf5b/TpW8VSWha5 +22+iBtLsyvVYstFo/yhaw/kRnh6t0vh0L3fM0AE4gnHV/YSpr84fOMvlABpXTKv/re2Es+ +r+GqpC9QY3MlSHaNLG00eQoKGNwj4Z968FPo2nMR7wL/NyHl1XPPnfxvpm/HgDFpRQWdQQ +3XO+fWO2j7BavNEz6L8pWLgwxXSWOJuftyEHZGyAr6nOnjJ6oAAADBAOKTj9F8a1lm+Ea1 +3sy7j5piiLY5ynhl1slxSGLJWRCUCNcMNoBqz6qQ1OL3FznMLo6+6KaF8x4TSsHMSQqAj3 +7YKqJZSH+YUzfsVPPNgb/sOhy7gF7zRB5aPOFexelGLsygfPpFj9lpQvG25PWGci4EZ42A +Bp4V8016hz23HJfSfLBvT3WIJgRutztLUMYicrH/85S2pbX/dFCZHROzxSKHPlCjn4VMH/ +cHjMBAXCOvuNJJcIc6ldOQ5SOS2WNkowAAAMEAv96+NfPU90yQ4tFYdC4p1ozLVjEZu7V6 +FsH7AoP9CSWMtuj9WnOd5k8xSbiqMhUaCAc+TzsSbt7BhnnaPIswSTDPdVoYm0ImSkKRwj +qrdZNsnIw/UVvtxFrT4DBN63TCfb7hyPZ1z0ew2cr9+4MyLVocNOBJd7zrAOv8Cdcd5Qni +I23G2Efi9crmmcGpL4GddMyZyMQzSaCoZ6oVrFBLJMIr5XcP9gj/iOygef54YdplN2xA03 +MBr9MMet+oEOoHAAAADmFzdHJpZEBjaHVuZ3VzAQIDBA== -----END OPENSSH PRIVATE KEY----- diff --git a/machines/boop/initrd/ssh_host_rsa_key.pub b/machines/boop/initrd/ssh_host_rsa_key.pub index a975c920..d8c6955f 100644 --- a/machines/boop/initrd/ssh_host_rsa_key.pub +++ b/machines/boop/initrd/ssh_host_rsa_key.pub @@ -1 +1 @@ -ssh-rsa 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 +ssh-rsa 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 diff --git a/nix/nixos-modules/roles/server.nix b/nix/nixos-modules/roles/server.nix index e2e038fa..f8041b34 100644 --- a/nix/nixos-modules/roles/server.nix +++ b/nix/nixos-modules/roles/server.nix 
@@ -16,10 +16,10 @@ with lib; { boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened; # Enable SSH in initrd for debugging - boot.initrd.network.ssh = { - enable = true; - authorizedKeys = [ inputs.self.lib.sshKeyDatabase.users.astrid ]; - }; + # boot.initrd.network.ssh = { + # enable = true; + # authorizedKeys = [ inputs.self.lib.sshKeyDatabase.users.astrid ]; + # }; astral = { acme.enable = true;
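Review bot: The role now carries a commented-out `boot.initrd.network.ssh` block instead of either a deletion or an option, which leaves dead code for the next reader to wonder about; if initrd SSH is now per-machine (as boop's boot.nix does in this patch), delete these four lines and say so in the commit message, or expose it as an opt-in option on the role. Note also that the removed lines wrapped `inputs.self.lib.sshKeyDatabase.users.astrid` in a list, `authorizedKeys = [ … ];`, while boop's boot.nix passes it bare, `authorizedKeys = inputs.self.lib.sshKeyDatabase.users.astrid;`; since that option takes a list of strings, only one of the two spellings can be type-correct, so it is worth checking whether `users.astrid` is a string or a list and making the machine config match. The surrounding module attribute set continues outside this hunk.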