fix(surgat): initrd networking

This commit is contained in:
Tim Schubert 2025-05-17 15:02:31 +02:00
parent 33bc06ee10
commit 0c12c8de35
No known key found for this signature in database
4 changed files with 20 additions and 3 deletions


@ -1,10 +1,18 @@
{ config, lib, ... }: { config, lib, ... }:
let let
secretsPath = config.dadada.secrets.path; secretsPath = config.dadada.secrets.path;
initrdHostKey = "${config.networking.hostName}-initrd-ssh_host_ed25519_key"; initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
in in
{ {
boot.initrd.availableKernelModules = [ "virtio-pci" ]; boot.initrd.availableKernelModules = [ "virtio-pci" ];
boot.kernelParams = [
# Wait forever for the filesystem root to show up
"rootflags=x-systemd.device-timeout=0"
# Wait forever to enter the LUKS passphrase via SSH
"rd.luks.options=timeout=0"
];
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;
ssh = { ssh = {
@ -27,8 +35,13 @@ in
''; '';
}; };
assertions = lib.singleton {
assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
message = "Refusing to store private keys in store";
};
age.secrets."${initrdHostKey}" = { age.secrets."${initrdHostKey}" = {
file = "${secretsPath}/${initrdHostKey}.age"; file = "${secretsPath}/initrd-${initrdHostKey}.age";
mode = "600"; mode = "600";
path = "/etc/initrd/${initrdHostKey}"; path = "/etc/initrd/${initrdHostKey}";
symlink = false; symlink = false;
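Review bot: The rename at line 18 drops the `initrd` qualifier from the age secret's attribute name, so `age.secrets."surgat-ssh_host_ed25519_key"` now has the same name the host's main SSH host key secret would carry (`surgat-ssh_host_ed25519_key.age` is listed in the secrets file); if that key is also declared under `age.secrets` elsewhere, Nix would merge the two definitions into one secret rather than reject them, and the path under `/etc/initrd/` no longer says which key it is. Keeping the qualifier in the attribute name keeps the keys distinct everywhere: `initrdHostKey = "initrd-${config.networking.hostName}-ssh_host_ed25519_key";` and `file = "${secretsPath}/${initrdHostKey}.age";`. This matters because the initrd host key, unlike the main host key, is presumably appended unencrypted to the initrd in /boot, which is also what the assertion at lines 34-37 guards (the `== true` on a boolean option is redundant and can be dropped). The two `timeout=0` parameters at 22-27 make an unattended reboot block forever until someone enters the passphrase over SSH; a comment stating that this is intended (rather than e.g. a long finite timeout) would save the next reader from "fixing" it.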


@ -137,6 +137,10 @@ in
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.kernelParams = [
"ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
];
services.resolved = { services.resolved = {
enable = true; enable = true;
fallbackDns = [ "9.9.9.9" "2620:fe::fe" ]; fallbackDns = [ "9.9.9.9" "2620:fe::fe" ];
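Review bot: The `ip=` parameter at lines 49-51 combines a /32 netmask with a gateway (172.31.1.1) outside that subnet, and the kernel's built-in IP autoconfiguration rejects exactly this combination with "IP-Config: Gateway not on directly connected network", leaving the initrd without a default route; whether that code path or a systemd-networkd unit generated from `ip=` is what runs here is not visible in this hunk (the `rd.luks.options` parameter in the sibling file suggests a systemd initrd), but an off-link gateway needs an explicit on-link route either way. The autoconf field is `dhcp` while a static address is given; the kernel skips dynamic configuration once an address is present, so `dhcp` only misleads and `none` states the intent. Leaving the device field empty lets whichever interface comes up first win, so naming the virtio NIC, e.g. `"ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat:eth0:none"` if that is its name, removes a second source of flakiness. A one-line comment giving the field layout (`client:server:gateway:netmask:hostname:device:autoconf`) would make the next change to this line less error-prone.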


@ -21,7 +21,7 @@ in
"miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ]; "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ];
"gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ]; "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
"paperless.age".publicKeys = [ systems.gorgon dadada ]; "paperless.age".publicKeys = [ systems.gorgon dadada ];
"surgat-initrd-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ]; "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
"surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ]; "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
"ninurta-initrd-ssh-key.age".publicKeys = [ systems.ninurta dadada ]; "ninurta-initrd-ssh-key.age".publicKeys = [ systems.ninurta dadada ];
"ddns-credentials.age".publicKeys = [ systems.agares systems.ninurta dadada ]; "ddns-credentials.age".publicKeys = [ systems.agares systems.ninurta dadada ];