From 33e6c423b8b6b86a67fab16d156cfc4e5dedefd4 Mon Sep 17 00:00:00 2001 From: Dustin Frisch Date: Mon, 18 Nov 2024 10:30:22 +0100 Subject: [PATCH] Installer works --- TODO.md | 6 +- client/default.nix | 16 +++-- client/hardware.nix | 4 +- flake.nix | 5 +- installer/default.nix | 86 ++++++++++++++++++++++++ installer/installer.nix | 19 ++++++ machines/installer/default.nix | 28 -------- machines/installer/hardware.nix | 65 ------------------ machines/installer/installer/default.nix | 59 ---------------- machines/installer/netinstall.nix | 38 ----------- machines/installer/secrets/cache.crt | 1 - machines/installer/secrets/cache.key | 24 ------- machines/ldap/default.nix | 3 - machines/{installer => nfs}/cache.nix | 2 +- machines/nfs/default.nix | 2 + machines/nfs/dhcp.nix | 27 +------- machines/nfs/netinstaller.nix | 85 +++++++++++++++++++++++ machines/nfs/secrets/cache.key | 24 +++++++ machines/nfs/secrets/cache.pub | 1 + shared/cache.nix | 13 ++++ shared/default.nix | 5 +- shared/network.nix | 3 +- shared/users.nix | 4 +- sops-config.nix | 1 - 24 files changed, 260 insertions(+), 261 deletions(-) create mode 100644 installer/default.nix create mode 100644 installer/installer.nix delete mode 100644 machines/installer/default.nix delete mode 100644 machines/installer/hardware.nix delete mode 100644 machines/installer/installer/default.nix delete mode 100644 machines/installer/netinstall.nix delete mode 100644 machines/installer/secrets/cache.crt delete mode 100644 machines/installer/secrets/cache.key rename machines/{installer => nfs}/cache.nix (88%) create mode 100644 machines/nfs/netinstaller.nix create mode 100644 machines/nfs/secrets/cache.key create mode 100644 machines/nfs/secrets/cache.pub create mode 100644 shared/cache.nix diff --git a/TODO.md b/TODO.md index 6e1227a..71cb5a0 100644 --- a/TODO.md +++ b/TODO.md 
@@ -1,6 +1,5 @@ # Tasks - Configure user env on client (using envfs?) -- Configure docker on client - Make installer work - Move ldap to subdomain - Check external SSH access @@ -8,6 +7,11 @@ - Quota per user on homedir - Exim recovery - A fancy background image? +- Client Requirements: + - docker + docker-compose [name=könig] + - rstudio [name=james] + - quarto [name=james] + - miniconda [name=james] # Issuse - Cleartext password in sssd/ldap config diff --git a/client/default.nix b/client/default.nix index b67194b..aa70351 100644 --- a/client/default.nix +++ b/client/default.nix @@ -5,7 +5,11 @@ id: with lib; let - client = (import ../clients.nix).${id}; + client = + if id != null + then (import ../clients.nix).${id} + else null; + in { imports = [ @@ -17,8 +21,9 @@ in ./programs.nix ]; - deployment = { - targetHost = "10.32.45.150"; + deployment = optionalAttrs (client != null) { + inherit (client) targetHost; + tags = [ "client" ]; }; @@ -27,7 +32,10 @@ in }; networking = { - hostName = mkForce "client-${id}"; + hostName = mkForce (if id != null + then "client-${id}" + else "client"); + useDHCP = mkForce true; }; diff --git a/client/hardware.nix b/client/hardware.nix index f6a6ed4..e427176 100644 --- a/client/hardware.nix +++ b/client/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, ... }: { imports = [ @@ -48,7 +48,7 @@ disk = { root = { type = "disk"; - device = "/dev/sda"; + device = "/dev/disk/by-path/pci-0000:04:00.0-nvme-1"; imageSize = "32G"; content = { type = "gpt"; diff --git a/flake.nix b/flake.nix index 0ca887a..4e2baf9 100644 --- a/flake.nix +++ b/flake.nix @@ -53,6 +53,7 @@ # List of all machine names as defined in the machines directory machines = builtins.attrNames (builtins.readDir ./machines); + # List of all client names clients = builtins.attrNames (import ./clients.nix); in @@ -78,6 +79,8 @@ deployment.replaceUnknownProfiles = false; }; + + "client" = (import ./client) null; } # Machines 
@@ -92,7 +95,7 @@ // (builtins.listToAttrs (builtins.map (id: { name = "client-${id}"; - value = (import ./client) id; + value = ./client; }) clients)) ; diff --git a/installer/default.nix b/installer/default.nix new file mode 100644 index 0000000..3be9e1e --- /dev/null +++ b/installer/default.nix 
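Review bot: `value = ./client;` hands the module system a bare path, while the hunk header of the client/default.nix hunk shows that file still begins as a curried `id:` function; if that is the case, the module system supplies the module arguments as `id`, so `id != null` holds and `(import ../clients.nix).${id}` is evaluated with an attribute set as the key. Keeping `value = (import ./client) id;` is what makes `id` reach the module, which is also how the template node `"client" = (import ./client) null;` in the preceding hunk is built. If `./client` is now expected to obtain the id some other way (e.g. via `_module.args`), that is not visible in this diff and deserves a comment at this line.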
@@ -0,0 +1,86 @@ +{ pkgs, lib, modulesPath, config, target, ... }: + +with lib; + +let + installer = pkgs.callPackage ./installer.nix { inherit target; }; + + auto-installer = + let + # This removes the direct dependency from the installer to the target image. + # The install script is realized later during runtime using the cache. + # To make this work, the cache must provide the real installer script. + installer-path = builtins.unsafeDiscardStringContext (toString installer); + + in + pkgs.writers.writeBash "auto-installer" '' + set -o errexit + set -o nounset + set -o pipefail + + set -x + + ${pkgs.retry}/bin/retry \ + --times 10 \ + --delay 15 \ + -- ${pkgs.nix}/bin/nix-store \ + --realize \ + --add-root /tmp/installer \ + "${installer-path}" + + /tmp/installer + + reboot + ''; + +in +{ + imports = [ + "${modulesPath}/installer/netboot/netboot-minimal.nix" + + ../shared/users.nix + ../shared/network.nix + ../shared/cache.nix + ]; + + _module.args = { + name = "installer"; + }; + + networking.useDHCP = mkForce true; + + services.getty.autologinUser = lib.mkForce "root"; + + systemd.services."auto-install" = { + description = "Automated NixOS installer"; + + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + conflicts = [ "getty@tty1.service" ]; + + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ bash nix ]; + + unitConfig = { + FailureAction = "force-reboot"; + }; + + serviceConfig = { + Type = "oneshot"; + + ExecStart = auto-installer; + + StandardInput = "none"; + StandardOutput = "journal+console"; + StandardError = "journal+console"; + }; + }; + + # Expose the installer script + system.build.installer = installer; + + system.stateVersion = config.system.nixos.release; +} + diff --git a/installer/installer.nix b/installer/installer.nix new file mode 100644 index 0000000..c4fea4c --- /dev/null +++ b/installer/installer.nix 
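Review bot: `installer-path` is stripped of its string context and fetched at boot with `nix-store --realize`, but nothing here records that the fetched script, which wipes and installs the target disk as root, is trusted only because substitution is signature-checked against `nix.settings.trusted-public-keys` from `../shared/cache.nix`, which this module imports. I would extend the existing comment with `# The realized path is trusted only because substitution verifies its signature against trusted-public-keys (../shared/cache.nix); rotating the cache key requires rebuilding this image.` It is also worth a comment that a path missing from the cache becomes ten retries followed by `FailureAction = "force-reboot"`, i.e. a reboot loop whose console output is lost, so that failure is only diagnosable on the serving host.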
@@ -0,0 +1,19 @@ +{ writers, target, ... }: + +writers.writeBash "installer" '' + set -o errexit + set -o nounset + set -o pipefail + + set -x + + "${target.config.system.build.diskoScript}" + + "${target.config.system.build.nixos-install}/bin/nixos-install" \ + --root /mnt \ + --system "${target.config.system.build.toplevel}" \ + --no-channel-copy \ + --no-root-password \ + --verbose +'' + diff --git a/machines/installer/default.nix b/machines/installer/default.nix deleted file mode 100644 index c937ab7..0000000 --- a/machines/installer/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - imports = [ - ./hardware.nix - # TODO: ./cache.nix - # ./netinstall.nix - ]; - - deployment = { - targetHost = "10.33.64.21"; - }; - - networking = { - interfaces."eth0" = { - ipv4.addresses = [{ - address = "10.33.64.21"; - prefixLength = 20; - }]; - }; - - defaultGateway = { - interface = "eth0"; - address = "10.33.64.1"; - }; - }; - - system.stateVersion = "24.05"; -} - diff --git a/machines/installer/hardware.nix b/machines/installer/hardware.nix deleted file mode 100644 index cfb872a..0000000 --- a/machines/installer/hardware.nix +++ /dev/null 
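Review bot: The script runs the target's `diskoScript` and then `nixos-install` unconditionally, and it is what the unattended service in installer/default.nix fetches from the cache and executes as root, so a header comment stating that it is destructive for the disk declared in the target's disko configuration would help the next reader. `--no-root-password` also deserves a note: it presumably relies on root's `hashedPassword` being declared in shared/users.nix (with `users.mutableUsers = false`), so the installed system's root credential is whatever that file declares at build time, not something set during installation.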
@@ -1,65 +0,0 @@ -{ modulesPath, ... }: - -{ - imports = [ - "${modulesPath}/installer/scan/not-detected.nix" - ]; - - nixpkgs.hostPlatform = "x86_64-linux"; - - boot.initrd.availableKernelModules = [ - "uhci_hcd" - "ehci_pci" - "ata_piix" - "mptsas" - "usb_storage" - "usbhid" - "sd_mod" - "sr_mod" - ]; - - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - hardware.enableRedistributableFirmware = true; - hardware.cpu.intel.updateMicrocode = true; - - disko.devices = { - disk = { - root = { - type = "disk"; - device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0"; - imageSize = "64G"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; - }; - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - root = { - size = "100%"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; -} - diff --git a/machines/installer/installer/default.nix b/machines/installer/installer/default.nix deleted file mode 100644 index fc0c1f6..0000000 --- a/machines/installer/installer/default.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ pkgs, lib, modulesPath, config, target, ... }: - -with lib; - -let - installer = pkgs.writers.writeBash "installer" '' - set -euo pipefail - - "${target.config.system.build.diskoScript}" - - "${target.config.system.build.nixos-install}" \ - --root /mnt \ - --system "${target.config.system.build.toplevel}" \ - --no-channel-copy \ - --no-root-password \ - --verbose - - reboot - ''; - -in { - imports = [ - "${modulesPath}/installer/netboot/netboot-minimal.nix" - ]; - - networking.hostName = "installer"; - - services.getty.autologinUser = lib.mkForce "root"; - - systemd.services."auto-install" = { - description = "Automated NixOS installer"; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - - conflicts = [ "getty@tty1.service" ]; - - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ bash nix ]; - - unitConfig = { - FailureAction = "force-reboot"; - }; - - serviceConfig = { - Type = "oneshot"; - - ExecStart = installer; - - StandardInput = "none"; - StandardOutput = "journal+console"; - StandardError = "journal+console"; - }; - }; - - system.stateVersion = config.system.nixos.release; -} - diff --git a/machines/installer/netinstall.nix b/machines/installer/netinstall.nix deleted file mode 100644 index bc3e890..0000000 --- a/machines/installer/netinstall.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ pkgs, lib, nodes, ... }: - -with lib; - -let - installer = pkgs.nixos [ - ./installer - - { - _module.args = { - target = nodes."client"; - }; - } - ]; - -in -{ - services.pixiecore = { - enable = true; - - dhcpNoBind = true; - - port = 5080; - - mode = "boot"; - kernel = "file://${installer.config.system.build.kernel}/bzImage"; - initrd = "file://${installer.config.system.build.netbootRamdisk}/initrd"; - cmdLine = concatStringsSep " " [ - "init=${installer.config.system.build.toplevel}/init" - "loglevel=4" - "console=tty0" - "console=ttyS1,57600n8" - ]; - - openFirewall = true; - }; -} - 
diff --git a/machines/installer/secrets/cache.crt b/machines/installer/secrets/cache.crt deleted file mode 100644 index ef137af..0000000 --- a/machines/installer/secrets/cache.crt +++ /dev/null @@ -1 +0,0 @@ -cache.linuxlab.informatik.hs-fulda.de:jrTFzlS3uRzOOteHmynLmSIvFMWgb4+YH+ShcrczdEY= \ No newline at end of file diff --git a/machines/installer/secrets/cache.key b/machines/installer/secrets/cache.key deleted file mode 100644 index e4a0235..0000000 --- a/machines/installer/secrets/cache.key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:u2f84L2XIPqNBPKtkAU7LAwUj0wwxemsOuUB/qk/SSjutA8RLi5TmBQHnnBY/5l3u154JN9RzHsHQyMp7NHiT1gsmvrmNhdWRzLTxG7MfIJW0SVpjD7X6GLmH5vnVSLJZScRfHgdRcYl9sFO7HlT/vRAtb57ZYM+QZS5b1ZB,iv:yzwOKZA5iwrn/CkhtwF7tUytsy0lseJcBqm4UqVAsqA=,tag:WhxIH/K314fvOm81lfK6EQ==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVDhNSjF0amNnSWJ2ZEhq\ndnRoOXZpYk5oN09abFozK1Y0WVhDSVJ2U0RzCkw0OXhScjQwRGlDcDdnUHh2cDd3\nclBDd2RwQzRIMy9CVjZXbGFNSUdjU2cKLS0tIHBzSXdCMElkclJMU2I0WWtHbTJP\nWW5TQ2syRk9Obm5qYUtZVGZYbmtzTkEKkMiRInW2OuY6FhXTfueqokehWNxwO905\ntk5jVzyS0kVDt2Mi29Ny+HUhTpLWn2mJii8HMz698ElAxvXrHBZurQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age14lgxmyw860py9yyjz3cxkr6u0x30qra2e27c9my0sycqyfankf2sjrsse6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHBOUUhqcHlPeTNXOE8z\nWDlNZkhSbnY5SEV5MFplWmhNVXpTaXlycHd3Ck9hY1F6LzNpWjhFdWN0SnpaT0M0\nR2R5TmRNek0wYTJUREp4YklTaVJzdXMKLS0tIDdOTWN6b2kwR1R3bzNTT2s1UFMr\nUm0yWHNkSXg5ZFR1dWhUdHRmSm13eG8Kcprh4nvmUDgI6/nntD+FTY4SsqpEAs3U\n44tvzXSNjEMp9dHIkVu45+NyKOGjZoNUAA7dEvFYAAgZqHPbLMJ0aw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-11-11T21:50:59Z", - "mac": "ENC[AES256_GCM,data:n6TfbZmYcV2ER7n4fXanVJ9ekbytU07NdHVDO/VoTkERvstb1NuTeo7LjA+KVVKxM3ZUvAtMfjpAXvgP1exL4WkOzQHk5RV3odfZhGsvMOUaHp7cfww6/JrO8I+EzJWhDh2tO+xFpuD2sprvNiWT60PFG6kDQKn7XYy63+ECCyo=,iv:7ytrvXtk3Mz3ioeuv0hc80y2FLSyUWdtFyVEhidUeAI=,tag:BS8am9kxloRP+AbavEmfPA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file diff --git a/machines/ldap/default.nix b/machines/ldap/default.nix index 1650687..07333be 100644 --- a/machines/ldap/default.nix 
+++ b/machines/ldap/default.nix @@ -2,9 +2,6 @@ imports = [ ./hardware.nix ./ldap.nix - - # TODO: - # ../installer/netinstall.nix ]; deployment = { diff --git a/machines/installer/cache.nix b/machines/nfs/cache.nix similarity index 88% rename from machines/installer/cache.nix rename to machines/nfs/cache.nix index 5edeebc..681b3c5 100644 --- a/machines/installer/cache.nix +++ b/machines/nfs/cache.nix @@ -10,7 +10,7 @@ enable = true; virtualHosts."cache.${config.networking.domain}" = { locations."/".proxyPass = with config.services.nix-serve; - "http://${bindAddress}:${port}"; + "http://${bindAddress}:${toString port}"; }; }; diff --git a/machines/nfs/default.nix b/machines/nfs/default.nix index c2097df..078c631 100644 --- a/machines/nfs/default.nix +++ b/machines/nfs/default.nix @@ -3,6 +3,8 @@ ./hardware.nix ./dhcp.nix ./nfs.nix + ./cache.nix + ./netinstaller.nix ]; deployment = { diff --git a/machines/nfs/dhcp.nix b/machines/nfs/dhcp.nix index 39dee87..98e83ce 100644 --- a/machines/nfs/dhcp.nix +++ b/machines/nfs/dhcp.nix @@ -24,7 +24,7 @@ subnet4 = [ { subnet = "10.33.64.0/20"; - interface = "enp4s0f1"; + interface = "enp4s0f0"; pools = [ { @@ -96,30 +96,5 @@ 67 68 # DHCP ]; - - services.pixiecore = - let - script = pkgs.writeText "boot-local.ipxe" '' - #!ipxe - - sleep 2 - - sanboot -n -d 0x80 - - shell - ''; - in - { - enable = true; - - dhcpNoBind = true; - - port = 5080; - - mode = "boot"; - kernel = toString script; - - openFirewall = true; - }; } diff --git a/machines/nfs/netinstaller.nix b/machines/nfs/netinstaller.nix new file mode 100644 index 0000000..6e9ddd4 --- /dev/null +++ b/machines/nfs/netinstaller.nix 
@@ -0,0 +1,85 @@ +{ pkgs, lib, config, nodes, ... }: + +with lib; + +let + installer = pkgs.nixos [ + ../../installer + + { + _module.args = { + target = nodes."client"; + }; + } + ]; + + ipxe-script = pkgs.writeText "boot-local.ipxe" '' + #!ipxe + + sleep 2 + + prompt --key 0x18 --timeout 5000 Press Ctrl-X to re-deploy system... || goto local + + echo "Starting installer..." + sleep 2 + + kernel --name kernel http://''${next-server:ipv4}/bzImage || goto err + initrd --name initrd http://''${next-server:ipv4}/initrd || goto err + + boot kernel initrd=initrd init=${installer.config.system.build.toplevel}/init loglevel=4 || goto err + + :err + shell + + :local + echo "Booting local disk..." + sleep 2 + + sanboot -n -d 0x80 + ''; + +in +{ + services.nginx = { + enable = true; + + virtualHosts."boot.${config.networking.domain}" = { + locations."/" = { + root = pkgs.linkFarm "root" { + "bzImage" = installer.config.system.build.kernel + "/bzImage"; + "initrd" = installer.config.system.build.netbootRamdisk + "/initrd"; + }; + }; + }; + }; + + services.pixiecore = + { + enable = true; + debug = true; + + dhcpNoBind = true; + + port = 5080; + + mode = "boot"; + kernel = toString ipxe-script; + + openFirewall = true; + }; + + # Ensure the intaller script and therefore the client system is part of the + # store so it can be fetched by the installer. + boot.postBootCommands = '' + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/installer --set "${installer.installer}" + ''; + + networking.extraHosts = '' + 127.0.0.1 boot.${config.networking.domain} + ''; + + networking.firewall.allowedTCPPorts = [ + 80 # HTTP + ]; +} + diff --git a/machines/nfs/secrets/cache.key b/machines/nfs/secrets/cache.key new file mode 100644 index 0000000..076b0de --- /dev/null +++ b/machines/nfs/secrets/cache.key 
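Review bot: The iPXE script fetches `http://''${next-server:ipv4}/bzImage`, i.e. by IP address, but the kernel and initrd are only served by the `boot.${config.networking.domain}` virtual host; with `cache.${config.networking.domain}` from cache.nix on the same nginx, a request by IP lands on whatever server block nginx treats as default, which appears to be `boot.…` only because it sorts first. Mark it explicitly, `virtualHosts."boot.${config.networking.domain}" = { default = true; locations."/" = { … }; };`, or fetch by name. The boot chain (pixiecore ProxyDHCP, plain-HTTP kernel and initrd, no `imgverify`) is unauthenticated and the loaded initrd then wipes and reinstalls the client disk; that is a normal PXE trust assumption for an isolated lab segment, but a comment at the top of the file stating that the 10.33.64.0/20 network must be trusted would document it. `debug = true` on pixiecore looks like a leftover, and the comment above `boot.postBootCommands` has a typo (`intaller`).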
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:BNxKj72aiPMNMsiZf8GjGG1L1TLMHoENAfnaic1LqyYZa2zZq7eWm7BNps2Iz9sP4voQbp9GB7/kvZ1iS3g8B8xb6r4QrylAgPHGcb/nXQb7xvUVM5glRCtC0mgyPSqbnzWz3bObgVR+fTlDGX5Ckt3lt4WWK6Pg90TG1FUK,iv:LFL8p6vAzgS8KyAu0LVX+op72UdhXyLMbU98PZ+fSus=,tag:5LWxdkS9d0kCFXJfZJ5tRw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NUNFQWc3Z1NON3hRaW5B\nYlhkbllSTVlRUi9jS1lGTDZmVkRsYjJqMXpBCjZYak1OQ3ltT1hVMWp2Tis4Rklv\nK2E1MVN2OU9wUFp4c2RpdkZsMjVybUEKLS0tIFdidWp0TUE0RzBXd2l1L1lQYTVw\nWEJES29mRk1aSmtqeHJEWWNDV0d4L00K4nW0rBP4Rl+uDj+E0bq7MyuyDzKSsGRB\n0dtzqaEu+HHbRqne6MOU0+oh0bpln5vJhkSKdlD7bBIEOX3/AWwHdg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1kjjve9m33a5fads6ttc0kznmv0mn0cxladrk7nv8huhp8u2pw4vqyzuf2p", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZi9maENnTjFhU2k1S3RJ\nUGFpbkc1d3BNNFEyQWlPdW9SK0VjR1ZYaG4wCnJvamNZL3p2MWFQOGlqVTgvbXRw\nMHdGU3V0SmE5NkQydGVaYzVEMmxyUGcKLS0tIGkyTWVpd2xFYmJKVGRzNk1KV3BU\ndVFza01xTnBXYnF2dnhUekN4QWpZaWcKcuBiZAZPXjxUgnRGGWz9FMhODMaNwlV+\nwVP5j7gL8VX1HvTLUU0lGyNA/st+KoAnugMKabW5TYRiyQyACIlO/w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-14T18:01:59Z", + "mac": "ENC[AES256_GCM,data:TanGp5W9pmtO0x7yjKiyqPPIetoxrEldVSi0h/0JD6liZ/9G1gTU0miDYhOn0j2C8n/QoXVxjWWFfX/JNVC+Lt4rUrGCJDCo1gpMRHxym4VyCYiiEGgCh0D5IiNYSKLkIs/3JPYDAm+CrOcX4XjbcLMYiZkvWVcV+gh2s8vtXcE=,iv:XO8/adw+hQ3Z/8icJTvv4ct78qPsxS0mJQC2veLtDvk=,tag:e2DS3nieE+BsUUTx9C3Xmw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/machines/nfs/secrets/cache.pub b/machines/nfs/secrets/cache.pub new file mode 100644 index 0000000..89a3f35 --- /dev/null 
+++ b/machines/nfs/secrets/cache.pub @@ -0,0 +1 @@ +cache.linuxlab.informatik.hs-fulda.de:ugWyeMyNqHvSEXDVgcPZ5NCniqq0wqKQCb3rjqXb/jU= \ No newline at end of file diff --git a/shared/cache.nix b/shared/cache.nix new file mode 100644 index 0000000..1355a1d --- /dev/null +++ b/shared/cache.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + nix.settings = { + substituters = [ + "http://cache.${config.networking.domain}" + ]; + + trusted-public-keys = [ + "cache.${config.networking.domain}:ugWyeMyNqHvSEXDVgcPZ5NCniqq0wqKQCb3rjqXb/jU=" + ]; + }; +} diff --git a/shared/default.nix b/shared/default.nix index 72b16d6..6276acb 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -1,4 +1,4 @@ -{ name, ...}: +{ name, ... }: { imports = [ @@ -6,6 +6,7 @@ ./network.nix ./users.nix ./system.nix + ./cache.nix ]; time.timeZone = "Europe/Berlin"; @@ -15,7 +16,5 @@ _module.args = { machinePath = ../machines/${name}; }; - - disko.imageBuilder.imageFormat = "qcow2"; } diff --git a/shared/network.nix b/shared/network.nix index 058ae0b..c46e65d 100644 --- a/shared/network.nix +++ b/shared/network.nix @@ -16,9 +16,8 @@ useDHCP = false; extraHosts = '' - 10.33.64.20 nfs.${config.networking.domain} + 10.33.64.20 nfs.${config.networking.domain} cache.${config.networking.domain} 10.33.64.19 ldap.${config.networking.domain} - 10.33.64.19 install.${config.networking.domain} 10.33.64.19 ldap-linuxlab.informatik.hs-fulda.de ''; diff --git a/shared/users.nix b/shared/users.nix index 3018342..9d4db6c 100644 --- a/shared/users.nix +++ b/shared/users.nix @@ -1,10 +1,10 @@ -{ pkgs, config, ...}: +{ pkgs, ... }: { users.mutableUsers = false; users.users."root" = { - #hashedPassword = "$y$j9T$5ZEv2RROIXAqdFjFEXEst0$5HA63fmwjGXw1id4n94TRgY1gTuXsQGKXmzlcWXyE07"; + #TODO: hashedPassword = "$y$j9T$5ZEv2RROIXAqdFjFEXEst0$5HA63fmwjGXw1id4n94TRgY1gTuXsQGKXmzlcWXyE07"; hashedPassword = "$y$j9T$IqOVsS6/ACfhDXzA3LqsZ1$J/16UDhw44bHWJqIoCdjms6IEwT4tk4ghq2WpThOlMA"; openssh.authorizedKeys.keys = [ 
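Review bot: The key in `trusted-public-keys` is a hand-copied duplicate of `machines/nfs/secrets/cache.pub` (same key; the host name is spelled out there and computed from `config.networking.domain` here), so a key rotation has to be repeated in two places and a mismatch makes nix reject every path from the cache — on the installer image that means the auto-install can no longer fetch its script. Reading the one file would keep them in sync, `trusted-public-keys = [ (lib.fileContents ../machines/nfs/secrets/cache.pub) ];` with `lib` added to the module arguments, assuming the domain in that file matches `config.networking.domain`. Plain HTTP for the substituter is acceptable only because of this signature check, which is worth a one-line comment above `substituters`.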
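Review bot: The line changed to `#TODO: hashedPassword = "$y$j9T$5ZEv…"` keeps a complete root password hash in a comment; an unused credential hash in a shared repository is still material worth protecting, so the line should be dropped rather than annotated, and if that hash was ever live the password should be rotated. Removing `config` from the argument set is consistent with the rest of the file as shown.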
diff --git a/sops-config.nix b/sops-config.nix index 9f920c6..305baed 100644 --- a/sops-config.nix +++ b/sops-config.nix @@ -16,7 +16,6 @@ let hosts = { "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMA+Q4wLe0AuZ8OC5BKJLrvmpKcy+6a8Iez9hCSVgtX8"; "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np"; - "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o"; }; sshToAge = ssh-key: