From cde6bdd498358ab2acb96999e9f19b1d475e6789 Mon Sep 17 00:00:00 2001
From: Jake Hillion
Date: Mon, 10 Jun 2024 21:29:21 +0100
Subject: [PATCH] tywin: enable clevis/tang for boot
---
 hosts/boron.cx.ts.hillion.co.uk/README.md | 2 +-
 hosts/router.home.ts.hillion.co.uk/default.nix | 1 +
 hosts/sodium.pop.ts.hillion.co.uk/default.nix | 1 +
 hosts/tywin.storage.ts.hillion.co.uk/README.md | 7 +++++++
 .../clevis_config.json | 14 ++++++++++++++
 hosts/tywin.storage.ts.hillion.co.uk/default.nix | 15 ++++++++++++++-
 modules/impermanence.nix | 3 ++-
 modules/locations.nix | 1 +
 modules/services/tang.nix | 1 +
 9 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 hosts/tywin.storage.ts.hillion.co.uk/README.md
 create mode 100644 hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
diff --git a/hosts/boron.cx.ts.hillion.co.uk/README.md b/hosts/boron.cx.ts.hillion.co.uk/README.md
index 9004d3f..4a34a7c 100644
--- a/hosts/boron.cx.ts.hillion.co.uk/README.md
+++ b/hosts/boron.cx.ts.hillion.co.uk/README.md
@@ -2,6 +2,6 @@
 Additional installation step for Clevis/Tang:
- $ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+ $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
 $ sudo chown root:root /mnt/data/disk_encryption.jwe
 $ sudo chmod 0400 /mnt/data/disk_encryption.jwe
diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index ed08f1e..5479e3d 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -205,6 +205,7 @@
 { hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
 { hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
 { hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
+ { hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
 ];
 }
 {
diff --git a/hosts/sodium.pop.ts.hillion.co.uk/default.nix b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
index 9a2961e..7479fdc 100644
--- a/hosts/sodium.pop.ts.hillion.co.uk/default.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
@@ -64,6 +64,7 @@
 interfaces = {
 eth0 = {
 allowedTCPPorts = lib.mkForce [
+ 7654 # Tang
 ];
 allowedUDPPorts = lib.mkForce [
 ];
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/README.md b/hosts/tywin.storage.ts.hillion.co.uk/README.md
new file mode 100644
index 0000000..7e5d898
--- /dev/null
+++ b/hosts/tywin.storage.ts.hillion.co.uk/README.md
@@ -0,0 +1,7 @@
+# tywin.storage.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+ $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
+ $ sudo chown root:root /mnt/disk_encryption.jwe
+ $ sudo chmod 0400 /mnt/disk_encryption.jwe
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json b/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
new file mode 100644
index 0000000..9cfa4b3
--- /dev/null
+++ b/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
@@ -0,0 +1,14 @@
+{
+ "t": 1,
+ "pins": {
+ "tang": [
+ {
+ "url": "http://10.64.50.21:7654"
+ },
+ {
+ "url": "http://10.64.50.25:7654"
+ }
+ ]
+ }
+}
+
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/default.nix b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
index 7136ff0..cc3d9dd 100644
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
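Review bot: The `# Tang` comment on the new `7654` entry in the sodium hunk says nothing about what limits who may talk to the service, and `lib.mkForce` opens the port to everything reachable on eth0; the client restriction lives in `modules/services/tang.nix` (`ipAddressAllow`), which a reader of this file cannot see. Suggest `7654 # Tang; clients are limited by ipAddressAllow in modules/services/tang.nix` so the two are kept in step when either is edited. The enclosing `interfaces.eth0` attribute set ends outside the hunk.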
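Review bot: `"t": 1` with two Tang pins in the new clevis_config.json means either server alone is enough to recover the key, so the unlock is only as strong as the weaker-protected of the two Tang hosts, and the policy contains no non-Tang pin. If that trade-off (tywin still boots while one Tang host is down) is intentional it should be recorded, and since JSON has no comment syntax the host README created in this patch is the place: something like `Threshold 1 of 2: either Tang server can unlock on its own, accepted so the host boots with one site down.` The file also ends with an extra blank line after the closing brace, which some JSON tooling flags.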
@@ -15,6 +15,20 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelParams = [
+ "ip=dhcp"
+ "zfs.zfs_arc_max=25769803776"
+ ];
+ boot.initrd = {
+ availableKernelModules = [ "r8169" ];
+ network.enable = true;
+ clevis = {
+ enable = true;
+ useTang = true;
+ devices."root".secretFile = "/disk_encryption.jwe";
+ };
+ };
+
 custom.locations.autoServe = true;
 custom.defaults = true;
@@ -40,7 +54,6 @@
 forceImportRoot = false;
 extraPools = [ "data" ];
 };
- boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
 services.btrfs.autoScrub = {
 enable = true;
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 71844f5..b01c02f 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -50,7 +50,8 @@ in
 (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
 (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
 (listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
- (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
+ (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]) ++
+ (listIf config.services.tang.enable [ "/var/lib/private/tang" ]);
 };
 home-manager.users =
diff --git a/modules/locations.nix b/modules/locations.nix
index e8f3927..3fe9db5 100644
--- a/modules/locations.nix
+++ b/modules/locations.nix
@@ -28,6 +28,7 @@ in
 tang = [
 "li.pop.ts.hillion.co.uk"
 "microserver.home.ts.hillion.co.uk"
+ "sodium.pop.ts.hillion.co.uk"
 ];
 unifi = "boron.cx.ts.hillion.co.uk";
 version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
diff --git a/modules/services/tang.nix b/modules/services/tang.nix
index 53e0350..5f18826 100644
--- a/modules/services/tang.nix
+++ b/modules/services/tang.nix
@@ -13,6 +13,7 @@ in
 enable = true;
 ipAddressAllow = [
 "138.201.252.214/32"
+ "10.64.50.20/32"
 ];
 };
 };
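Review bot: `devices."root".secretFile = "/disk_encryption.jwe"` in the first tywin hunk names a device `root` and a JWE path that nothing in the file explains; the README created in this patch writes the file to `/mnt/disk_encryption.jwe` at install time, so the two agree only if `/mnt` is the installed root there, and `root` presumably has to match the encrypted pool the initrd unlocks (the second hunk's `forceImportRoot = false` and `extraPools = [ "data" ]` suggest such a pool exists, but confirm). A comment on that line would spare the next reader the inference, e.g. `# JWE produced per README.md; "root" must name the pool/device the initrd unlocks`. It would also help to state what happens when no Tang server answers at boot, since `ip=dhcp` plus `network.enable` make this path depend on DHCP and on the Tang hosts being up; presumably the interactive passphrase prompt remains as fallback, but the hunk does not show it. The enclosing attribute set starts before and ends after this hunk.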
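Review bot: The new `/var/lib/private/tang` entry in the impermanence hunk carries no note on why it must survive a reboot, and for this entry the consequence of losing state is worse than for the others: presumably this directory holds the tang service's keys, and those keys are what every client JWE (such as tywin's) is bound to, so an unpersisted directory would leave clients unable to unlock after the Tang host reboots. Suggest `(listIf config.services.tang.enable [ "/var/lib/private/tang" ]); # Tang keys: every client JWE is bound to them`. The surrounding `directories` expression continues outside the hunk.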
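Review bot: The new `"10.64.50.20/32"` entry in the tang.nix hunk allowlists a single address with nothing saying which host it is; given that tywin's initrd now brings the network up with `ip=dhcp` (first hunk of this patch), the unlock works only while tywin's lease is exactly that address, and the router hunk in this patch adds a reservation for sodium only, so tywin's reservation is presumably elsewhere — worth confirming. Suggest `"10.64.50.20/32" # tywin (initrd unlock over DHCP; keep the router reservation in sync)`, and the existing `"138.201.252.214/32"` would benefit from the same labelling. The enclosing `let ... in` block and attribute set extend outside the hunk.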