tywin: enable clevis/tang for boot
This commit is contained in:
parent
bd5efa3648
commit
cde6bdd498
@ -2,6 +2,6 @@
|
|||||||
|
|
||||||
Additional installation step for Clevis/Tang:
|
Additional installation step for Clevis/Tang:
|
||||||
|
|
||||||
$ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
|
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
|
||||||
$ sudo chown root:root /mnt/data/disk_encryption.jwe
|
$ sudo chown root:root /mnt/data/disk_encryption.jwe
|
||||||
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe
|
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe
|
||||||
|
@ -205,6 +205,7 @@
|
|||||||
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
||||||
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
||||||
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
|
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
|
||||||
|
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -64,6 +64,7 @@
|
|||||||
interfaces = {
|
interfaces = {
|
||||||
eth0 = {
|
eth0 = {
|
||||||
allowedTCPPorts = lib.mkForce [
|
allowedTCPPorts = lib.mkForce [
|
||||||
|
7654 # Tang
|
||||||
];
|
];
|
||||||
allowedUDPPorts = lib.mkForce [
|
allowedUDPPorts = lib.mkForce [
|
||||||
];
|
];
|
||||||
|
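Review bot: Opening 7654 on eth0 exposes Tang to every host that can reach that interface, and the only explanation in the hunk is the bare `# Tang` marker. Tang's exchange is designed to run unauthenticated over plain HTTP, so the firewall entry itself is fine, but the only source restriction visible in this commit is the systemd `ipAddressAllow` entry added elsewhere, which presumably gates this same service; a comment here should point at it so nobody widens one without the other, e.g. `7654 # Tang (clevis root unlock for tywin; source-restricted by services.tang ipAddressAllow)`. The enclosing interfaces block starts and ends outside the hunk.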
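--- /dev/null
+++ b/hosts/tywin.storage.ts.hillion.co.uk/README.md
@@ -0,0 +1,7 @@
+# tywin.storage.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
+$ sudo chown root:root /mnt/disk_encryption.jwe
+$ sudo chmod 0400 /mnt/disk_encryption.jwe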
14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
Normal file
14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
{
|
||||||
|
"t": 1,
|
||||||
|
"pins": {
|
||||||
|
"tang": [
|
||||||
|
{
|
||||||
|
"url": "http://10.64.50.21:7654"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"url": "http://10.64.50.25:7654"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
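Review bot: `"t": 1` with two Tang pins means either server alone can unlock the root volume, so this is a high-availability threshold rather than a two-server requirement: whoever walks off with the disk needs to reach only one of 10.64.50.21 or 10.64.50.25 from an allowed source address. That trade-off is reasonable for a storage host that must come back up unattended, but strict JSON cannot carry a comment, so record it in the host README this commit adds, together with a note that the `http://` URLs are expected (the Tang exchange does not rely on transport secrecy, and as far as I recall clevis pins the server's advertised keys in the JWE at encrypt time, so a rogue host at that IP cannot answer). Also note that the JWE is bound to these two literal addresses while the `tang` host list elsewhere in the commit uses FQDNs; renumbering a Tang server silently removes it from the quorum, which with `t: 1` only shows up when the other one is also down.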
@ -15,6 +15,20 @@
|
|||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
"ip=dhcp"
|
||||||
|
"zfs.zfs_arc_max=25769803776"
|
||||||
|
];
|
||||||
|
boot.initrd = {
|
||||||
|
availableKernelModules = [ "r8169" ];
|
||||||
|
network.enable = true;
|
||||||
|
clevis = {
|
||||||
|
enable = true;
|
||||||
|
useTang = true;
|
||||||
|
devices."root".secretFile = "/disk_encryption.jwe";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
custom.locations.autoServe = true;
|
custom.locations.autoServe = true;
|
||||||
custom.defaults = true;
|
custom.defaults = true;
|
||||||
|
|
||||||
@ -40,7 +54,6 @@
|
|||||||
forceImportRoot = false;
|
forceImportRoot = false;
|
||||||
extraPools = [ "data" ];
|
extraPools = [ "data" ];
|
||||||
};
|
};
|
||||||
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
|
|
||||||
|
|
||||||
services.btrfs.autoScrub = {
|
services.btrfs.autoScrub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
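Review bot: The `clevis` block says nothing about what the root unlock now depends on, and `secretFile = "/disk_encryption.jwe"` is read from the root filesystem at build time and — if I read the NixOS clevis module correctly — copied into the initrd on the unencrypted ESP. That is how Tang is meant to work (the JWE is useless without a reachable Tang server), but it means the disk is protected only while it is away from the network the Tang servers answer on, so a comment above `clevis = {` should say so: `# Root auto-unlocks via Tang (see clevis_config.json and README). The JWE is baked into the initrd, so the real control is the Tang servers' network position; keep services.tang ipAddressAllow tight.`. A note on what happens when neither 10.64.50.21 nor .25 answers at boot (passphrase fallback vs. hang) would help whoever next debugs a failed `ip=dhcp` on `r8169`. The JWE itself comes from the README's `echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt …` step; `printf '%s' "$DISK_ENCRYPTION_PASSWORD"` avoids word-splitting and `echo`'s option/escape handling, either of which would silently wrap a different passphrase than the one LUKS has.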
@ -50,7 +50,8 @@ in
|
|||||||
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
|
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
|
||||||
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
|
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
|
||||||
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
|
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
|
||||||
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
|
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]) ++
|
||||||
|
(listIf config.services.tang.enable [ "/var/lib/private/tang" ]);
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager.users =
|
home-manager.users =
|
||||||
|
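Review bot: Adding `/var/lib/private/tang` to this list puts the Tang server's private keys into whatever the list feeds, and the hunk does not say whether that is impermanence persistence (required — regenerated keys on reboot would orphan every JWE pinned to the old ones) or a backup set. If it is a backup set, a copy of the backup plus any client's clevis JWE (which NixOS embeds in that client's initrd, as far as I can tell) is enough to unlock that client's disk offline, widening the Tang threat model from "attacker on the LAN" to "attacker with the backups". Either way the directory lives under `private/` presumably because tang runs as a DynamicUser with a root-only 0700 state dir, so whatever copies it should preserve mode and ownership. A one-line comment on the entry, `# tang signing/exchange keys: losing them orphans every JWE, leaking them unlocks every disk`, records both sides. The enclosing expression starts outside the hunk.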
@ -28,6 +28,7 @@ in
|
|||||||
tang = [
|
tang = [
|
||||||
"li.pop.ts.hillion.co.uk"
|
"li.pop.ts.hillion.co.uk"
|
||||||
"microserver.home.ts.hillion.co.uk"
|
"microserver.home.ts.hillion.co.uk"
|
||||||
|
"sodium.pop.ts.hillion.co.uk"
|
||||||
];
|
];
|
||||||
unifi = "boron.cx.ts.hillion.co.uk";
|
unifi = "boron.cx.ts.hillion.co.uk";
|
||||||
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
|
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
|
||||||
|
@ -13,6 +13,7 @@ in
|
|||||||
enable = true;
|
enable = true;
|
||||||
ipAddressAllow = [
|
ipAddressAllow = [
|
||||||
"138.201.252.214/32"
|
"138.201.252.214/32"
|
||||||
|
"10.64.50.20/32"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
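Review bot: The new `10.64.50.20/32` entry has no comment saying which host it is, and the allow-list only works if that host always gets that address — presumably tywin via the initrd's `ip=dhcp`, which makes the unlock silently depend on a DHCP reservation that is not part of this hunk. Annotate it, e.g. `"10.64.50.20/32" # tywin (initrd ip=dhcp; must match its DHCP reservation)`. It is also worth recording that a source-address allow-list is defense in depth rather than authentication: an attacker holding the stolen disk who can plug into the same segment can simply claim that address, so the control that actually matters is keeping the segment closed. The enclosing ipAddressAllow/service block extends outside the hunk.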
|