author | Alex Auvolat <alex@adnab.me> | 2022-12-24 22:59:37 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-12-24 22:59:37 +0100 |
commit | 8d17a07c9be5cd9d400644c34ea50177535d15f6 (patch) | |
tree | cac734f62d4c04c898d4e70d1e2ba65f933317ca /doc | |
parent | 4b527c4db8060679d21e5bb596bde91ce39df393 (diff) | |
download | nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.tar.gz nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.zip |
reorganize some things
Diffstat (limited to 'doc')
-rw-r--r-- | doc/example-hardware-configuration.nix | 38 | ||||
-rw-r--r-- | doc/nixos-install-luks.md | 182 |
2 files changed, 0 insertions, 220 deletions
diff --git a/doc/example-hardware-configuration.nix b/doc/example-hardware-configuration.nix
deleted file mode 100644
index 0a72bd1..0000000
--- a/doc/example-hardware-configuration.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  boot.initrd.luks.devices."cryptlvm" = {
-    device = "/dev/disk/by-uuid/5d4fcef7-433d-43a9-be26-be940ce291c0";
-    allowDiscards = true;
-  };
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5bad79e1-fdbf-48f3-861f-6810adc76195";
-      fsType = "ext4";
-      options = [ "relatime" "discard" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/07E8-5958";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/a3e0bae8-8b07-4e66-a4a7-6955639f2155"; }
-    ];
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
-
diff --git a/doc/nixos-install-luks.md b/doc/nixos-install-luks.md
deleted file mode 100644
index 3f0feca..0000000
--- a/doc/nixos-install-luks.md
+++ /dev/null
@@ -1,182 +0,0 @@
-## Preparation
-
-Download NixOS 21.11 ISO. Burn to USB.
-
-## Booting into install environment
-
-Boot the ISO on PC to install.
-
-Become root with `sudo su`
-
-```bash
-loadkeys fr
-setfont sun12x22
-```
-
-Do network config if necessary, see [install guide](https://nixos.org/manual/nixos/stable/index.html#sec-installation-booting-networking)
-
-## Make partitions
-
-```bash
-cgdisk /dev/sda
-```
-
-Recommended layout:
-
-```
-/dev/sda1 512M ef00 EFI System partition
-/dev/sda2 100% 8309 Linux LUKS
-```
-
-## Setup cryptography
-
-```bash
-cryptsetup luksFormat /dev/sda2
-cryptsetup open /dev/sda2 cryptlvm
-```
-
-## Create PV, VG and LVs
-
-```bash
-pvcreate /dev/mapper/cryptlvm
-vgcreate NixosVG /dev/mapper/cryptlvm
-lvcreate -L 8G NixosVG -n swap
-lvcreate -l 100%FREE NixosVG -n root
-```
-
-## Format partitions
-
-```bash
-mkfs.fat -F 32 -n boot /dev/sda1
-mkswap /dev/NixosVG/swap
-mkfs.ext4 /dev/NixosVG/root
-```
-
-## Mount partitions
-
-```bash
-swapon /dev/NixosVG/swap
-mount /dev/NixosVG/root /mnt
-mkdir /mnt/boot
-mount /dev/sda1 /mnt/boot
-```
-
-## Generate base NixOS configuration
-
-```bash
-nixos-generate-config --root /mnt
-```
-
-## Update `hardware-configuration.nix`
-
-This section is needed:
-
-```nix
-  boot.initrd.luks.devices."cryptlvm" = {
-    device = "/dev/disk/by-uuid/<uuid of sda2>";
-    allowDiscards = true;
-  };
-```
-
-And for the root filesystem, remember to add the `relatime` and `discard` options so that it looks like this:
-
-```nix
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/<...>";
-      fsType = "ext4";
-      options = [ "relatime" "discard" ];
-    };
-```
-
-## Update `configuration.nix`
-
-Just enough so that basic tasks can be done from keyboard and remotely:
-
-- timezone
-- keyboard layout
-- font `sun12x22`
-- vim
-- non-root user
-- ssh
-- tcp port 22 in firewall
-
-## Do the installation
-
-```bash
-nixos-install
-```
-
-## First boot
-
-Reboot machine. Login as `root`
-
-```bash
-passwd <nonroot user>
-```
-
-If necessary, assign static IP. E.g. `ip addr add 192.168.1.40/24 dev eno1` or sth (replace ip and device appropriately)
-
-Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
-
-## Deploy from this repo
-
-See [this documentation](quick-start.md).
-
-## Old guide
-
-It's time!
-
-**Files in this repo to create/change:**
-
-- create node `.nix` file and symlink for node `.site.nix` (create site and
-  cluster `.nix` files if necessary; use existing files of e.g. the staging
-  cluster as examples/templates)
-- make sure values are filled in correctly
-- add node to `ssh_config` with it's LAN IP, we don't have VPN at this stage
-
-**Configuration steps on the node:**
-
-```bash
-# On node being installed
-mkdir -p /var/lib/deuxfleurs/remote-unlock
-cd /var/lib/deuxfleurs/remote-unlock
-ssh-keygen -t ed25519 -N "" -f ./ssh_host_ed25519_key
-```
-
-**Try to deploy:**
-
-```bash
-# In nixcfg repository from your PC
-./deploy.sh <cluster> <nodename>
-```
-
-Reboot.
-
-Check remote unlocking works: `ssh -p 222 root@<ip>`
-
-## Configure wireguard
-
-```bash
-# On node being installed
-mkdir -p /var/lib/deuxfleurs/wireguard-keys
-cd /var/lib/deuxfleurs/wireguard-keys
-wg genkey | tee private | wg pubkey > public
-```
-
-Get the public key, make sure it is in `cluster.nix` so that nodes know one
-another. Also put it anywhere else like in your local wireguard config for
-instance so that you can access the node from your PC by its wireguard address
-and not only its LAN address.
-
-Redo a deploy (`./deploy.sh <cluster> <nodename>`)
-
-Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home).
-
-## Commit changes to `nixcfg` repo
-
-This is a good point to commit your new/modified `.nix` files.
-
-## Configure Nomad and Consul TLS
-
-If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to
-make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy.
|