author    Alex Auvolat <alex@adnab.me>  2022-12-24 22:59:37 +0100
committer Alex Auvolat <alex@adnab.me>  2022-12-24 22:59:37 +0100
commit    8d17a07c9be5cd9d400644c34ea50177535d15f6 (patch)
tree      cac734f62d4c04c898d4e70d1e2ba65f933317ca /experimental/luks-fde/nixos-install-luks.md
parent    4b527c4db8060679d21e5bb596bde91ce39df393 (diff)
reorganize some things
Diffstat (limited to 'experimental/luks-fde/nixos-install-luks.md')
-rw-r--r--  experimental/luks-fde/nixos-install-luks.md  182
1 files changed, 182 insertions, 0 deletions
diff --git a/experimental/luks-fde/nixos-install-luks.md b/experimental/luks-fde/nixos-install-luks.md
new file mode 100644
index 0000000..9e173f7
--- /dev/null
+++ b/experimental/luks-fde/nixos-install-luks.md
@@ -0,0 +1,182 @@
+## Preparation
+
+Download NixOS. Burn to USB.
+
+## Booting into install environment
+
+Boot the ISO on PC to install.
+
+Become root with `sudo su`
+
+```bash
+loadkeys fr
+setfont sun12x22
+```
+
+Do network config if necessary, see [install guide](https://nixos.org/manual/nixos/stable/index.html#sec-installation-booting-networking)
+
+## Make partitions
+
+```bash
+cgdisk /dev/sda
+```
+
+Recommended layout:
+
+```
+/dev/sda1 512M ef00 EFI System partition
+/dev/sda2 100% 8309 Linux LUKS
+```
+
+## Setup cryptography
+
+```bash
+cryptsetup luksFormat /dev/sda2
+cryptsetup open /dev/sda2 cryptlvm
+```
+
+## Create PV, VG and LVs
+
+```bash
+pvcreate /dev/mapper/cryptlvm
+vgcreate NixosVG /dev/mapper/cryptlvm
+lvcreate -L 8G NixosVG -n swap
+lvcreate -l 100%FREE NixosVG -n root
+```
+
+## Format partitions
+
+```bash
+mkfs.fat -F 32 -n boot /dev/sda1
+mkswap /dev/NixosVG/swap
+mkfs.ext4 /dev/NixosVG/root
+```
+
+## Mount partitions
+
+```bash
+swapon /dev/NixosVG/swap
+mount /dev/NixosVG/root /mnt
+mkdir /mnt/boot
+mount /dev/sda1 /mnt/boot
+```
+
+## Generate base NixOS configuration
+
+```bash
+nixos-generate-config --root /mnt
+```
+
+## Update `hardware-configuration.nix`
+
+This section is needed:
+
+```nix
+ boot.initrd.luks.devices."cryptlvm" = {
+ device = "/dev/disk/by-uuid/<uuid of sda2>";
+ allowDiscards = true;
+ };
+```
+
+And for the root filesystem, remember to add the `relatime` and `discard` options so that it looks like this:
+
+```nix
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/<...>";
+ fsType = "ext4";
+ options = [ "relatime" "discard" ];
+ };
+```
+
+## Update `configuration.nix`
+
+Just enough so that basic tasks can be done from keyboard and remotely:
+
+- timezone
+- keyboard layout
+- font `sun12x22`
+- vim
+- non-root user
+- ssh
+- tcp port 22 in firewall
+
+## Do the installation
+
+```bash
+nixos-install
+```
+
+## First boot
+
+Reboot machine. Login as `root`
+
+```bash
+passwd <nonroot user>
+```
+
+If necessary, assign static IP. E.g. `ip addr add 192.168.1.40/24 dev eno1` or sth (replace ip and device appropriately)
+
+Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
+
+## Deploy from this repo
+
+See the documentation in `/doc` in this repo. The old procedure described here is partly obsolete.
+
+## Old guide
+
+It's time!
+
+**Files in this repo to create/change:**
+
+- create node `.nix` file and symlink for node `.site.nix` (create site and
+ cluster `.nix` files if necessary; use existing files of e.g. the staging
+ cluster as examples/templates)
+- make sure values are filled in correctly
+- add node to `ssh_config` with it's LAN IP, we don't have VPN at this stage
+
+**Configuration steps on the node:**
+
+```bash
+# On node being installed
+mkdir -p /var/lib/deuxfleurs/remote-unlock
+cd /var/lib/deuxfleurs/remote-unlock
+ssh-keygen -t ed25519 -N "" -f ./ssh_host_ed25519_key
+```
+
+**Try to deploy:**
+
+```bash
+# In nixcfg repository from your PC
+./deploy.sh <cluster> <nodename>
+```
+
+Reboot.
+
+Check remote unlocking works: `ssh -p 222 root@<ip>`
+
+### Configure wireguard
+
+```bash
+# On node being installed
+mkdir -p /var/lib/deuxfleurs/wireguard-keys
+cd /var/lib/deuxfleurs/wireguard-keys
+wg genkey | tee private | wg pubkey > public
+```
+
+Get the public key, make sure it is in `cluster.nix` so that nodes know one
+another. Also put it anywhere else like in your local wireguard config for
+instance so that you can access the node from your PC by its wireguard address
+and not only its LAN address.
+
+Redo a deploy (`./deploy.sh <cluster> <nodename>`)
+
+Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home).
+
+### Commit changes to `nixcfg` repo
+
+This is a good point to commit your new/modified `.nix` files.
+
+### Configure Nomad and Consul TLS
+
+If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to
+make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy.
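Review bot: the `allowDiscards = true;` and `options = [ "relatime" "discard" ];` snippets under "Update `hardware-configuration.nix`" turn on TRIM passthrough for the LUKS container without documenting the trade-off; the NixOS option description itself warns of security implications, because discards let anyone reading the raw disk see which blocks are unused and so infer the filesystem type and rough usage pattern of the encrypted volume. Suggest a one-line note after that snippet saying this is a deliberate choice for SSD performance and longevity, and that both `allowDiscards` and the `discard` mount option can be dropped on hosts where that leak matters. Smaller points in the same hunk: "add node to `ssh_config` with it's LAN IP" should read "its"; and for the remote-unlock check `ssh -p 222 root@<ip>`, it is worth stating that the host key on port 222 is the freshly generated `ssh_host_ed25519_key` from `/var/lib/deuxfleurs/remote-unlock`, distinct from the installed system's key on port 22, so a host-key prompt on first connection is expected rather than a sign of something wrong.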