diff options
author | Alex Auvolat <alex@adnab.me> | 2022-12-24 22:59:37 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-12-24 22:59:37 +0100 |
commit | 8d17a07c9be5cd9d400644c34ea50177535d15f6 (patch) | |
tree | cac734f62d4c04c898d4e70d1e2ba65f933317ca /experimental/luks-fde/nixos-install-luks.md | |
parent | 4b527c4db8060679d21e5bb596bde91ce39df393 (diff) | |
download | nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.tar.gz nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.zip |
reorganize some things
Diffstat (limited to 'experimental/luks-fde/nixos-install-luks.md')
-rw-r--r-- | experimental/luks-fde/nixos-install-luks.md | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/experimental/luks-fde/nixos-install-luks.md b/experimental/luks-fde/nixos-install-luks.md new file mode 100644 index 0000000..9e173f7 --- /dev/null +++ b/experimental/luks-fde/nixos-install-luks.md @@ -0,0 +1,182 @@ +## Preparation + +Download NixOS. Burn to USB. + +## Booting into install environment + +Boot the ISO on PC to install. + +Become root with `sudo su` + +```bash +loadkeys fr +setfont sun12x22 +``` + +Do network config if necessary, see [install guide](https://nixos.org/manual/nixos/stable/index.html#sec-installation-booting-networking) + +## Make partitions + +```bash +cgdisk /dev/sda +``` + +Recommended layout: + +``` +/dev/sda1 512M ef00 EFI System partition +/dev/sda2 100% 8309 Linux LUKS +``` + +## Setup cryptography + +```bash +cryptsetup luksFormat /dev/sda2 +cryptsetup open /dev/sda2 cryptlvm +``` + +## Create PV, VG and LVs + +```bash +pvcreate /dev/mapper/cryptlvm +vgcreate NixosVG /dev/mapper/cryptlvm +lvcreate -L 8G NixosVG -n swap +lvcreate -l 100%FREE NixosVG -n root +``` + +## Format partitions + +```bash +mkfs.fat -F 32 -n boot /dev/sda1 +mkswap /dev/NixosVG/swap +mkfs.ext4 /dev/NixosVG/root +``` + +## Mount partitions + +```bash +swapon /dev/NixosVG/swap +mount /dev/NixosVG/root /mnt +mkdir /mnt/boot +mount /dev/sda1 /mnt/boot +``` + +## Generate base NixOS configuration + +```bash +nixos-generate-config --root /mnt +``` + +## Update `hardware-configuration.nix` + +This section is needed: + +```nix + boot.initrd.luks.devices."cryptlvm" = { + device = "/dev/disk/by-uuid/<uuid of sda2>"; + allowDiscards = true; + }; +``` + +And for the root filesystem, remember to add the `relatime` and `discard` options so that it looks like this: + +```nix + fileSystems."/" = + { device = "/dev/disk/by-uuid/<...>"; + fsType = "ext4"; + options = [ "relatime" "discard" ]; + }; +``` + +## Update `configuration.nix` + +Just enough so that basic tasks can be done from keyboard and remotely: + +- timezone +- keyboard layout +- font `sun12x22` +- vim +- non-root user +- ssh +- tcp port 22 in firewall + +## Do the installation + +```bash +nixos-install +``` + +## First boot + +Reboot machine. Login as `root` + +```bash +passwd <nonroot user> +``` + +If necessary, assign static IP. E.g. `ip addr add 192.168.1.40/24 dev eno1` or sth (replace ip and device appropriately) + +Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good. + +## Deploy from this repo + +See the documentation in `/doc` in this repo. The old procedure described here is partly obsolete. + +## Old guide + +It's time! + +**Files in this repo to create/change:** + +- create node `.nix` file and symlink for node `.site.nix` (create site and + cluster `.nix` files if necessary; use existing files of e.g. the staging + cluster as examples/templates) +- make sure values are filled in correctly +- add node to `ssh_config` with it's LAN IP, we don't have VPN at this stage + +**Configuration steps on the node:** + +```bash +# On node being installed +mkdir -p /var/lib/deuxfleurs/remote-unlock +cd /var/lib/deuxfleurs/remote-unlock +ssh-keygen -t ed25519 -N "" -f ./ssh_host_ed25519_key +``` + +**Try to deploy:** + +```bash +# In nixcfg repository from your PC +./deploy.sh <cluster> <nodename> +``` + +Reboot. + +Check remote unlocking works: `ssh -p 222 root@<ip>` + +### Configure wireguard + +```bash +# On node being installed +mkdir -p /var/lib/deuxfleurs/wireguard-keys +cd /var/lib/deuxfleurs/wireguard-keys +wg genkey | tee private | wg pubkey > public +``` + +Get the public key, make sure it is in `cluster.nix` so that nodes know one +another. Also put it anywhere else like in your local wireguard config for +instance so that you can access the node from your PC by its wireguard address +and not only its LAN address. + +Redo a deploy (`./deploy.sh <cluster> <nodename>`) + +Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home). + +### Commit changes to `nixcfg` repo + +This is a good point to commit your new/modified `.nix` files. + +### Configure Nomad and Consul TLS + +If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to +make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy. |