Add remote LUKS unlocking configuration
This commit is contained in:
parent
20ab1f7b8a
commit
6dc9281299
15 changed files with 141 additions and 66 deletions
|
@ -28,7 +28,7 @@ job "garage-staging" {
|
|||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "dxflrs/amd64_garage:884e7f0f04fc04bdf453dade98f31a1511c9a214"
|
||||
image = "dxflrs/amd64_garage:5afab390d80c57a275a52752c10a0a3c29a3b233"
|
||||
command = "/garage"
|
||||
args = [ "server" ]
|
||||
network_mode = "host"
|
||||
|
|
|
@ -10,13 +10,9 @@
|
|||
|
||||
networking.hostName = "celeri";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.33";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.33";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::33";
|
||||
|
|
|
@ -10,13 +10,9 @@
|
|||
|
||||
networking.hostName = "concombre";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.31";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.31";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::31";
|
||||
|
|
|
@ -10,13 +10,9 @@
|
|||
|
||||
networking.hostName = "courgette";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.32";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.32";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::32";
|
||||
|
|
|
@ -1,11 +1,9 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.1.254";
|
||||
interface = "eno1";
|
||||
};
|
||||
networking.nameservers = [ "192.168.1.254" ];
|
||||
|
||||
deuxfleurs.site_name = "neptune";
|
||||
deuxfleurs.lan_default_gateway = "192.168.1.254";
|
||||
deuxfleurs.lan_ip_prefix_length = 24;
|
||||
|
||||
networking.nameservers = [ "192.168.1.254" ];
|
||||
}
|
||||
|
|
|
@ -10,13 +10,9 @@
|
|||
|
||||
networking.hostName = "carcajou";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.22";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.22";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::22";
|
||||
|
|
|
@ -10,13 +10,9 @@
|
|||
|
||||
networking.hostName = "cariacou";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.21";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.21";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::21";
|
||||
|
|
|
@ -3,6 +3,11 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./remote-unlock.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.timeout = 20;
|
||||
|
@ -10,13 +15,9 @@
|
|||
|
||||
networking.hostName = "caribou";
|
||||
|
||||
networking.interfaces.eno1.useDHCP = false;
|
||||
networking.interfaces.eno1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.23";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
deuxfleurs.network_interface = "eno1";
|
||||
deuxfleurs.lan_ip = "192.168.1.23";
|
||||
|
||||
networking.interfaces.eno1.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:e0a:c:a720::23";
|
||||
|
|
|
@ -1,13 +1,11 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.1.254";
|
||||
interface = "eno1";
|
||||
};
|
||||
networking.nameservers = [ "192.168.1.254" ];
|
||||
|
||||
deuxfleurs.site_name = "neptune";
|
||||
deuxfleurs.lan_default_gateway = "192.168.1.254";
|
||||
deuxfleurs.lan_ip_prefix_length = 24;
|
||||
|
||||
networking.nameservers = [ "192.168.1.254" ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
|
|
|
@ -40,6 +40,7 @@
|
|||
nmap
|
||||
bind
|
||||
inetutils
|
||||
pciutils
|
||||
vim
|
||||
tmux
|
||||
ncdu
|
||||
|
|
|
@ -40,6 +40,7 @@ for NIXHOST in $NIXHOSTLIST; do
|
|||
ssh -F $SSH_CONFIG $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
|
||||
cat configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
|
||||
cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
|
||||
cat nix/remote-unlock.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/remote-unlock.nix > /dev/null
|
||||
cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
|
||||
cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
|
||||
cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
||||
|
@ -57,7 +58,9 @@ for NIXHOST in $NIXHOSTLIST; do
|
|||
set -ex
|
||||
|
||||
cd $TMP_PATH
|
||||
mv deuxfleurs.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
|
||||
mv deuxfleurs.nix remote-unlock.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
|
||||
|
||||
nixos-rebuild switch
|
||||
|
||||
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
||||
|
||||
|
@ -73,8 +76,6 @@ if [ -f pki/nomad-ca.crt ]; then
|
|||
mv pki/nomad* /var/lib/nomad/pki
|
||||
fi
|
||||
|
||||
nixos-rebuild switch
|
||||
|
||||
# Save up-to-date Consul client certificates in Consul itself
|
||||
export CONSUL_HTTP_ADDR=https://localhost:8501
|
||||
export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
|
||||
|
|
38
doc/example-hardware-configuration.nix
Normal file
38
doc/example-hardware-configuration.nix
Normal file
|
@ -0,0 +1,38 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.initrd.luks.devices."cryptlvm" = {
|
||||
device = "/dev/disk/by-uuid/5d4fcef7-433d-43a9-be26-be940ce291c0";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/5bad79e1-fdbf-48f3-861f-6810adc76195";
|
||||
fsType = "ext4";
|
||||
options = [ "relatime" "discard" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/07E8-5958";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/a3e0bae8-8b07-4e66-a4a7-6955639f2155"; }
|
||||
];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
@ -29,11 +29,20 @@ in
|
|||
};
|
||||
in
|
||||
{
|
||||
# Parameters that may vary between nodes
|
||||
site_name = mkOption {
|
||||
description = "Site (availability zone) on which this node is deployed";
|
||||
# Parameters for individual nodes
|
||||
network_interface = mkOption {
|
||||
description = "Network interface name to configure";
|
||||
type = types.str;
|
||||
};
|
||||
lan_ip = mkOption {
|
||||
description = "IP address of this node on the local network interface";
|
||||
type = types.str;
|
||||
};
|
||||
lan_ip_prefix_length = mkOption {
|
||||
description = "Prefix length associated with lan_ip";
|
||||
type = types.int;
|
||||
};
|
||||
|
||||
vpn_ip = mkOption {
|
||||
description = "IP address of this node on the Wireguard VPN";
|
||||
type = types.str;
|
||||
|
@ -48,6 +57,17 @@ in
|
|||
default = false;
|
||||
};
|
||||
|
||||
|
||||
# Parameters that generally vary between sites
|
||||
lan_default_gateway = mkOption {
|
||||
description = "IP address of the default route on the locak network interface";
|
||||
type = types.str;
|
||||
};
|
||||
site_name = mkOption {
|
||||
description = "Site (availability zone) on which this node is deployed";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
# Parameters common to all nodes
|
||||
cluster_name = mkOption {
|
||||
description = "Name of this Deuxfleurs deployment";
|
||||
|
@ -75,6 +95,21 @@ in
|
|||
openssh.authorizedKeys.keys = publicKeys;
|
||||
}) cfg.admin_accounts;
|
||||
|
||||
# Configure network interfaces
|
||||
networking.interfaces = attrsets.setAttrByPath [ config.deuxfleurs.network_interface ] {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = config.deuxfleurs.lan_ip;
|
||||
prefixLength = config.deuxfleurs.lan_ip_prefix_length;
|
||||
}
|
||||
];
|
||||
};
|
||||
networking.defaultGateway = {
|
||||
address = config.deuxfleurs.lan_default_gateway;
|
||||
interface = config.deuxfleurs.network_interface;
|
||||
};
|
||||
|
||||
# Configure Wireguard VPN between all nodes
|
||||
networking.wireguard.interfaces.wg0 = {
|
||||
ips = [ "${cfg.vpn_ip}/16" ];
|
||||
|
|
26
nix/remote-unlock.nix
Normal file
26
nix/remote-unlock.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
with builtins;
|
||||
with pkgs.lib;
|
||||
{
|
||||
config = {
|
||||
boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.admin_accounts);
|
||||
hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
|
||||
};
|
||||
boot.initrd.network.postCommands = ''
|
||||
ip addr add ${config.deuxfleurs.lan_ip}/${toString config.deuxfleurs.lan_ip_prefix_length} dev ${config.deuxfleurs.network_interface}
|
||||
ip link set dev ${config.deuxfleurs.network_interface} up
|
||||
ip route add default via ${config.deuxfleurs.lan_default_gateway} dev ${config.deuxfleurs.network_interface}
|
||||
ip a
|
||||
ip route
|
||||
ping -c 4 ${config.deuxfleurs.lan_default_gateway}
|
||||
echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
@ -1,14 +1,11 @@
|
|||
10.42.0.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
|
||||
10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
|
||||
10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
|
||||
10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL
|
||||
10.42.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
|
||||
10.42.1.31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
|
||||
10.42.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
|
||||
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
|
||||
192.168.1.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
|
||||
192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
|
||||
10.42.2.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL
|
||||
10.42.2.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
|
||||
10.42.2.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
|
||||
10.42.2.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
|
||||
192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsYD1gNmGyb6c9wjGR6tC69fHP6+FpPHTBT6laPTHeD
|
||||
10.42.2.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsYD1gNmGyb6c9wjGR6tC69fHP6+FpPHTBT6laPTHeD
|
||||
|
|
Loading…
Reference in a new issue