use host key with agenix

README.md

@@ -9,6 +9,10 @@ a flaky example of NixOS configuration with full-disk encryption, home-manager,
 
    `nix build .#nixosConfigurations.iso.config.system.build.isoImage --impure`
 
+   or
+
+   `nix build github:bluesquall/tabula-rasa/ragenix#nixosConfigurations.iso.config.system.build.isoImage` --impure
+
 1. boot into the [NixOS] live system
 
    - connect to your WiFi network:
@@ -48,11 +52,11 @@ you can install it on a non-NixOS sytstem (e.g., Ubuntu with nix & flakes).
 
   - [x] implement a simple secure example using out-of-band storage
 
-  - [ ] provide an example using `agenix`
+  - [x] provide an example using `agenix`
 
-    - [ ] and a derivative example using `ragenix`
+    - [x] and a derivative example using `ragenix`
 
-  - [ ] provide an example using `nix-sops`
+  - [x] provide an example using `nix-sops`
 
 ### shell
 

mknix

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+set -e
+
+# remote:
+url="github:bluesquall/tabula-rasa/ragenix#encom"
+# local:
+url=".#encom"
+
+usage() {
+  echo "please specify the drive to prepare for NixOS (e.g., /dev/nvme0n1)";
+}
+
+while [[ $# -gt 1 ]]; do
+  case "$1" in
+    -u | --url )
+      shift
+      url="$1"
+      host=$(echo ${url} | cut -d "#" -f 2)
+      ;;
+    *)
+      usage;
+      exit 1;
+  esac
+  shift
+done
+
+if [[ $# == 1 ]]; then
+  drive="$1";
+else
+  usage;
+  exit 1;
+fi
+
+if [[ -f "/tmp/ssh_host_ed25519_key" ]]; then
+  echo "ragenix will use ed25519 host private key from /tmp"
+else
+  echo "please put a ed25519 host private key in /tmp"
+  echo "and make sure secrets.yaml has been encoded for the"
+  echo "corresponding public key"
+  exit 1;
+fi
+
+echo "preparing drive ${drive} for NixOS"
+echo ""
+echo "WARNING!"
+echo "this script will overwrite everything on ${drive}"
+echo "the current partition table on ${drive} is:"
+sgdisk --print ${drive}
+read -r -p "type ${drive} to confirm and overwrite partitions ~> " confirm
+if [[ ! ${confirm} == ${drive} ]]; then exit 1; fi
+
+sgdisk --clear ${drive}
+sgdisk --new 1:4096:1024000 --typecode 1:ef00 --change-name 1:EFI ${drive}
+sgdisk --new 2:1024001: --typecode 2:8309 --change-name 2:ZED ${drive}
+sgdisk --print ${drive}
+partprobe ${drive}; sleep 2
+
+mkfs.vfat -n EFI /dev/disk/by-partlabel/EFI
+
+zpool create -f -O atime=off -O snapdir=visible -O xattr=sa -O acltype=posixacl -O compression=lz4 -O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase -o ashift=12 -o altroot=/mnt rpool /dev/disk/by-partlabel/ZED
+zfs create -p -o reservation=1G -o mountpoint=none rpool/reserved # ZFS is copy-on-write
+zfs create -p -o mountpoint=legacy rpool/transient/root
+zfs snapshot rpool/transient/root@blank
+
+mount -t zfs rpool/transient/root /mnt
+echo "generating ssh RSA host keys"
+mkdir -p /mnt/etc/ssh
+ssh-keygen -q -t rsa -b 4096 -C "${hostname}" -N "" -f /mnt/etc/ssh/ssh_host_rsa_key
+echo "moving ssh ed25519 host secret key from /tmp to /etc/ssh"
+echo "  so ragenix can find and use it"
+mv /tmp/ssh_host_ed25519_key /mnt/etc/ssh
+ssh-keygen -yf /mnt/etc/ssh/ssh_host_ed25519_key > /mnt/etc/ssh/ssh_host_ed25519_key.pub
+echo "ssh ed25519 host public key in /etc/ssh:"
+cat /mnt/etc/ssh/ssh_host_ed25519_key.pub
+echo "taking a snapshot of root ready to bootstrap"
+zfs snapshot rpool/transient/root@strap
+zfs diff rpool/transient/root@blank rpool/transient/root@strap
+
+mkdir -p /mnt/boot
+mount /dev/disk/by-partlabel/EFI /mnt/boot
+
+zfs create -p -o mountpoint=legacy rpool/transient/nix
+zfs snapshot rpool/transient/nix@blank
+mkdir -p /mnt/nix
+mount -t zfs rpool/transient/nix /mnt/nix
+
+zfs create -p -o copies=2 -o mountpoint=legacy rpool/persistent/home
+zfs snapshot rpool/persistent/home@blank
+mkdir -p /mnt/home
+mount -t zfs rpool/persistent/home /mnt/home
+
+# zfs create -o compression=off -V 4G rpool/swap
+# mkswap -L SWAP /dev/zvol/rpool/swap
+
+zpool set bootfs=rpool/transient/root rpool # < set boot fs:
+
+#TODO add auto-snapshots of /home
+
+echo "running nixos-install"
+time nixos-install --flake ${url} --no-root-password
+
+zpool export rpool
+
+umount -R /mnt
+
+echo ""
+echo "IFF you did not see any errors, reboot and enjoy!"

os/encom/default.nix

@@ -10,6 +10,21 @@ in
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
   hardware = {
     # enableAllFirmware = true;
     cpu.intel.updateMicrocode = true;
@@ -22,8 +37,7 @@ in
 
   boot = {
     kernelModules = [ "kvm-intel" ];
-    kernelPackages = pkgs.linuxPackages_latest;
-    supportedFilesystems = [ "btrfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     loader = {
       systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
@@ -32,6 +46,7 @@ in
 
   networking = {
     hostName = HOSTNAME;
+    hostId = "DEADBEEF";
     useDHCP = false;
     networkmanager.enable = true;
     firewall.enable = false;
@@ -42,7 +57,6 @@ in
   i18n.defaultLocale = "en_US.UTF-8";
 
   services = {
-    openssh.enable = true;
     xserver = {
       enable = true;
       dpi = 180;
@@ -67,6 +81,6 @@ in
     mutableUsers = false;
     users.root.hashedPassword= "!"; # < disable password login for root
   };
-  
+
   system.stateVersion = "22.05";
 }

os/filesystems.nix

@@ -1,19 +1,24 @@
 #filesystems.nix
 
-# { config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
 
+  boot.kernelParams = [ "nohibernate" ];
   boot.initrd = {
     availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-    luks.devices."crypt".device = "/dev/disk/by-partlabel/luks";
+    postDeviceCommands = lib.mkAfter ''
+      zfs rollback -r rpool/transient/root@strap
+    '';
+    supportedFilesystems = [ "zfs" ];
   };
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.enableUnstable = true;
 
   fileSystems = {
     "/" = { 
-      device = "/dev/disk/by-id/dm-name-crypt";
-      fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" "noatime" ];
+      device = "rpool/transient/root";
+      fsType = "zfs";
       neededForBoot = true;
     };
     "/boot" = {
@@ -22,26 +27,12 @@
       neededForBoot = true;
     };
     "/home" = {
-      device = "/dev/disk/by-id/dm-name-crypt";
-      fsType = "btrfs";
-      options = [ "subvol=home" "compress=zstd" "noatime" ];
-      neededForBoot = true;
+      device = "rpool/persistent/home";
+      fsType = "zfs";
     };
     "/nix" = {
-      device = "/dev/disk/by-id/dm-name-crypt";
-      fsType = "btrfs";
-      options = [ "subvol=nix" "compress=zstd" "noatime" ];
-    };
-    "/persist" = {
-      device = "/dev/disk/by-id/dm-name-crypt";
-      fsType = "btrfs";
-      options = [ "subvol=persist" "compress=zstd" "noatime" ];
-    };
-    "/var/log" = {
-      device = "/dev/disk/by-id/dm-name-crypt";
-      fsType = "btrfs";
-      options = [ "subvol=log" "compress=zstd" "noatime" ];
-      neededForBoot = true;
+      device = "rpool/transient/nix";
+      fsType = "zfs";
     };
   };
 

user/flynn/secrets/hashedPassword.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 RZrFHQ yaMoC26yl+gZCU+m2tKbm31n1vmj7Yor8xFoNKz3vkw
-rABFvg4MJFVjNX+eWoO5/xP4iN6t0OQJt+VEYmQuOdI
--> ssh-ed25519 KTl/eg yc94cu1SVG0nE/CcNyLCvD05dWrtTijXdbVFOVBxjgc
-T08FwdXPRB3x4MuDTPOZZ/YLhAl3Yv2Ns1S3DWDmrXg
--> 2]?W{-grease xnY B%_
-93SfOkNxSZCHhhQqDzEq0fg99yGITTU
---- RTyE83K6oFJts9FISlftPz2j7DmZIqE7i0Uv7d5fhTA
-���Z��p�gB�/�b�e�3-�aԌ�{v��X�H@-]wx?+ӊ���
-����ٿ�Y�	�Q�/$|!7|�x��g�-��8C��-���'z`�2x��6�Jh�佪��#=�������ž�&�܅��2JՉ�Z0��
+-> ssh-ed25519 7wpMmQ WT0DMmEl8YsJuFynFiLrGWhy7/oc3dguNdZ3j4c0lkY
+/5t/UgeeXNyvQJBA4/wG7DIUwlTm5xoVaEm2hs2V3Os
+-> ssh-ed25519 KTl/eg MLEwD/7aMuExBa3cJdYGIqhXxXX75TJFTKZN4Dmdb2I
+0AVjT22mr+XdFxsOhPlqA5SY5Q6anCbatyZklF0QKog
+-> *-grease z4aAeXn F[NX$
+8HYd5dsaH1Fix8N6GKryWqBP31CkCS6BANDoQNv8BTciJ9QH7GnOyIR8L1oU/P+9
+wL9YHnBTt+E1AJ4KEuuBOCLTGWIu88Q
+--- XqWNy1pvVsgaJwlj45hEalWrSg5JXyS4lBfH8rk4ouU
+Om9�s�{�a
+}𸳍���R�u�)Y���4�	�%��E�)���q]e�q�I>�r�Vpf�! ��k�)/�Fcٶ�FV9`kܟv�6yu�`�"��~e��Jƴ��Iq���|�&�$�ݙE@��M�PF<g

user/flynn/secrets/secrets.nix

@@ -1,7 +1,7 @@
 let
   flynn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ6tWsF5rxxYMnfa1fBSAB5NCTpPSfsvyarRFUGpTwU";
 
-  encom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzqvmMHoKedc6xW6cUwAeSaIy5+JXpKJxOR4AjqD7Fy";
+  encom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLYEOcd1afO/HzRNoxYFQQlDYCTesQhtt01DyMq9l32";
   systems = [ encom ];
 in
 {