hetzner-dedicated/zfs: Full disk encryption, also change mounts a little

Akshay Mankar 2023-10-13 16:02:35 +02:00
parent 108d957923
commit 70acd87eff
Signed by: axeman
GPG key ID: CA08F3AB62369B89


@ -190,32 +190,33 @@ zpool create -O mountpoint=none \
-f \ -f \
root_pool mirror $DISK1-part3 $DISK2-part3 root_pool mirror $DISK1-part3 $DISK2-part3
# Create the filesystems. This layout is designed so that /home is separate from the root zfs create -o mountpoint=legacy \
# filesystem, as you'll likely want to snapshot it differently for backup purposes. It also -o encryption=on \
# makes a "nixos" filesystem underneath the root, to support installing multiple OSes if -o keyformat=passphrase \
# that's something you choose to do in future. root_pool/encrypted
zfs create -o mountpoint=legacy root_pool/root zfs create -o mountpoint=legacy root_pool/encrypted/root
zfs create -o mountpoint=legacy root_pool/root/nixos
zfs create -o mountpoint=legacy root_pool/home
# add 1G of reseved space in case the disk gets full # add 1G of reseved space in case the disk gets full
# zfs needs space to delete files # zfs needs space to delete files
zfs create -o refreservation=1G -o mountpoint=none root_pool/reserved zfs create -o refreservation=1G -o mountpoint=none root_pool/reserved
# all application data goes here. Only backups from this dataset and its
# children are important
zfs create -o mountpoint=legacy root_pool/encrypted/data
# this creates a special volume for db data see https://wiki.archlinux.org/index.php/ZFS#Databases # this creates a special volume for db data see https://wiki.archlinux.org/index.php/ZFS#Databases
zfs create -o mountpoint=legacy \ zfs create -o mountpoint=legacy \
-o recordsize=8K \ -o recordsize=8K \
-o primarycache=metadata \ -o primarycache=metadata \
-o logbias=throughput \ -o logbias=throughput \
root_pool/postgres root_pool/encrypted/data/postgresql
# NixOS pre-installation mounts # NixOS pre-installation mounts
# #
# Mount the filesystems manually. The nixos installer will detect these mountpoints # Mount the filesystems manually. The nixos installer will detect these mountpoints
# and save them to /mnt/nixos/hardware-configuration.nix during the install process. # and save them to /mnt/nixos/hardware-configuration.nix during the install process.
mount -t zfs root_pool/root/nixos /mnt mount -t zfs root_pool/root /mnt
mkdir /mnt/home mkdir -p /mnt/var/lib/postgresql
mount -t zfs root_pool/home /mnt/home mount -t zfs root_pool/postgresql /mnt/var/lib/postgresql
mkdir -p /mnt/var/lib/postgres
mount -t zfs root_pool/postgres /mnt/var/lib/postgres
# Create a raid mirror for the efi boot # Create a raid mirror for the efi boot
# see https://docs.hetzner.com/robot/dedicated-server/operating-systems/efi-system-partition/ # see https://docs.hetzner.com/robot/dedicated-server/operating-systems/efi-system-partition/
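Review bot: The pre-installation mounts in this hunk reference datasets that no longer exist once the datasets are moved under `root_pool/encrypted`: the new side mounts `root_pool/root` and `root_pool/postgresql`, while the creates above produce `root_pool/encrypted/root` and `root_pool/encrypted/data/postgresql`. As written the install step stops with a "dataset does not exist" error, and if a plain `root_pool/root` were ever created by hand the system would land on an unencrypted dataset without any warning. Change the two lines to `mount -t zfs root_pool/encrypted/root /mnt` and `mount -t zfs root_pool/encrypted/data/postgresql /mnt/var/lib/postgresql`. A short comment above the `encryption=on` create would also help, e.g. `# keyformat=passphrase prompts for the key here and on every boot (keylocation defaults to prompt); the initrd SSH config below is what makes remote unlock possible` — I believe that is the ZFS default but it is worth confirming against the zfs-create man page before relying on it.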
@ -337,6 +338,21 @@ cat > /mnt/etc/nixos/configuration.nix <<EOF
}; };
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
# From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = [ "$SSH_PUB_KEY" ];
};
};
boot.initrd.availableKernelModules = [ "igb" ];
networking.hostName = "$MY_HOSTNAME"; networking.hostName = "$MY_HOSTNAME";
networking.hostId = "$MY_HOSTID"; networking.hostId = "$MY_HOSTID";