hetzner-dedicated/zfs: Full disk encryption, also change mounts a little

2023-10-13 16:02:35 +02:00 · 2023-10-13 16:02:35 +02:00 · 70acd87eff
parent 108d957923
commit 70acd87eff
1 changed files with 29 additions and 13 deletions
--- a/hosters/hetzner-dedicated/zfs-uefi-nvme-nixos.sh
+++ b/hosters/hetzner-dedicated/zfs-uefi-nvme-nixos.sh
@ -190,32 +190,33 @@ zpool create -O mountpoint=none \
    -f \
    root_pool mirror $DISK1-part3 $DISK2-part3

-# Create the filesystems. This layout is designed so that /home is separate from the root
-# filesystem, as you'll likely want to snapshot it differently for backup purposes. It also
-# makes a "nixos" filesystem underneath the root, to support installing multiple OSes if
-# that's something you choose to do in future.
-zfs create -o mountpoint=legacy root_pool/root
-zfs create -o mountpoint=legacy root_pool/root/nixos
-zfs create -o mountpoint=legacy root_pool/home
+zfs create -o mountpoint=legacy \
+    -o encryption=on \
+    -o keyformat=passphrase \
+    root_pool/encrypted
+zfs create -o mountpoint=legacy root_pool/encrypted/root
 # add 1G of reseved space in case the disk gets full
 # zfs needs space to delete files
 zfs create -o refreservation=1G -o mountpoint=none root_pool/reserved
+
+# all application data goes here. Only backups from this dataset and its
+# children are important
+zfs create -o mountpoint=legacy root_pool/encrypted/data
+
 # this creates a special volume for db data see https://wiki.archlinux.org/index.php/ZFS#Databases
 zfs create -o mountpoint=legacy \
    -o recordsize=8K \
    -o primarycache=metadata \
    -o logbias=throughput \
-    root_pool/postgres
+    root_pool/encrypted/data/postgresql

 # NixOS pre-installation mounts
 #
 # Mount the filesystems manually. The nixos installer will detect these mountpoints
 # and save them to /mnt/nixos/hardware-configuration.nix during the install process.
-mount -t zfs root_pool/root/nixos /mnt
-mkdir /mnt/home
-mount -t zfs root_pool/home /mnt/home
-mkdir -p /mnt/var/lib/postgres
-mount -t zfs root_pool/postgres /mnt/var/lib/postgres
+mount -t zfs root_pool/root /mnt
+mkdir -p /mnt/var/lib/postgresql
+mount -t zfs root_pool/postgresql /mnt/var/lib/postgresql

 # Create a raid mirror for the efi boot
 # see https://docs.hetzner.com/robot/dedicated-server/operating-systems/efi-system-partition/
@ -337,6 +338,21 @@ cat > /mnt/etc/nixos/configuration.nix <<EOF
  };
  boot.supportedFilesystems = [ "zfs" ];

+  # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      # To prevent ssh clients from freaking out because a different host key is used,
+      # a different port for ssh is useful (assuming the same host has also a regular sshd running)
+      port = 2222;
+      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+      authorizedKeys = [ "$SSH_PUB_KEY" ];
+    };
+  };
+
+  boot.initrd.availableKernelModules = [ "igb" ];
+
  networking.hostName = "$MY_HOSTNAME";
  networking.hostId = "$MY_HOSTID";