feat: add configs for kubevirt-lab-1
@@ -4,15 +4,16 @@ Generate LUKS keyfile to encrypt the root partition, it's used by disko.
|
||||
|
||||
```bash
|
||||
# partition the usb stick
|
||||
parted /dev/sdb -- mklabel gpt
|
||||
parted /dev/sdb -- mkpart primary 2M 512MB
|
||||
parted /dev/sdb -- mkpart primary 512MB 1024MB
|
||||
mkfs.fat -F 32 -n NIXOS_DSC /dev/sdb1
|
||||
mkfs.fat -F 32 -n NIXOS_K3S /dev/sdb2
|
||||
DEV=/dev/sdX
|
||||
parted $DEV -- mklabel gpt
|
||||
parted $DEV -- mkpart primary 2M 512MB
|
||||
parted $DEV -- mkpart primary 512MB 1024MB
|
||||
mkfs.fat -F 32 -n NIXOS_DSC ${DEV}1
|
||||
mkfs.fat -F 32 -n NIXOS_K3S ${DEV}2
|
||||
|
||||
# Generate a keyfile from the true random number generator
|
||||
KEYFILE=./kubevirt-luks-keyfile
|
||||
dd bs=8192 count=4 iflag=fullblock if=/dev/random of=$KEYFILE
|
||||
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
|
||||
|
||||
# generate token for k3s
|
||||
K3S_TOKEN_FILE=./kubevirt-k3s-token
|
||||
@@ -20,12 +21,25 @@ K3S_TOKEN=$(grep -ao '[A-Za-z0-9]' < /dev/random | head -64 | tr -d '\n' ; echo
|
||||
echo $K3S_TOKEN > $K3S_TOKEN_FILE
|
||||
|
||||
# copy the keyfile and token to the usb stick
|
||||
|
||||
KEYFILE=./kubevirt-luks-keyfile
|
||||
DEVICE=/dev/disk/by-label/NIXOS_DSC
|
||||
dd bs=8192 count=4 iflag=fullblock if=$KEYFILE of=$DEVICE
|
||||
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
|
||||
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
|
||||
|
||||
K3S_TOKEN_FILE=./kubevirt-k3s-token
|
||||
USB_PATH=/run/media/ryan/NIXOS_K3S
|
||||
cp $K3S_TOKEN_FILE $USB_PATH
|
||||
```
|
||||
|
||||
### 2. Partition the SSD & install NixOS via disko
|
||||
|
||||
```bash
|
||||
# enter an shell with git/vim/ssh-agent/gnumake available
|
||||
nix-shell -p git vim gnumake
|
||||
# clone this repository
|
||||
git clone https://github.com/ryan4yin/nix-config.git
|
||||
|
||||
cd nix-config
|
||||
sudo nix run --experimental-features "nix-command flakes" 'github:nix-community/disko#disko-install' -- \
|
||||
--write-efi-boot-entries --flake .#kubevirt-shoryu --disk main /dev/nvme0n1
|
||||
```
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
{
|
||||
# required by impermanence
|
||||
fileSystems."/persistent".neededForBoot = true;
|
||||
|
||||
# contains the k3s's token
|
||||
fileSystems."/run/media/nixos_k3s" = {
|
||||
device = "/dev/disk/by-label/NIXOS_K3S";
|
||||
@@ -7,90 +10,92 @@
|
||||
};
|
||||
|
||||
disko.devices = {
|
||||
disk = {
|
||||
sda = {
|
||||
type = "disk";
|
||||
device = "/dev/nvme0n1";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
# The EFI & Boot partition
|
||||
ESP = {
|
||||
size = "630M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot/efi";
|
||||
mountOptions = [
|
||||
"defaults"
|
||||
];
|
||||
};
|
||||
nodev."/" = {
|
||||
fsType = "tmpfs";
|
||||
mountOptions = [
|
||||
"size=4G"
|
||||
"defaults"
|
||||
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
|
||||
# relatime: Update inode access times relative to modify or change time.
|
||||
"mode=755"
|
||||
];
|
||||
};
|
||||
|
||||
disk.main = {
|
||||
type = "disk";
|
||||
# When using disko-install, we will overwrite this value from the commandline
|
||||
device = "/dev/nvme0n1"; # The device to partition
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
# The EFI & Boot partition
|
||||
ESP = {
|
||||
size = "630M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = [
|
||||
"defaults"
|
||||
];
|
||||
};
|
||||
# The root partition
|
||||
luks = {
|
||||
size = "100%";
|
||||
};
|
||||
# The root partition
|
||||
luks = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "encrypted";
|
||||
settings = {
|
||||
keyFile = "/dev/disk/by-label/NIXOS_DSC"; # The keyfile is stored on a USB stick
|
||||
# The maximum size of the keyfile is 8192 bytes
|
||||
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
|
||||
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
|
||||
fallbackToPassword = true;
|
||||
allowDiscards = true;
|
||||
};
|
||||
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
|
||||
initrdUnlock = true;
|
||||
|
||||
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
|
||||
# cryptsetup luksFormat
|
||||
extraFormatArgs = [
|
||||
"--type luks2"
|
||||
"--cipher aes-xts-plain64"
|
||||
"--hash sha512"
|
||||
"--iter-time 5000"
|
||||
"--key-size 256"
|
||||
"--pbkdf argon2id"
|
||||
# use true random data from /dev/random, will block until enough entropy is available
|
||||
"--use-random"
|
||||
];
|
||||
extraOpenArgs = [
|
||||
"--timeout 10"
|
||||
];
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "crypted";
|
||||
settings = {
|
||||
keyFile = "/dev/disk/by-label/NIXOS_DSC"; # The keyfile is stored on a USB stick
|
||||
keyFileSize = 8192 * 4; # The maxium size of the keyfile is 8192 bytes
|
||||
keyFileOffset = 0;
|
||||
fallbackToPassword = true;
|
||||
allowDiscards = true;
|
||||
};
|
||||
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
|
||||
initrdUnlock = true;
|
||||
|
||||
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
|
||||
# cryptsetup luksFormat
|
||||
extraFormatArgs = [
|
||||
"--type luks2"
|
||||
"--cipher aes-xts-plain64"
|
||||
"--hash sha512"
|
||||
"--iter-time 5000"
|
||||
"--key-size 256"
|
||||
"--pbkdf argon2id"
|
||||
# use true random data from /dev/random, will block until enough entropy is available
|
||||
"--use-random"
|
||||
];
|
||||
extraOpenArgs = [
|
||||
"--timeout 10"
|
||||
];
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = ["-f"];
|
||||
subvolumes = {
|
||||
"@root" = {
|
||||
mountpoint = "/";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@home" = {
|
||||
mountpoint = "/home";
|
||||
mountOptions = ["compress-force=zstd:1"];
|
||||
};
|
||||
"@lib" = {
|
||||
mountpoint = "/var/lib";
|
||||
mountOptions = ["compress-force=zstd:1"];
|
||||
};
|
||||
|
||||
"@nix" = {
|
||||
mountpoint = "/nix";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@tmp" = {
|
||||
mountpoint = "/tmp";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@snapshots" = {
|
||||
mountpoint = "/snapshots";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@swap" = {
|
||||
mountpoint = "/swap";
|
||||
swap.swapfile.size = "8192M";
|
||||
};
|
||||
type = "btrfs";
|
||||
extraArgs = ["-f"];
|
||||
subvolumes = {
|
||||
"@nix" = {
|
||||
mountpoint = "/nix";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@persistent" = {
|
||||
mountpoint = "/persistent";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@tmp" = {
|
||||
mountpoint = "/tmp";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@snapshots" = {
|
||||
mountpoint = "/snapshots";
|
||||
mountOptions = ["compress-force=zstd:1" "noatime"];
|
||||
};
|
||||
"@swap" = {
|
||||
mountpoint = "/swap";
|
||||
swap.swapfile.size = "16384M";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
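Review bot: In the `luks` partition's `extraFormatArgs`, `"--key-size 256"` combined with `"--cipher aes-xts-plain64"` gives AES-128, because XTS splits the supplied key into two halves; if AES-256 is intended the line should read `"--key-size 512"`. The comment `# The maximum size of the keyfile is 8192 bytes` sits directly above `keyFileSize = 512 * 64` (32768 bytes) and contradicts it; cryptsetup's default limit is 8192 KiB as far as I know, so I would reword it to `# cryptsetup's default keyfile size limit is 8192 KiB`. The `keyFileOffset` comment says `bs * skip`, while the README's `dd` command uses `seek=128`, so `# match the bs * seek of the dd command` is the accurate wording. `allowDiscards = true` deserves a comment such as `# TRIM passes through dm-crypt and reveals which blocks are unused`, so the trade-off is a recorded decision. The enclosing attribute set is not closed within the hunk.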