feat: idols-ai - add new data disk via disko (#250)

feat: luks automatic unlock via tpm2 chip for all physical hosts
feat: enable login manager
fix: Rename network interface config back following hardware change

hosts/k8s/disko-config/README.md

@@ -1,37 +1,6 @@
 # Disko Config
 
-Generate LUKS keyfile to encrypt the root partition, it's used by disko.
-
-```bash
-# partition the usb stick
-DEV=/dev/sdX
-parted $DEV -- mklabel gpt
-parted $DEV -- mkpart primary 2M 512MB
-parted $DEV -- mkpart primary 512MB 1024MB
-mkfs.fat -F 32 -n NIXOS_DSC ${DEV}1
-mkfs.fat -F 32 -n NIXOS_K3S ${DEV}2
-
-# Generate a keyfile from the true random number generator
-KEYFILE=./kubevirt-luks-keyfile
-dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
-
-# generate token for k3s
-K3S_TOKEN_FILE=./kubevirt-k3s-token
-K3S_TOKEN=$(grep -ao '[A-Za-z0-9]' < /dev/random | head -64 | tr -d '\n' ; echo "")
-echo $K3S_TOKEN > $K3S_TOKEN_FILE
-
-# copy the keyfile and token to the usb stick
-KEYFILE=./kubevirt-luks-keyfile
-DEVICE=/dev/disk/by-label/NIXOS_DSC
-# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
-dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
-
-K3S_TOKEN_FILE=./kubevirt-k3s-token
-USB_PATH=/run/media/ryan/NIXOS_K3S
-cp $K3S_TOKEN_FILE $USB_PATH
-```
-
-### 2. Partition the SSD & install NixOS via disko
+## Partition the SSD & install NixOS via disko
 
 ```bash
 # enter an shell with git/vim/ssh-agent/gnumake available
@@ -41,15 +10,13 @@ git clone https://github.com/ryan4yin/nix-config.git
 
 cd nix-config
 
-# one line
-sudo nix run --experimental-features "nix-command flakes" 'github:nix-community/disko#disko-install' -- \
-  --write-efi-boot-entries --disk main /dev/nvme0n1 --flake .#kubevirt-shoryu
-
-
-# or step by step
 ## 1. partition & format the disk via disko
-sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko hosts/k8s/disko-config/kukubevirt-disko-fs.nix
-## 2. install nixos
+# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode destroy,format,mount hosts/k8s/disko-config/kubevirt-disko-fs.nix
+## 2. setup the automatic unlock via the tpm2 chip
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<encrypted-disk-part-path>
+
+## 3. install nixos
 sudo nixos-install --root /mnt --no-root-password --show-trace --verbose --flake .#kubevirt-shoryu
 
 # enter into the installed system, check password & users
@@ -66,4 +33,6 @@ mv /etc/machine-id /persistent/etc/
 mv /etc/ssh /persistent/etc/
 mkdir -p /persistent/home/ryan
 chown -R ryan:ryan /persistent/home/ryan
+
+# add your k3s token at /persistent/kubevirt-k3s-token
 ```

hosts/k8s/disko-config/kubevirt-disko-fs.nix

@@ -2,13 +2,6 @@
   # required by preservation
   fileSystems."/persistent".neededForBoot = true;
 
-  # contains the k3s's token
-  fileSystems."/run/media/nixos_k3s" = {
-    device = "/dev/disk/by-label/NIXOS_K3S";
-    fsType = "vfat";
-    options = [ "ro" ];
-  };
-
   disko.devices = {
     nodev."/" = {
       fsType = "tmpfs";
@@ -50,11 +43,6 @@
               type = "luks";
               name = "encrypted";
               settings = {
-                keyFile = "/dev/disk/by-label/NIXOS_DSC"; # The keyfile is stored on a USB stick
-                # The maximum size of the keyfile is 8192 KiB
-                # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
-                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
-                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                 # fallbackToPassword = true;
                 allowDiscards = true;
               };

hosts/k8s/kubevirt-shoryu/default.nix

@@ -17,7 +17,7 @@ let
   k3sModule = mylib.genK3sServerModule {
     inherit pkgs;
     kubeconfigFile = "/home/${myvars.username}/.kube/config";
-    tokenFile = "/run/media/nixos_k3s/kubevirt-k3s-token";
+    tokenFile = "/persistent/kubevirt-k3s-token";
     # the first node in the cluster should be the one to initialize the cluster
     clusterInit = true;
     # use my own domain & kube-vip's virtual IP for the API server

hosts/k8s/kubevirt-shushou/default.nix

@@ -16,7 +16,7 @@ let
   k3sModule = mylib.genK3sServerModule {
     inherit pkgs;
     kubeconfigFile = "/home/${myvars.username}/.kube/config";
-    tokenFile = "/run/media/nixos_k3s/kubevirt-k3s-token";
+    tokenFile = "/persistent/kubevirt-k3s-token";
     # use my own domain & kube-vip's virtual IP for the API server
     # so that the API server can always be accessed even if some nodes are down
     masterHost = "kubevirt-cluster-1.writefor.fun";

hosts/k8s/kubevirt-youko/default.nix

@@ -16,7 +16,7 @@ let
   k3sModule = mylib.genK3sServerModule {
     inherit pkgs;
     kubeconfigFile = "/home/${myvars.username}/.kube/config";
-    tokenFile = "/run/media/nixos_k3s/kubevirt-k3s-token";
+    tokenFile = "/persistent/kubevirt-k3s-token";
     # use my own domain & kube-vip's virtual IP for the API server
     # so that the API server can always be accessed even if some nodes are down
     masterHost = "kubevirt-cluster-1.writefor.fun";