12 Oct 2024 |
ElvishJerricco | hexa: So, I will say, when things get inexplicably confusing, my first guess is usually that there's a problem with unit ordering. What does your impermanence service look like? | 19:51:32 |
hexa | ok, funny. the machine I posted last doesn't have impermanence 🙂 | 21:31:16 |
hexa | { config, ... }:
{
  boot.loader.systemd-boot.enable = false;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    devices = [ ];
    mirroredBoots = [
      {
        devices = [ "nodev" ];
        path = "/boot/a";
      }
      {
        devices = [ "nodev" ];
        path = "/boot/b";
      }
    ];
    extraConfig = "
      serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
      terminal_input serial
      terminal_output serial
    ";
  };
  age.secrets."initrd-ssh-hostkey".file = ../../agenix/${config.networking.hostName}-initrd-ssh-hostkey.age;
  boot.initrd = {
    kernelModules = [
      "ipv6"
      "8021q"
    ];
    systemd = {
      enable = true;
      network = {
        enable = true;
        netdevs = {
          "20-vlan100" = {
            netdevConfig = {
              Kind = "vlan";
              Name = "vlan100";
              Description = "LAN Access";
            };
            vlanConfig.Id = 100;
          };
        };
        networks = {
          "30-eno2" = {
            matchConfig.Name = "enp38s0";
            networkConfig.LinkLocalAddressing = "no";
            vlan = [
              "vlan100"
            ];
          };
          "40-vlan100" = {
            matchConfig.Name = "vlan100";
            networkConfig = {
              DHCP = "no";
              IPv6AcceptRA = false;
            };
            address = [
              "fd42:23:42:b864::72:2/64"
            ];
            gateway = [
              "fe80::1"
            ];
          };
        };
      };
    };
    network = {
      ssh = {
        enable = true;
        hostKeys = [
          config.age.secrets."initrd-ssh-hostkey".path
        ];
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      };
    };
  };
}
| 21:32:14 |
hexa | this is all the boot.* config for that machine | 21:32:33 |
hexa | except for like hardware-configuration and boot.initrd.luks.devices | 21:32:56 |
hexa | the machine boots from a btrfs root, i think sigh | 21:33:36 |
ElvishJerricco | Yea I can't see anything wrong with that (well, except I'm not sure that agenix thing works exactly how you want but that's clearly unrelated) | 21:35:56 |
ElvishJerricco | (basically agenix decryption has to be happening before the install-bootloader step for you to be getting the secret properly, and I'm not sure whether that happens in that order) | 21:36:42 |
ElvishJerricco | (I'm pretty sure it doesn't because I'm pretty sure the boot loader stuff and therefore the append-initrd-secrets script happens before activation, and activation is when agenix takes effect) | 21:39:13 |
hexa | the agenix secret is decrypted to a volatile location on the host after before activation | 21:49:08 |
hexa | but whatever, it gives me a stable ssh hostkey in the initrd, so it must be working | 21:49:40 |
ElvishJerricco | In reply to @hexa:lossy.network the agenix secret is decrypted to a volatile location on the host after before activation "after before"? Not sure you could have made that more confusing :P | 21:51:05 |
hexa | lol 😄 | 21:51:14 |
ElvishJerricco | I thought it was during activation | 21:51:15 |
hexa | yeah, before activation finishes | 21:51:22 |
hexa | so before services that need it are started/restarted | 21:51:40 |
ElvishJerricco | yea so probably the reason it works is because you've already got the secret from the previous configuration when you run nixos-rebuild or your equivalent | 21:51:44 |
ElvishJerricco | which basically means your initrds are getting last gen's secret | 21:52:04 |
ElvishJerricco | which is bad in the event of rotation | 21:52:09 |
hexa | possibly | 21:52:18 |
hexa | but very much a sidequest right now 😛 | 21:52:32 |
ElvishJerricco | Indeed! | 21:52:43 |
ElvishJerricco | yea I'm at a loss as to what's causing those confusions on your system | 21:52:56 |
ElvishJerricco | Does the system completely fail to boot? | 21:53:02 |
hexa | no, it boots just fine | 21:53:09 |
ElvishJerricco | or are you able to mess with it to get it to boot? | 21:53:12 |
ElvishJerricco | oh | 21:53:17 |
hexa | it just spews those messages | 21:53:17 |
hexa | which is completely nonsense 😄 | 21:53:24 |
ElvishJerricco | right that's extremely confusing | 21:53:31 |