| 11 Feb 2024 |
 eyJhb | Would it make sense to have a check, that tries to check if there is a key in zpool that is the pool name :) | 12:08:23 |
| eyJhb | * Would it make sense to have a check, that tries to check if there is a key in zpool that is the pool name? | 12:08:25 |
 matthewcroughan | Well it really should check with regexp and throw a trace if it's anything other than rpool | 12:08:59 |
| eyJhb | In reply to @matthewcroughan:defenestrate.it
Hopefully zfs goes away and we get all the features in bcachefs Yeah, I think that's the hope. I haven't tried bcachefs at all. I've just heard k900 talking about it a lot. Or generally been spoken a lot about. | 12:09:02 |
| matthewcroughan | There are probably a lot of cases that need to be caught manually with Nix code, this is one of them | 12:09:24 |
| eyJhb | [root@nixos:~]# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 889M 35.5G 25K /rpool
rpool/local 888M 35.5G 24K /rpool/local
rpool/local/nix 888M 35.5G 888M legacy
rpool/local/stash 24K 35.5G 24K legacy
rpool/root 322K 35.5G 300K legacy
rpool/safe 72K 35.5G 24K /rpool/safe
rpool/safe/home 24K 35.5G 24K legacy
rpool/safe/persistent 24K 35.5G 24K legacy
[root@nixos:~]# df H
df: H: No such file or directory
[root@nixos:~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 192M 0 192M 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 959M 2.8M 957M 1% /run
tmpfs 1.9G 320K 1.9G 1% /run/wrappers
rpool/root 36G 384K 36G 1% /
rpool/local/nix 37G 889M 36G 3% /nix
rpool 36G 128K 36G 1% /rpool
rpool/safe 36G 128K 36G 1% /rpool/safe
rpool/local 36G 128K 36G 1% /rpool/local
rpool/local/stash 36G 128K 36G 1% /state/stash
rpool/safe/home 36G 128K 36G 1% /state/home
/dev/sda2 500M 42M 458M 9% /boot
rpool/safe/persistent 36G 128K 36G 1% /state/root
tmpfs 384M 0 384M 0% /run/user/0
| 12:09:40 |
| eyJhb | Works! Awesome :) | 12:09:43 |
| eyJhb | I should make an issue for it. | 12:10:04 |
| eyJhb | OR even better, a PR for it. | 12:10:11 |
| matthewcroughan | this is equivalent to a typo, it should be possible to express a type in lib that catches this, hard though, I can see why there's no code written to catch this failure | 12:14:21 |
| eyJhb | Wondering, is there any option for copying over the keyFile to the remote host? E.g. using ssh :) | 12:58:56 |
| eyJhb | In reply to @matthewcroughan:defenestrate.it
this is equivalent to a typo, it should be possible to express a type in lib that catches this, hard though, I can see why there's no code written to catch this failure Yeah, that's fair | 12:59:08 |
| matthewcroughan | In reply to @eyjhb:eyjhb.dk
Wondering, is there any option for copying over the keyFile to the remote host? E.g. using ssh :) Why do that when you could bake the secret into the image | 13:59:18 |
| matthewcroughan | In reply to @eyjhb:eyjhb.dk
Wondering, is there any option for copying over the keyFile to the remote host? E.g. using ssh :) * Why do that when you could bake the secret into the disk image | 13:59:29 |
| matthewcroughan | if you're referring to nixos-anywhere, I wonder if they have a postDeploy/preDeploy hook that could be used for this, would be a good idea if not yet implemented | 13:59:54 |
| eyJhb | In reply to @matthewcroughan:defenestrate.it
Why do that when you could bake the secret into the disk image Bake into the disk image? I might be misunderstanding that | 14:22:31 |
| eyJhb | In reply to @matthewcroughan:defenestrate.it
if you're referring to nixos-anywhere, I wonder if they have a postDeploy/preDeploy hook that could be used for this, would be a good idea if not yet implemented True, I need to look into if nixos-anywhere has that option :) Not disko thing yeah :) | 14:23:08 |
| matthewcroughan | Not 100% sure if it's in disko yet, but I remember some feature I was shown where you can put data into a disk image, without it being in the Nix store. | 14:23:08 |
| matthewcroughan | I have an implementation of this which is really simple, and almost equivalent, which just uses a VM to add secrets to an existing disk image by using loopbacks | 14:24:02 |
| matthewcroughan | packages.x86_64-linux.secretImage =
let
secretAdderVm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({ config, ... }:
let
stateDir = config.services.tor.settings.DataDirectory;
in
{
imports = [
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
./tor-config.nix
];
virtualisation.graphics = false;
services.getty.autologinUser = "root";
programs.bash.interactiveShellInit = ''
if [ "$(tty)" = "/dev/ttyS0" ]; then
mkdir /mnt
unzstd ${self.images.pi}/sd-image/*.zst --output-dir-flat /tmp/shared
chmod 700 /tmp/shared/*.img
losetup -P /dev/loop0 /tmp/shared/*.img
mount /dev/loop0p2 /mnt
mkdir -p /mnt/${stateDir}
cp -r ${stateDir}/onion /mnt/${stateDir}/onion
chown -R ${toString config.ids.uids.tor}:${toString config.ids.gids.tor} /mnt/${stateDir}
chmod -R 700 /mnt/${stateDir}
umount /mnt
losetup -d /dev/loop0
for i in ${stateDir}/onion/*; do echo -e "\nOnion Service: $(basename $i) -> $(cat $i/hostname)" >> /tmp/shared/services; done
shutdown now
fi
'';
})
];
};
in
nixpkgs.legacyPackages.x86_64-linux.writeScriptBin "addSecrets"
''
rm nixos.qcow2
export SHARED_DIR=$(mktemp -d)
${secretAdderVm.config.system.build.vm}/bin/run-nixos-vm
cat $SHARED_DIR/services
mv $SHARED_DIR/*.img .
'';
| 14:24:04 |
| matthewcroughan | something like this, for example | 14:24:09 |
| matthewcroughan | this is unrelated to Disko, but it's similar in the concept | 14:24:22 |
| matthewcroughan | * I have an implementation of this which is really simple, and almost equivalent, which just uses a VM to add secrets to an existing disk image by using loopback mounts | 14:24:34 |
| matthewcroughan | TL;DR you make the installer/disk image you're going to boot, stateless in the Nix store, then you make a shell script which boots a VM, mounts this image as a loopback, adds the secret in the dir of your choosing, then shuts down | 14:25:10 |
| matthewcroughan | * TL;DR you make the installer/disk image you're going to boot, stateless in the Nix store, then you make a shell script which boots a VM, mounts this disk image as a loopback, adds the secret in the dir of your choosing, then shuts down | 14:25:17 |
| matthewcroughan | In my example it's nix run .#secretImage which would do all of that | 14:26:31 |
| matthewcroughan | * In my example it's nix run .#secretImage which would do all of that and produce a tarball that isn't in the /nix/store, which contains this secret | 14:26:40 |
| eyJhb | * --extra-files <file...>
files to copy into the new nixos installation
* --disk-encryption-keys <remote_path> <local_path>
copy the contents of the file or pipe in local_path to remote_path in the installer environment,
after kexec but before installation. Can be repeated.
| 18:53:07 |
| eyJhb | It's actually possible and "really" easy with nixos-anywhere it seems. | 18:53:21 |
| 12 Feb 2024 |
 @adam:robins.wtf | has anyone explored allowing for disko to only manage part of a disk? i'm thinking of a dual boot windows system and it would be nice to apply disko for the nixos bits while allowing for explicitly avoiding other partitions | 14:09:57 |
