boop is boopstrapped

machines/boop/README.md

@@ -1,3 +1,3 @@
-# `xn--vp9h` (pronounced 🤓)
+# boop
 
 another server for applications and compute and stuff

machines/boop/boot.nix

@@ -1,16 +1,18 @@
 inputs:
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 let constants = import ./constants.nix;
 in {
   boot.loader = {
-    efi.canTouchEfiVariables = true;
+    efi = {
+      efiSysMountPoint = "/boot";
+      canTouchEfiVariables = true;
+    };
 
     grub = {
       enable = true;
       devices = [ "nodev" ];
       efiSupport = true;
-      useOSProber = true;
       # splashImage = ./nerd-emoji.jpg;
     };
   };
@@ -23,17 +25,17 @@ in {
 
   # because we want to be able to decrypt host keys over SSH
   boot.initrd.network = {
-    udhcpc = {
-      enable = true;
-      extraArgs = [ "-i" constants.mgmt_if ];
-    };
+    enable = true;
+    udhcpc.enable = true;
     postCommands = ''
       ip addr
     '';
     ssh = {
       enable = true;
-      port = 2222;
-      hostKeys = [ ./initrd/ssh_host_rsa_key ./initrd/ssh_host_ed25519_key ];
+      hostKeys = [
+        (pkgs.writeText "ssh_host_rsa_key" (builtins.readFile ./initrd/ssh_host_rsa_key))
+        (pkgs.writeText "ssh_host_ed25519_key" (builtins.readFile ./initrd/ssh_host_ed25519_key))
+      ];
       authorizedKeys = inputs.self.lib.sshKeyDatabase.users.astrid;
     };
   };

machines/boop/bootstrap.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+mkdisks() {
+  zpool create rpool mirror /dev/disk/by-id/nvme-eui.6479a7869ad03b89 /dev/disk/by-id/nvme-eui.6479a7869ad04a16
+  zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase rpool/enc
+  zfs set mountpoint=none rpool
+  zfs set compression=on rpool
+  for pool in rpool/enc/var rpool/enc/etc rpool/enc/tmp rpool/enc/home rpool/nix; do
+    zfs create -o mountpoint=legacy $pool
+  done
+  zfs list
+}
+
+mountdisks() {
+  mount -t tmpfs -o size=256M,mode=755 rootfs /mnt
+  mount -t zfs -o x-mount.mkdir rpool/enc/tmp /mnt/tmp
+  mount -t zfs -o x-mount.mkdir rpool/nix /mnt/nix
+  mount -t zfs -o x-mount.mkdir rpool/enc/var /mnt/var
+  mount -t zfs -o x-mount.mkdir rpool/enc/etc /mnt/etc
+  mount -t zfs -o x-mount.mkdir rpool/enc/home /mnt/home
+  mount -o x-mount.mkdir /dev/disk/by-uuid/D30E-26C7 /mnt/boot
+}
+
+runinstall() {
+  nixos-install --no-channel-copy --option substituters "" $@
+}

machines/boop/configuration.nix

@@ -17,6 +17,7 @@ with lib; {
 
   astral = {
     users.alia.enable = true;
+    users.astrid.enable = true;
     virt = {
       docker.enable = true;
       libvirt.enable = true;
@@ -44,4 +45,33 @@ with lib; {
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
   };
+
+  # tmp for debug
+  services.getty.autologinUser = "root";
+
+  virtualisation.vmVariant = {
+    # Autologin as root because we testin here
+    services.getty.autologinUser = "root";
+
+    networking.interfaces.eth0.useDHCP = true;
+    networking.interfaces.eno0.useDHCP = mkForce false;
+
+    virtualisation = {
+      graphics = false;
+      diskSize = 8192;
+
+      forwardPorts = [
+        {
+          from = "host";
+          host.port = 2222;
+          guest.port = 22;
+        }
+        {
+          from = "host";
+          guest.port = 80;
+          host.port = 8080;
+        }
+      ];
+    };
+  };
 }

machines/boop/fs.nix

@@ -4,6 +4,7 @@
   fileSystems."/" = {
     device = "rootfs";
     fsType = "tmpfs";
+    options = [ "defaults" "size=256M" "mode=755" ];
   };
 
   fileSystems."/tmp" = {

machines/boop/initrd/ssh_host_ed25519_key

@@ -1,8 +1,7 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDTxRDob4
-4LmmUE//yPbisVAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGAtSF+Kx47/zdUe
-5/3L06RbULmoEFnJi9Jmd9q2ia5NAAAAoGCPHycy7g8DVslaHrXmhhfwotFW6VnSUn7/pE
-3UQAt5KMxNfWLWXsDNpxQBVJ6sYPesrirlWg2hcAPvt2fFGPLe4tbICKqje2F8cS5enTfr
-S/GcusyaC4/xmD0udZEpFLqx1dvP3VxickCuml28NItZqspwny25htcahpOaE/RZeHLHXZ
-CKzEGBnBHBdwgQUwIwXA67m2IyvjxO3ZmHLoo=
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBC8L/jKIgAm/NtHruBIuj9ByVY0++i31NhVKwVpbKwAAAAAJhKZyfpSmcn
+6QAAAAtzc2gtZWQyNTUxOQAAACBC8L/jKIgAm/NtHruBIuj9ByVY0++i31NhVKwVpbKwAA
+AAAECfEM7PiuGMsWCwdnUVINnm5C5dhmpt6XtjD1d7OJKIqkLwv+MoiACb820eu4Ei6P0H
+JVjT76LfU2FUrBWlsrAAAAAADmFzdHJpZEBjaHVuZ3VzAQIDBAUGBw==
 -----END OPENSSH PRIVATE KEY-----

machines/boop/initrd/ssh_host_ed25519_key.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAtSF+Kx47/zdUe5/3L06RbULmoEFnJi9Jmd9q2ia5N
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELwv+MoiACb820eu4Ei6P0HJVjT76LfU2FUrBWlsrAA

machines/boop/initrd/ssh_host_rsa_key

@@ -1,39 +1,38 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZK3ycH/
-YLIrOsQZ4ioVYWAAAAGAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCQmmjQlsrm
-8RTETENBLzSfJfcxdeTATowvNSbmnHrEot0QX89KrbmfdeKTSP1ppp5CgSHU0ASNLYla23
-xz0HsszZFC3c8JJIH3/BS34f/FLIvfsT2Rn4x2OyWr0xw24n8fqBEca7nt3eyeKfj3oiq+
-pJ6xSMyuiGmywlYubGrFJJe6L/Yey1qgAlGXEOtbe9x3fO1tb1/6cOlYqSM8LeVbO+oWAx
-iWsH68f8HsUo/equ6qk59LgiO5MegYZBHH+IyowW2cgQxe4RA5Hm+hdW7ibxvBAH0uu0NH
-Uw3yi020jZaAKHNWLnapgRM2uaBHFtoGVVPsHALdZ0FVuzLWQOJIN2uE6PRdnwaZtnTxU3
-3IRdcos/bbZbTuq+5sFNhF3rZdwjd3ndAg/BdsDzXVGjppEHWdEd5cZ7zfbr7p7zmK7pO0
-lRRHg6FtSkWqCIakG3gQ+SAGdlVoRQIAmZ3AzwtJCUrQRMLE+dg/oLgI16XtQWOlbOXEgC
-oUNj84iz1CMVEAAAWQ7vCnrJLZ18bXwU57mSx0rEPSap/k27YJGZnw0Es3XainxkuT1VuV
-0INxPuzQ2i/KZRTljrjfx3I+BLMjhNmI1eJ3+rhLv3qJfD7NYRdmtCKSJE97iu4gxAoO4m
-rn3Tmjjqw9FUJV7U7fWMZ5/WCb1kU6ofYVQiqXocOaz421uDRJ32TAzT3NncuqY2r6YYMm
-/HWYbVExM1oluK+O28yrXwO6a1YZIp7NbvxTl+4NdO3JERmPJRt09u1I7+PAgB6HK/E3yF
-kdSOMKL5LAOb02Fpa0Oo8FAbGkRCFKZy7hw/zvdBej2oxF0GvEEAPHrxbhLDu7gSpN4kBg
-EcaOyINDjAhnV1iCSAFIRe9Vf+56Q0geXzusAXnRQpem+Hgr5wv8kr/GFeY2fJ/nn1Yfde
-3RIWAy+fMXEbJ7+RUiwdWNeCXwP3eYdWCOuoD2Vkb2DtZNzwKtatZyZd2rm9O2JUrP4JUg
-tLcw3AAQb9+NskDCB3dq5/dKCZjJobhleigIouy+o6OgQCCQu+Kc7uoNyGoccTDlZFJU0W
-BuPao1JVaEZLq+Pr7IrLp+kir6lqu+LSQZ1bQsfqet6jatS7t5xLkk4ho+uBfp1dkM/gP8
-NLr3dSn5sL2M3JjybgXfPsUULu6Gtc8pUPqhvrG70DcfZv/Qrs7IrKLrazAfQZ6YFVGTCK
-8z6RqQGOVUsuwbz4JbAxAGJAfmNSBIZsXsL/dOofybaiLfvf2OHzNBGGgNr2F8aplKgkbB
-duu21OF6ikymyl4ozVatDwjZ71PNiZbx+qz02RPlj5Bo9lwEQ5YrxAoi8niPIYmV0h7R38
-ch8kTeyJYvuYRpI/H5rutP3PIv1JlLerRRPr3N1tPB3ifvtkM0tTaN6d+4/CNw+hcsfQd1
-aEpKrfkQCjGzzrcnVHItpTscrBUj0MsMKtupOoWbToOmKHulQDiGeY5BIHeIN0DEbeI/z7
-TmLv9PfXUsSqnSp2MB8IkGzizWhPcxG49PlIbvkWaoNcNrqKZgOc5bNJuHtcYtylayZ2yh
-iT4rv5ymlpxFsW6cik39Posfssom6fmF8XDHZ2PdmskPCU6XoAST7ugvES0DIBWb9Te9fU
-EUC2Ds59zrXWQrhYu8Q8KH3F9tRcHbbhFJzJ5VhrR+t2nbADx+wcJw0zT1CXh0DyDFAsCb
-y/WseVeyUn/uOyKNXvaeBysSF3S6o2A5MCjjf5nl0/MY50pjyu5mwyNk0sCKl+yMWTaLFy
-t1l1pK9FZhqFzor8ZIF0RwvA2A1GXV5dk0FAf0W/Io2qPNPU/rz/phYus4kLwjheU7AWAt
-z7b32GLaBB622SZclFX3pWdtD0/NtQD0q9VWVpxDctmani6RAYrSn0S23hk6fEiJ1AblZ7
-FBQC5GwDYBvxycTJyHESQTfMa7N8LLISFDy5JFmbM37orCOAOi4IxWHqtw2RZyDBFIiCBf
-UcyChP2w/8f6o9YgqmsSXvsaXebq4WsSqC7dfWKLZdKA093G4QTtDXNavMWGYwWxpzhZdO
-SFc3AiU6aRNPvJDaQTVkVIcTySwV3cESU+ppEeqcMr6HOajaq8rcZRsyt3HSBUwGgJw7Kx
-avbL5OpGi2lbmkHVgAEjh1mZLLFDqiNi4DmBIOg5ZsEMdclU+FUDPL9F3FrfQsy/MIQXOX
-s1mfXUAZIuGW/PjcGty0JpAhqb9/Wh+F+9VdMXuOxNeLdYc1vheQio8MdjZO9rgUVYFhY4
-0UeRCjAIeb9fR3AXiGTlMvvSyDt/89Tqq5XVEpPpzuHfQLpZRUhsiOCUVaokobIP6n2Caq
-F9NW7QrC35J9NO5j3o4rgcxSdMfX5EBKg+BddIM294jJD1FoWgUXnRsYy9UtRRbtBZeqL1
-ZTCXSCUR9OjKJy1rZW4FnlgKD8Q=
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAqdE8nUiWzBjffn4LrImDiOGVfYa7iFUfXVHu+ca1JVLiusuJJsMO
+FvErIK9xNjq5Das/Nta6TeKSiPrr3zEsO8cbcLbxQO/E2K+spaiTN1y/LwNBBv0fy22vo9
+nsoHFu5IUCdVp2KnpmeAW4xE4IBuEap751XjcLhvN8o6l8xTinuCJJ6MLEPTyaVxM+8Sy2
+eeC093aKeitCQmJxCc+mZ1V1m7fDu3siT4YA1RWQcG9YliDAwghdJ5dkdqmiOFOCxDtLYR
+sx5trWM1XLL0PKIf5Br8z49tYb+tBI9u+Ben6KJUjQoyB711KSaRv+1O4qK1E6lpgjXB/7
+86yWGQZsxK9ZoYzx3ep4o7Ic5cdGAQ6gkgHELEPKbV3zNd+t4ZH0ClQziHdTindFky7kt3
+LgtasfvPfPDBnN9Kz2hKhdRyNpIyseYLM7Olvy4QW/lxT0M5oqeccm38hIivQaVczsyd2t
+fCj/TnebAb6yP280y4P9rSWoHwlscczNW/cN5L51AAAFiEMU7Z1DFO2dAAAAB3NzaC1yc2
+EAAAGBAKnRPJ1IlswY335+C6yJg4jhlX2Gu4hVH11R7vnGtSVS4rrLiSbDDhbxKyCvcTY6
+uQ2rPzbWuk3ikoj6698xLDvHG3C28UDvxNivrKWokzdcvy8DQQb9H8ttr6PZ7KBxbuSFAn
+Vadip6ZngFuMROCAbhGqe+dV43C4bzfKOpfMU4p7giSejCxD08mlcTPvEstnngtPd2inor
+QkJicQnPpmdVdZu3w7t7Ik+GANUVkHBvWJYgwMIIXSeXZHapojhTgsQ7S2EbMeba1jNVyy
+9DyiH+Qa/M+PbWG/rQSPbvgXp+iiVI0KMge9dSkmkb/tTuKitROpaYI1wf+/OslhkGbMSv
+WaGM8d3qeKOyHOXHRgEOoJIBxCxDym1d8zXfreGR9ApUM4h3U4p3RZMu5Ldy4LWrH7z3zw
+wZzfSs9oSoXUcjaSMrHmCzOzpb8uEFv5cU9DOaKnnHJt/ISIr0GlXM7MndrXwo/053mwG+
+sj9vNMuD/a0lqB8JbHHMzVv3DeS+dQAAAAMBAAEAAAGADcPEM4WI6kXmhmobcnf6XZ6CD6
+4w8OXhcx7V4uYh6cK/AQrIH7MLfH2TlC8psI5wUIoochP+qZsrazICQNGgtxRhBjELUMr+
+kYfP0+UG+yOn6tzLKRCxwpCt/iHccHbcA7w/okPbtH6+Y+J8LbabfPSYb1oHSRnnc8q0Ys
+8KqjEjmyUgXjRnVAVfsfOBPxWePDZ5b15ARD3RvZrIHyuh3oS1UegX0/sGTBwzC2fs5h2I
+YzGIHlIvkYAlKF8rTdXVmjz17Y48eIIlWEhSglfyPBUshaPzcINT54uBwje7Eg7KOqKQNe
+/ww0dmqZZ7yyeRo147OubPkkBeycMLRzeX96oEBXhJUnOvUkfrR6coOzES0b07lCaT321o
+Cas83ryQ4FQCk8gbpyjRmStOAQdSWTQWJ+j0EBdY4TPwWawO1Nw5muBa1C5un3cznehOG1
+NmEMmb1LQ0qG4+exypcOEv9TT6V6kyUY1dJdHvbVJqA1IJOBthDQfaicadxSNY1NujAAAA
+wQCHOI+I5PI8OuhlGjj25XZ6JieJh8kwSl9d8W/4NCBlV9tFc9ncnGqlf5b/TpW8VSWha5
+22+iBtLsyvVYstFo/yhaw/kRnh6t0vh0L3fM0AE4gnHV/YSpr84fOMvlABpXTKv/re2Es+
+r+GqpC9QY3MlSHaNLG00eQoKGNwj4Z968FPo2nMR7wL/NyHl1XPPnfxvpm/HgDFpRQWdQQ
+3XO+fWO2j7BavNEz6L8pWLgwxXSWOJuftyEHZGyAr6nOnjJ6oAAADBAOKTj9F8a1lm+Ea1
+3sy7j5piiLY5ynhl1slxSGLJWRCUCNcMNoBqz6qQ1OL3FznMLo6+6KaF8x4TSsHMSQqAj3
+7YKqJZSH+YUzfsVPPNgb/sOhy7gF7zRB5aPOFexelGLsygfPpFj9lpQvG25PWGci4EZ42A
+Bp4V8016hz23HJfSfLBvT3WIJgRutztLUMYicrH/85S2pbX/dFCZHROzxSKHPlCjn4VMH/
+cHjMBAXCOvuNJJcIc6ldOQ5SOS2WNkowAAAMEAv96+NfPU90yQ4tFYdC4p1ozLVjEZu7V6
+FsH7AoP9CSWMtuj9WnOd5k8xSbiqMhUaCAc+TzsSbt7BhnnaPIswSTDPdVoYm0ImSkKRwj
+qrdZNsnIw/UVvtxFrT4DBN63TCfb7hyPZ1z0ew2cr9+4MyLVocNOBJd7zrAOv8Cdcd5Qni
+I23G2Efi9crmmcGpL4GddMyZyMQzSaCoZ6oVrFBLJMIr5XcP9gj/iOygef54YdplN2xA03
+MBr9MMet+oEOoHAAAADmFzdHJpZEBjaHVuZ3VzAQIDBA==
 -----END OPENSSH PRIVATE KEY-----

machines/boop/initrd/ssh_host_rsa_key.pub

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCQmmjQlsrm8RTETENBLzSfJfcxdeTATowvNSbmnHrEot0QX89KrbmfdeKTSP1ppp5CgSHU0ASNLYla23xz0HsszZFC3c8JJIH3/BS34f/FLIvfsT2Rn4x2OyWr0xw24n8fqBEca7nt3eyeKfj3oiq+pJ6xSMyuiGmywlYubGrFJJe6L/Yey1qgAlGXEOtbe9x3fO1tb1/6cOlYqSM8LeVbO+oWAxiWsH68f8HsUo/equ6qk59LgiO5MegYZBHH+IyowW2cgQxe4RA5Hm+hdW7ibxvBAH0uu0NHUw3yi020jZaAKHNWLnapgRM2uaBHFtoGVVPsHALdZ0FVuzLWQOJIN2uE6PRdnwaZtnTxU33IRdcos/bbZbTuq+5sFNhF3rZdwjd3ndAg/BdsDzXVGjppEHWdEd5cZ7zfbr7p7zmK7pO0lRRHg6FtSkWqCIakG3gQ+SAGdlVoRQIAmZ3AzwtJCUrQRMLE+dg/oLgI16XtQWOlbOXEgCoUNj84iz1CMVE=
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCp0TydSJbMGN9+fgusiYOI4ZV9hruIVR9dUe75xrUlUuK6y4kmww4W8Ssgr3E2OrkNqz821rpN4pKI+uvfMSw7xxtwtvFA78TYr6ylqJM3XL8vA0EG/R/Lba+j2eygcW7khQJ1WnYqemZ4BbjETggG4RqnvnVeNwuG83yjqXzFOKe4IknowsQ9PJpXEz7xLLZ54LT3dop6K0JCYnEJz6ZnVXWbt8O7eyJPhgDVFZBwb1iWIMDCCF0nl2R2qaI4U4LEO0thGzHm2tYzVcsvQ8oh/kGvzPj21hv60Ej274F6foolSNCjIHvXUpJpG/7U7iorUTqWmCNcH/vzrJYZBmzEr1mhjPHd6nijshzlx0YBDqCSAcQsQ8ptXfM1363hkfQKVDOId1OKd0WTLuS3cuC1qx+8988MGc30rPaEqF1HI2kjKx5gszs6W/LhBb+XFPQzmip5xybfyEiK9BpVzOzJ3a18KP9Od5sBvrI/bzTLg/2tJagfCWxxzM1b9w3kvnU=

nix/nixos-modules/roles/server.nix

@@ -16,10 +16,10 @@ with lib; {
   boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;
 
   # Enable SSH in initrd for debugging
-  boot.initrd.network.ssh = {
-    enable = true;
-    authorizedKeys = [ inputs.self.lib.sshKeyDatabase.users.astrid ];
-  };
+  # boot.initrd.network.ssh = {
+  #   enable = true;
+  #   authorizedKeys = [ inputs.self.lib.sshKeyDatabase.users.astrid ];
+  # };
 
   astral = {
     acme.enable = true;