add initrd-ssh for debugging boot issues

2024-07-11 23:15:55 +02:00 · 2024-07-11 23:15:55 +02:00 · 50d5ccf733
commit 50d5ccf733
parent 8f4c02bed9
5 changed files with 33 additions and 3 deletions
--- a/devdoc/hosts.md
+++ b/devdoc/hosts.md
@ -98,6 +98,12 @@ $ curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-
 $ /root/kexec/run
 ```

+## Fix up broken installations with disko-install
+
+```
+nix run github:nix-community/disko#disko-install -- --mode mount --flake github:nix-community/infra/initrd-ssh#build02 --disk nvme0n1 /dev/nvme1n1 --disk nvme1n1 /dev/nvme0n1
+```
+
 ### Debug VM

 You can start a vm from the rescue system in order to debug the boot:
--- a/flake.nix
+++ b/flake.nix
@ -161,6 +161,7 @@
          github-org-backup = ./modules/nixos/github-org-backup.nix;
          hercules-ci = ./modules/nixos/hercules-ci.nix;
          hydra = ./modules/nixos/hydra.nix;
+          initrd-ssh = ./modules/nixos/initrd-ssh.nix;
          monitoring = ./modules/nixos/monitoring;
          nur-update = ./modules/nixos/nur-update.nix;
          remote-builder = ./modules/nixos/remote-builder.nix;
--- a/hosts/build02/configuration.nix
+++ b/hosts/build02/configuration.nix
@ -9,6 +9,7 @@
    inputs.self.nixosModules.common
    inputs.self.nixosModules.builder
    inputs.self.nixosModules.disko-zfs
+    inputs.self.nixosModules.initrd-ssh
  ];

  nixCommunity.gc.gbFree = 500;
--- a/modules/nixos/initrd-ssh.nix
+++ b/modules/nixos/initrd-ssh.nix
@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  admins = builtins.filter (user: builtins.elem "wheel" user.extraGroups) (builtins.attrValues config.users.users);
+in
+{
+  boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
+
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 2222;
+      # fixme, how can we provide this file on the first installation?
+      hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    };
+  };
+  boot.initrd.kernelModules = [ "igb" ]; # fixme, this depends on the kernel version
+  boot.initrd.network.ssh.authorizedKeyFiles = builtins.concatMap (user: user.openssh.authorizedKeys.keyFiles) admins;
+
+  boot.initrd.systemd.emergencyAccess = "$6$he2fblfl/H7I.kvz$WbSCMXu8ztmqfj5jG4czqvu/rkMHxufxqHgy1urzXFSN.jZB4QiW5lOjR08vk8pZTyim3TT1wFkMaNE9zZ3sc1";
+}
--- a/secrets.yaml
+++ b/secrets.yaml
@ -7,6 +7,7 @@ accounts:
      totpsecret: ENC[AES256_GCM,data:75Til5U49fkBCYxzqDa33w==,iv:rataIY24/u0ldHid4PnfJyh1E6P8U9OUYszsk/tfMw4=,tag:dWeqIxcO7ASnAZiVbKLiLw==,type:str]
    - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
      totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
+emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
 ssh_host_ed25519_key:
    build01: ENC[AES256_GCM,data:5rG0+Iw8uVKXTrT5A/uvbz9MJZHPyTBPKIxSbMIgvwEVHDsCENDihxL5C00PisZ4dgMIW1WQIvD3zLtJ5RxedY832K9dwO36lWH2uHZW96qlObnTqMpi0vtsZQ1FQVUtNWPj146uz7QyasisFu6CFFMBBbx6y5ZAipfJ+bsth7YliCMPL+1bM84b8a40m3k9gI4xpYH9txrq1+yvTLau25rNsmAq4oHDGKEZqRoN2WflBZLP0DL3zQ/8uPODUjOmyFpKnbDeKsDQ3RuFcPaLZOGEBruayYldxiv215pdFgw72TbvtLXc726y7bUTOvsOiLfVMdfiXZCRPzVbjGB+NLtiyz9hlCa5WdJrQmLceqC/v5zy1TbV0azlZCDNopw1yznLn8fPA8KIYJUGw+PkdKPDFKRn+F78+5QG4wpYFK9qZ/vaukvpuZrUdboFIU/qFdjplrGhniYfbh7enIGhnd2Y+qLC92IG0SQPVpI2fQNx7h3MD2V9w2spk8hZ4QGWsA4JU0fJ9mKY4w6eElGLggzT15vuCrrJx4zbThSfyVYHmlE=,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
    build02: ENC[AES256_GCM,data:kwc1rs7xbKod7+vV9yDNqAZMmTqencDe6LTMqxihNLuvGny1atjJ/4cf2vnWEyPar4AvqLtawbIexowbpgyzIiJBKskw0voUgUan0TMH7dsjeZtcdnBSsGWDlcBSjq8bK+yfNMWxwaq7FB9eTJkhN41UhQwqXIVpitEJg0LQcz7+BeQnYhCMnMOc+AG78zIZK+lbzAikejFJUV1A0/kmEl9VirBTpGqxhsiPUSCpAq9c3mE16f31YF9bUn9Dr/4gLW42xxbt/+6psDstKlKgfldzC+izCCCfL1qKcKz7RtyLX37O1MkQqLWvC5I5XRt81tKPOgmtjtGSM0iYmx9zy6FKGJlWqHGNb5K+g1NugWuKMzkBQNoWIypS/yHUY9R3eLa6JJM+tfE/Hvw4Q6/4HGBePMauULd/sgTC8D6o+6023a9ZdC6vdwAWzgWzhbG8uN8vjRR9JKy8/tzgzWJsR4PvPFw9ka0HbRMjigmMxZ817Z6iB2BcO2xmJvD5hP2YpPKCNLQzUznq0vh1s91C,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
@ -112,8 +113,8 @@ sops:
            MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
            oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-30T03:24:53Z"
-    mac: ENC[AES256_GCM,data:xgdZ5C8rKGs8pzZu/JTAb7retiWaPC5+TSGSHC3VoJGjyaZWXYZOScRMmWTuhWcHvQzpOIWXCvj2v9bgVMNBzCc6aevIzvksKwgp+r6LAU0WW6gJEeJfl7+7jyEE/0WJA3pN9vKJqoUSsgHI/tgjn2pvTL9wPZgl5t1cf2KU3/g=,iv:RGluZNlFItQGlz1p0Fout1qnU9ZIVOdNtMkREftLQUw=,tag:KJ4jCJCEtb2eho+83dfIbA==,type:str]
+    lastmodified: "2024-07-11T21:42:16Z"
+    mac: ENC[AES256_GCM,data:CU9X65g+Zv35lHOGBLKheTtHgcV90w2T3m5a+ReStIpe/nmc6QUa3rMnqb1ES0jq6Il9WW8zdmRZk4Dg5vAKs1QfI1xrJKw2gkEH7uo5yQlagbPZBh8+yXcbNjwWkUaPy8Xp2N/ptujq1sAQuAJvicegIbGxyO1BpjapxSZ+o4w=,iv:xa+YQlRZzH2U3Im0c460ZneO7+SW/8iu5VZgGyswXY8=,tag:4lvMdHYojeGxEx3h8HRimQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0