diff --git a/docs/site/getting-started/disk-encryption.md b/docs/site/getting-started/disk-encryption.md index 2e8abc5bf..215f89ed3 100644 --- a/docs/site/getting-started/disk-encryption.md +++ b/docs/site/getting-started/disk-encryption.md @@ -49,7 +49,8 @@ Replace `kernelModules` with the ethernet module loaded one on your target machi port = 7172; authorizedKeys = [ "" ]; hostKeys = [ - "/var/lib/initrd-ssh-key" + "/var/lib/initrd_host_ed25519_key" + "/var/lib/initrd_host_rsa_key" ]; }; }; @@ -73,7 +74,7 @@ Before starting the installation process, ensure that the SSH public key is copi ssh-copy-id -o PreferredAuthentications=password -o PubkeyAuthentication=no root@nixos-installer.local ``` -### Step 1.5: Prepare Secret Key and Clear Disk Data +### Step 1.5: Prepare Secret Key and Partition Disks 1. Access the installer using SSH: @@ -90,13 +91,13 @@ nano /tmp/secret.key 3. Discard the old disk partition data: ```bash -blkdiscard /dev/disk/by-id/nvme-eui.002538b931b59865 +blkdiscard /dev/disk/by-id/ ``` -4. Run the `clan` machine installation with the following command: +4. Run `clan` machines install, only running kexec and disko, with the following command: ```bash -clan machines install gchq-local --target-host root@nixos-installer --yes --no-reboot +clan machines install gchq-local --target-host root@nixos-installer --phases kexec,disko ``` ### Step 2: ZFS Pool Import and System Installation @@ -107,14 +108,10 @@ clan machines install gchq-local --target-host root@nixos-installer --yes --no-r ssh root@nixos-installer.local ``` -2. Perform the following commands on the remote installation environment: +2. Run the following command on the remote installation environment: ```bash -zpool import zroot zfs set keylocation=prompt zroot/root -zfs load-key zroot/root -zfs set mountpoint=/mnt zroot/root/nixos -mount /dev/nvme0n1p2 /mnt/boot ``` 3. Disconnect from the SSH session: @@ -123,43 +120,36 @@ mount /dev/nvme0n1p2 /mnt/boot CTRL+D ``` -4. Securely copy your local `initrd_rsa_key` to the installer's `/mnt` directory: +4. Locally generate ssh host keys. You only need to generate ones for the algorithms you're using in `authorizedKeys`. ```bash -scp ~/.ssh/initrd_rsa_key root@nixos-installer.local:/mnt/var/lib/initrd-ssh-key +ssh-keygen -q -N "" -t ed25519 -f ./initrd_host_ed25519_key +ssh-keygen -q -N "" -t rsa -b 4096 -f ./initrd_host_rsa_key ``` -5. SSH back into the installer: +5. Securely copy your local initrd ssh host keys to the installer's `/mnt` directory: ```bash -ssh root@nixos-installer.local +scp ./initrd_host* root@nixos-installer.local:/mnt/var/lib/ ``` -6. Navigate to the `/mnt` directory, enter the `nixos-enter` environment, and then exit: - +6. Install nixos to the mounted partitions ```bash -cd /mnt -nixos-enter -realpath /run/current-system -exit +clan machines install gchq-local --target-host root@nixos-installer --phases install ``` -7. Run the `nixos-install` command with the appropriate system path ``: - -```bash -nixos-install --no-root-passwd --no-channel-copy --root /mnt --system -``` - -8. After the installation process, unmount `/mnt/boot`, change the ZFS mountpoint, and reboot the system: +7. After the installation process, unmount `/mnt/boot`, change the ZFS mountpoints and unmount all the ZFS volumes by exporting the zpool: ```bash umount /mnt/boot cd / -zfs set mountpoint=/ zroot/root/nixos -reboot +zfs set -u mountpoint=/ zroot/root/nixos +zfs set -u mountpoint=/tmp zroot/root/tmp +zfs set -u mountpoint=/home zroot/root/home +zpool export zroot ``` -9. Perform a hard reboot of the machine and remove the USB stick. +8. Perform a reboot of the machine and remove the USB installer. ### Step 3: Accessing the Initial Ramdisk (initrd) Environment diff --git a/pkgs/clan-cli/clan_cli/machines/install.py b/pkgs/clan-cli/clan_cli/machines/install.py index 1f525e8c1..aeed53774 100644 --- a/pkgs/clan-cli/clan_cli/machines/install.py +++ b/pkgs/clan-cli/clan_cli/machines/install.py @@ -32,6 +32,7 @@ class InstallOptions: kexec: str | None = None debug: bool = False no_reboot: bool = False + phases: str | None = None build_on_remote: bool = False nix_options: list[str] = field(default_factory=list) update_hardware_config: HardwareConfig = HardwareConfig.NONE @@ -95,6 +96,9 @@ def install_machine(opts: InstallOptions) -> None: if opts.no_reboot: cmd.append("--no-reboot") + if opts.phases: + cmd += ["--phases", str(opts.phases)] + if opts.update_hardware_config is not HardwareConfig.NONE: cmd.extend( [ @@ -185,6 +189,7 @@ def install_command(args: argparse.Namespace) -> None: machine=machine, target_host=target_host, kexec=args.kexec, + phases=args.phases, debug=args.debug, no_reboot=args.no_reboot, nix_options=args.option, @@ -208,7 +213,7 @@ def register_install_parser(parser: argparse.ArgumentParser) -> None: parser.add_argument( "--no-reboot", action="store_true", - help="do not reboot after installation", + help="do not reboot after installation (deprecated)", default=False, ) parser.add_argument( @@ -237,6 +242,12 @@ def register_install_parser(parser: argparse.ArgumentParser) -> None: choices=[x.value for x in HardwareConfig], ) + parser.add_argument( + "--phases", + type=str, + help="comma separated list of phases to run. Default is: kexec,disko,install,reboot", + ) + machines_parser = parser.add_argument( "machine", type=str,