From b554b2fbf05af0950cdc2cc3517721d54c48a2f8 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Thu, 12 Oct 2023 22:21:14 +0800
Subject: [PATCH] 81fw-nixos: setup disko, impermanence
---
flake.nix | 29 +++++++++++--
flakes/nixos/disko.nix | 78 +++++++++++++++++++++++++++++++++++
flakes/nixos/impermanence.nix | 23 +++++++++++
users/guanranwang/nixos.nix | 3 +-
4 files changed, 129 insertions(+), 4 deletions(-)
create mode 100644 flakes/nixos/disko.nix
create mode 100644 flakes/nixos/impermanence.nix
diff --git a/flake.nix b/flake.nix
index 51c0b5c..64abd0a 100755
--- a/flake.nix
+++ b/flake.nix
@@ -37,9 +37,27 @@
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ };
 };
- outputs = { self, nixpkgs, berberman, home-manager, hosts, hyprland, lanzaboote, nix-darwin, sops-nix, ... } @ inputs: {
+ outputs = { self,
+ nixpkgs,
+ berberman,
+ home-manager,
+ hosts,
+ hyprland,
+ lanzaboote,
+ nix-darwin,
+ sops-nix,
+ disko,
+ impermanence,
+ ... } @ inputs: {
 # nix-darwin (macOS)
 darwinConfigurations = {
@@ -67,15 +85,20 @@
 modules = [
 ./nixos # Entrypoint
 ./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific configurations
- ./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
+ #./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
 ./users/guanranwang/nixos.nix # User-specific configurations
 ./flakes/nixos/berberman.nix # Flakes
 ./flakes/nixos/home-manager.nix
 ./flakes/nixos/hosts.nix
 ./flakes/nixos/lanzaboote.nix
 ./flakes/nixos/sops-nix.nix
+ ./flakes/nixos/impermanence.nix
+ ./flakes/nixos/disko.nix
- { networking.hostName = "81fw-nixos"; }
+ {
+ _module.args.disks = [ "/dev/nvme0n1" ]; # Disko
+ networking.hostName = "81fw-nixos";
+ }
 ];
 };
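Review bot: `_module.args.disks = [ "/dev/nvme0n1" ];` hands disko a kernel-enumerated device name, and disko's job is to repartition and format whatever that name points at, so a different enumeration order on install day (a second NVMe, a USB stick left plugged in) means the wrong disk gets wiped. Prefer a stable path such as `/dev/disk/by-id/nvme-<model>_<serial>` here; disko.nix's `device = builtins.elemAt disks 0` resolves it the same way. The machine-specific module is only commented out rather than removed or replaced, so whatever it configured for this host (presumably the old filesystem layout) is silently dropped — either delete the line or state why it is disabled, e.g. `# machine-1 disabled: disk layout now comes from ./flakes/nixos/disko.nix`.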
diff --git a/flakes/nixos/disko.nix b/flakes/nixos/disko.nix
new file mode 100644
index 0000000..452c8af
--- /dev/null
+++ b/flakes/nixos/disko.nix
@@ -0,0 +1,78 @@
+{ disks ? [ "/dev/vdb" ], inputs, ... }:
+
+{
+ imports = [ inputs.disko.nixosModules.disko ];
+
+ disko.devices = {
+ disk = {
+ "one" = {
+ type = "disk";
+ device = builtins.elemAt disks 0;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ #size = "100%";
+ end = "-16G";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ "--allow-discards" ];
+ # if you want to use the key for interactive login be sure there is no trailing newline
+ # for example use `echo -n "password" > /tmp/secret.key`
+ passwordFile = "/tmp/secret.key"; # Interactive
+ #settings.keyFile = "/tmp/secret.key";
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ mountpoint = "/btrfs";
+ subvolumes = {
+ "/@home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ };
+ };
+ };
+ };
+ swap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ resumeDevice = true; # resume from hiberation from this device
+ };
+ };
+ };
+ };
+ };
+ };
+ nodev = {
+ "/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=2G"
+ "defaults"
+ "mode=755"
+ ];
+ };
+ };
+ };
+}
diff --git a/flakes/nixos/impermanence.nix b/flakes/nixos/impermanence.nix
new file mode 100644
index 0000000..56b85ba
--- /dev/null
+++ b/flakes/nixos/impermanence.nix
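Review bot: `passwordFile = "/tmp/secret.key"` leaves the LUKS passphrase as plaintext in a shared, world-readable directory on the installer for the whole run, and if the `echo -n "password" > /tmp/secret.key` from the comment above is followed literally the file is typically created 0644 under the default umask. The comment should carry the handling instructions too: `# create with (umask 077; echo -n "password" > /tmp/secret.key) and shred -u it once disko has finished`. Separately, `randomEncryption = true` on the swap partition (which disko passes through to NixOS's `swapDevices.*.randomEncryption`, as far as I can tell) draws a fresh key every boot, so a hibernation image written there can never be read back and the NixOS option description itself warns against hibernating with it enabled — `resumeDevice = true` on the same device is therefore contradictory, and one of the two should go (hibernation needs the swap inside the LUKS container or a persistent key). `--allow-discards` is a deliberate tradeoff that leaks which blocks of the container are unused; a one-line comment saying so, e.g. `# TRIM passthrough: leaks free-space layout through the LUKS layer, accepted for SSD longevity`, tells the next reader it was chosen knowingly.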
@@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+ imports = [ inputs.impermanence.nixosModules.impermanence ];
+
+ # this folder is where the files will be stored (don't put it in tmpfs)
+ environment.persistence."/nix/persist/system" = {
+ directories = [
+ # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+ #"/etc/NetworkManager/system-connections"
+ "/etc/clash-meta" # clash-meta
+ "/etc/secureboot" # sbctl, lanzaboote, etc
+ ];
+ files = [
+ # NOTE: if you persist /var/log directory, you should persist /etc/machine-id as well
+ # otherwise it will affect disk usage of log service
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/users/guanranwang/nixos.nix b/users/guanranwang/nixos.nix
index 89c545c..1671cf8 100644
--- a/users/guanranwang/nixos.nix
+++ b/users/guanranwang/nixos.nix
@@ -17,7 +17,8 @@
 sops = {
 defaultSopsFile = ./secrets/secrets.yaml;
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [];
 secrets = {
 "clash-config" = {
 #mode = "0444"; # readable
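Review bot: `"/etc/secureboot"` persists the sbctl signing keys that lanzaboote uses, but as a bare string entry impermanence creates the backing directory under /nix/persist/system with its default ownership and mode (0755 root:root, if I remember the module correctly), so the private keys' confidentiality rests entirely on whatever per-file modes sbctl happened to set. Make the intent explicit with the attribute-set form, `{ directory = "/etc/secureboot"; mode = "0700"; }`, and consider the same for `/etc/clash-meta` if the clash config carries credentials (the sops secret named `clash-config` in users/guanranwang/nixos.nix suggests it does). One thing to verify on a fresh install: persisting the host keys as `files` means impermanence bind-mounts a placeholder into /etc/ssh before sshd's preStart runs, and sshd only generates keys for paths that do not yet exist — if that placeholder is created empty, sshd will fail to load the key, and pointing `services.openssh.hostKeys` at the persisted path instead sidesteps the ordering question. The `# bind mounted from /nix/persist/system/etc/nixos to /etc/nixos` comment describes an entry that is not in the list; drop it or reword it to describe the directories that follow.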