81fw-nixos: setup disko, impermanence

flake.nix

@@ -37,9 +37,27 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
   };
 
-  outputs = { self, nixpkgs, berberman, home-manager, hosts, hyprland, lanzaboote, nix-darwin, sops-nix, ... } @ inputs: {
+  outputs = { self,
+              nixpkgs,
+              berberman,
+              home-manager,
+              hosts,
+              hyprland,
+              lanzaboote,
+              nix-darwin,
+              sops-nix,
+              disko,
+              impermanence,
+              ... } @ inputs: {
 
     # nix-darwin (macOS)
     darwinConfigurations = {
@@ -67,15 +85,20 @@
         modules = [
           ./nixos                                             # Entrypoint
           ./machines/nixos/81fw-lenovo-legion-y7000           # Hardware-specific configurations
-          ./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
+          #./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
           ./users/guanranwang/nixos.nix                       # User-specific configurations
           ./flakes/nixos/berberman.nix                        # Flakes
           ./flakes/nixos/home-manager.nix
           ./flakes/nixos/hosts.nix
           ./flakes/nixos/lanzaboote.nix
           ./flakes/nixos/sops-nix.nix
+          ./flakes/nixos/impermanence.nix
+          ./flakes/nixos/disko.nix
 
-          { networking.hostName = "81fw-nixos"; }
+          {
+            _module.args.disks = [ "/dev/nvme0n1" ]; # Disko
+            networking.hostName = "81fw-nixos";
+          }
         ];
       };
 

flakes/nixos/disko.nix

@@ -0,0 +1,78 @@
+{ disks ? [ "/dev/vdb" ], inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  disko.devices = {
+    disk = {
+      "one" = {
+        type = "disk";
+        device = builtins.elemAt disks 0;
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "2G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              #size = "100%";
+              end = "-16G";
+              content = {
+                type = "luks";
+                name = "crypted";
+                extraOpenArgs = [ "--allow-discards" ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/secret.key"; # Interactive
+                #settings.keyFile = "/tmp/secret.key";
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  mountpoint = "/btrfs";
+                  subvolumes = {
+                    "/@home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                  };
+                };
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                resumeDevice = true; # resume from hiberation from this device
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "size=2G"
+          "defaults"
+          "mode=755"
+        ];
+      };
+    };
+  };
+}

flakes/nixos/impermanence.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.impermanence.nixosModules.impermanence ];
+
+  # this folder is where the files will be stored (don't put it in tmpfs)
+  environment.persistence."/nix/persist/system" = {
+    directories = [
+      # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+      #"/etc/NetworkManager/system-connections"
+      "/etc/clash-meta" # clash-meta
+      "/etc/secureboot" # sbctl, lanzaboote, etc
+    ];
+    files = [
+      # NOTE: if you persist /var/log directory, you should persist /etc/machine-id as well
+      # otherwise it will affect disk usage of log service
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+  };
+}

users/guanranwang/nixos.nix

@@ -17,7 +17,8 @@
 
   sops = {
     defaultSopsFile = ./secrets/secrets.yaml;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+    gnupg.sshKeyPaths = [];
     secrets = {
       "clash-config" = {
         #mode = "0444"; # readable