81fw-nixos: setup disko, impermanence
This commit is contained in:
parent
48fbc3b8f0
commit
b554b2fbf0
4 changed files with 129 additions and 4 deletions
29
flake.nix
@ -37,9 +37,27 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence = {
url = "github:nix-community/impermanence";
};
};
|
outputs = { self, nixpkgs, berberman, home-manager, hosts, hyprland, lanzaboote, nix-darwin, sops-nix, ... } @ inputs: {
outputs = { self,
nixpkgs,
berberman,
home-manager,
hosts,
hyprland,
lanzaboote,
nix-darwin,
sops-nix,
disko,
impermanence,
... } @ inputs: {
|
# nix-darwin (macOS)
darwinConfigurations = {
@ -67,15 +85,20 @@
modules = [
./nixos # Entrypoint
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific configurations
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
#./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
./users/guanranwang/nixos.nix # User-specific configurations
./flakes/nixos/berberman.nix # Flakes
./flakes/nixos/home-manager.nix
./flakes/nixos/hosts.nix
./flakes/nixos/lanzaboote.nix
./flakes/nixos/sops-nix.nix
./flakes/nixos/impermanence.nix
./flakes/nixos/disko.nix
|
{ networking.hostName = "81fw-nixos"; }
{
_module.args.disks = [ "/dev/nvme0n1" ]; # Disko
networking.hostName = "81fw-nixos";
}
];
};
|
|
|
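Review bot: `_module.args.disks = [ "/dev/nvme0n1" ];` in the second hunk hands disko a kernel-enumerated device name; NVMe names depend on probe order, so if a second NVMe device is ever attached, disko's destructive partitioning could hit the wrong disk. A persistent path such as `/dev/disk/by-id/<nvme-serial-id>` (placeholder, take the real one from the target machine) is the safer choice for anything that formats a drive. The same hunk keeps the old `./machines/nixos/81fw-lenovo-legion-y7000/machine-1` entry as a commented-out line; if its contents have moved into disko.nix, dropping the dead line keeps the module list readable, otherwise a short comment saying why it is disabled would help the next reader. The enclosing `nixosConfigurations` attribute starts before this hunk.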
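--- /dev/null
+++ b/flakes/nixos/disko.nix
@@ -0,0 +1,78 @@
+{ disks ? [ "/dev/vdb" ], inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  disko.devices = {
+    disk = {
+      "one" = {
+        type = "disk";
+        device = builtins.elemAt disks 0;
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "2G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              #size = "100%";
+              end = "-16G";
+              content = {
+                type = "luks";
+                name = "crypted";
+                extraOpenArgs = [ "--allow-discards" ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/secret.key"; # Interactive
+                #settings.keyFile = "/tmp/secret.key";
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  mountpoint = "/btrfs";
+                  subvolumes = {
+                    "/@home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                  };
+                };
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                resumeDevice = true; # resume from hiberation from this device
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "size=2G"
+          "defaults"
+          "mode=755"
+        ];
+      };
+    };
+  };
+}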
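Review bot: `randomEncryption = true;` and `resumeDevice = true;` on the swap partition contradict each other: random encryption sets up the swap device with a fresh throwaway key on every boot, so a hibernation image written there cannot be read back on the next boot, and the comment `# resume from hiberation from this device` (also a typo for "hibernation") promises something this layout cannot deliver. Either drop `randomEncryption` and place swap inside the LUKS container so the hibernation image is protected by the persistent key, or drop `resumeDevice` and note that hibernation is unsupported. Separately, the ESP is mounted with only `"defaults"`; adding `"umask=0077"` to its `mountOptions` keeps the vfat boot partition (kernels, initrds and the lanzaboote-signed images) from being world-readable, which newer NixOS releases warn about at activation time. The `passwordFile = "/tmp/secret.key"` block is disko's install-time convention; it is fine as long as that file is created with restrictive permissions and removed once `disko` has run.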
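--- /dev/null
+++ b/flakes/nixos/impermanence.nix
@@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.impermanence.nixosModules.impermanence ];
+
+  # this folder is where the files will be stored (don't put it in tmpfs)
+  environment.persistence."/nix/persist/system" = {
+    directories = [
+      # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+      #"/etc/NetworkManager/system-connections"
+      "/etc/clash-meta" # clash-meta
+      "/etc/secureboot" # sbctl, lanzaboote, etc
+    ];
+    files = [
+      # NOTE: if you persist /var/log directory, you should persist /etc/machine-id as well
+      # otherwise it will affect disk usage of log service
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+  };
+}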
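Review bot: The comment `# bind mounted from /nix/persist/system/etc/nixos to /etc/nixos` at the top of `directories` describes an entry that is not in the list, so it reads as stale; either add `"/etc/nixos"` or remove the comment. The four ssh host key entries under `files` are only useful once the persisted copies exist, and on the first boot of a fresh install they do not; if impermanence creates an empty placeholder at `/etc/ssh/ssh_host_ed25519_key` before sshd's key generation runs, sshd will reject the empty key — worth confirming, and if so either generate the keys under `/nix/persist/system/etc/ssh/` during installation or point `services.openssh.hostKeys` at the persisted path directly, which is also how this commit points sops-nix at it. With `/` on tmpfs (see the `nodev` entry in flakes/nixos/disko.nix), `/etc/machine-id` is regenerated on every boot unless persisted; the NOTE above the key list only mentions it in connection with `/var/log`, so a sentence stating whether a stable machine-id is wanted on this host would make the intent explicit.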
@ -17,7 +17,8 @@
|
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"clash-config" = {
#mode = "0444"; # readable
|
|
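Review bot: The persist root `/nix/persist/system` is now spelled out literally both in the new `age.sshKeyPaths` value here and in `environment.persistence."/nix/persist/system"` in flakes/nixos/impermanence.nix; a single definition (for example a `let persistRoot = "/nix/persist/system"; in` in a shared module, or an option the other module reads) would keep the two from drifting when the layout changes. Reading the key from the persisted path rather than the bind-mounted `/etc/ssh` path presumably avoids an ordering dependency between sops-nix activation and the impermanence mounts; that reason deserves a one-line comment such as `# read the persisted copy: sops-nix activation may run before the /etc/ssh bind mount exists`. The file header for this section is not visible on the page, the hunk header counts one more added line than is shown, and the enclosing `sops = { … }` attrset continues past the hunk.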