81fw-nixos: setup disko, impermanence

2023-10-12 22:21:14 +08:00 · 2023-10-12 22:21:14 +08:00 · b554b2fbf0
commit b554b2fbf0
parent 48fbc3b8f0
4 changed files with 129 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -37,9 +37,27 @@
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
  };

-  outputs = { self, nixpkgs, berberman, home-manager, hosts, hyprland, lanzaboote, nix-darwin, sops-nix, ... } @ inputs: {
+  outputs = { self,
+              nixpkgs,
+              berberman,
+              home-manager,
+              hosts,
+              hyprland,
+              lanzaboote,
+              nix-darwin,
+              sops-nix,
+              disko,
+              impermanence,
+              ... } @ inputs: {

    # nix-darwin (macOS)
    darwinConfigurations = {
@ -67,15 +85,20 @@
        modules = [
          ./nixos                                             # Entrypoint
          ./machines/nixos/81fw-lenovo-legion-y7000           # Hardware-specific configurations
-          ./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
+          #./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
          ./users/guanranwang/nixos.nix                       # User-specific configurations
          ./flakes/nixos/berberman.nix                        # Flakes
          ./flakes/nixos/home-manager.nix
          ./flakes/nixos/hosts.nix
          ./flakes/nixos/lanzaboote.nix
          ./flakes/nixos/sops-nix.nix
+          ./flakes/nixos/impermanence.nix
+          ./flakes/nixos/disko.nix

-          { networking.hostName = "81fw-nixos"; }
+          {
+            _module.args.disks = [ "/dev/nvme0n1" ]; # Disko
+            networking.hostName = "81fw-nixos";
+          }
        ];
      };

--- a/flakes/nixos/disko.nix
+++ b/flakes/nixos/disko.nix
@ -0,0 +1,78 @@
+{ disks ? [ "/dev/vdb" ], inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  disko.devices = {
+    disk = {
+      "one" = {
+        type = "disk";
+        device = builtins.elemAt disks 0;
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "2G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              #size = "100%";
+              end = "-16G";
+              content = {
+                type = "luks";
+                name = "crypted";
+                extraOpenArgs = [ "--allow-discards" ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/secret.key"; # Interactive
+                #settings.keyFile = "/tmp/secret.key";
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  mountpoint = "/btrfs";
+                  subvolumes = {
+                    "/@home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                  };
+                };
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                resumeDevice = true; # resume from hiberation from this device
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "size=2G"
+          "defaults"
+          "mode=755"
+        ];
+      };
+    };
+  };
+}
--- a/flakes/nixos/impermanence.nix
+++ b/flakes/nixos/impermanence.nix
@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.impermanence.nixosModules.impermanence ];
+
+  # this folder is where the files will be stored (don't put it in tmpfs)
+  environment.persistence."/nix/persist/system" = {
+    directories = [
+      # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+      #"/etc/NetworkManager/system-connections"
+      "/etc/clash-meta" # clash-meta
+      "/etc/secureboot" # sbctl, lanzaboote, etc
+    ];
+    files = [
+      # NOTE: if you persist /var/log directory, you should persist /etc/machine-id as well
+      # otherwise it will affect disk usage of log service
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+  };
+}
--- a/users/guanranwang/nixos.nix
+++ b/users/guanranwang/nixos.nix
@ -17,7 +17,8 @@

  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+    gnupg.sshKeyPaths = [];
    secrets = {
      "clash-config" = {
        #mode = "0444"; # readable