81fw-nixos: setup disko, impermanence

This commit is contained in:
Guanran Wang 2023-10-12 22:21:14 +08:00
parent 48fbc3b8f0
commit b554b2fbf0
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
4 changed files with 129 additions and 4 deletions


@ -37,9 +37,27 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence = {
url = "github:nix-community/impermanence";
};
};
outputs = { self, nixpkgs, berberman, home-manager, hosts, hyprland, lanzaboote, nix-darwin, sops-nix, ... } @ inputs: {
outputs = { self,
nixpkgs,
berberman,
home-manager,
hosts,
hyprland,
lanzaboote,
nix-darwin,
sops-nix,
disko,
impermanence,
... } @ inputs: {
# nix-darwin (macOS)
darwinConfigurations = {
@ -67,15 +85,20 @@
modules = [
./nixos # Entrypoint
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific configurations
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
#./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific configurations
./users/guanranwang/nixos.nix # User-specific configurations
./flakes/nixos/berberman.nix # Flakes
./flakes/nixos/home-manager.nix
./flakes/nixos/hosts.nix
./flakes/nixos/lanzaboote.nix
./flakes/nixos/sops-nix.nix
./flakes/nixos/impermanence.nix
./flakes/nixos/disko.nix
{ networking.hostName = "81fw-nixos"; }
{
_module.args.disks = [ "/dev/nvme0n1" ]; # Disko
networking.hostName = "81fw-nixos";
}
];
};
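Review bot: The target disk handed to disko at `_module.args.disks = [ "/dev/nvme0n1" ]; # Disko` is a kernel enumeration name, and disko (re)formats whatever device that path resolves to when it runs; with a second NVMe drive or a USB enclosure attached the ordering can change and the wrong disk gets wiped. A persistent path such as `/dev/disk/by-id/nvme-<model>_<serial>` pins the target to one physical device. The list is consumed in `flakes/nixos/disko.nix` via `builtins.elemAt disks 0` with a `/dev/vdb` default that only fits a VM, so a comment at this line such as `# Host-specific; disko formats this device destructively — use a /dev/disk/by-id path` would help the next reader. The `nixosConfigurations` entry this hunk edits begins above the hunk.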

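--- /dev/null
+++ b/flakes/nixos/disko.nix
+{ disks ? [ "/dev/vdb" ], inputs, ... }:
+{
+imports = [ inputs.disko.nixosModules.disko ];
+disko.devices = {
+disk = {
+"one" = {
+type = "disk";
+device = builtins.elemAt disks 0;
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "2G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [
+"defaults"
+];
+};
+};
+luks = {
+#size = "100%";
+end = "-16G";
+content = {
+type = "luks";
+name = "crypted";
+extraOpenArgs = [ "--allow-discards" ];
+# if you want to use the key for interactive login be sure there is no trailing newline
+# for example use `echo -n "password" > /tmp/secret.key`
+passwordFile = "/tmp/secret.key"; # Interactive
+#settings.keyFile = "/tmp/secret.key";
+#additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+content = {
+type = "btrfs";
+extraArgs = [ "-f" ];
+mountpoint = "/btrfs";
+subvolumes = {
+"/@home" = {
+mountpoint = "/home";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/@nix" = {
+mountpoint = "/nix";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+};
+};
+};
+};
+swap = {
+size = "100%";
+content = {
+type = "swap";
+randomEncryption = true;
+resumeDevice = true; # resume from hiberation from this device
+};
+};
+};
+};
+};
+};
+nodev = {
+"/" = {
+fsType = "tmpfs";
+mountOptions = [
+"size=2G"
+"defaults"
+"mode=755"
+];
+};
+};
+};
+}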
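Review bot: `randomEncryption = true;` and `resumeDevice = true;` on the swap partition conflict: a swap that is re-keyed with a fresh random key at every boot cannot hold a hibernation image that survives a reboot, so resume from this device will not work. If hibernation is wanted, the swap should live inside the LUKS container (a swapfile on a dedicated btrfs subvolume, or a second mapped volume) so the hibernation image, which captures RAM including the unlocked dm-crypt key material, is never written to the unencrypted outer partition; otherwise `resumeDevice` should go and the comment `# resume from hiberation from this device` with it. Separately, `passwordFile = "/tmp/secret.key"; # Interactive` appears to be consumed only while disko formats and opens the volume, so the `# Interactive` label is misleading; a comment such as `# Read by disko at format time only; create with umask 077 and shred after the run` would keep the passphrase from being left world-readable in /tmp on the installer. `extraOpenArgs = [ "--allow-discards" ]` is a deliberate trade-off (TRIM leaks block-usage patterns through the container) and deserves a one-line note saying so.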


@ -0,0 +1,23 @@
{ inputs, ... }:
{
imports = [ inputs.impermanence.nixosModules.impermanence ];
# this folder is where the files will be stored (don't put it in tmpfs)
environment.persistence."/nix/persist/system" = {
directories = [
# bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
#"/etc/NetworkManager/system-connections"
"/etc/clash-meta" # clash-meta
"/etc/secureboot" # sbctl, lanzaboote, etc
];
files = [
# NOTE: if you persist /var/log directory, you should persist /etc/machine-id as well
# otherwise it will affect disk usage of log service
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
}
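Review bot: The persisted SSH host private keys and `/etc/secureboot` (the sbctl signing keys that lanzaboote signs with) are only as protected as their source files under `/nix/persist/system`; a bind mount shares the source inode and its mode, so after the first migration those sources should be verified root-owned 0600/0700, all the more since the sops-nix change in this commit reads `/nix/persist/system/etc/ssh/ssh_host_ed25519_key` directly rather than through the bind mount. With `/` on tmpfs, `/var/lib/nixos` is not in `directories`, so presumably the uid/gid map for dynamically allocated system users is lost on every boot and ownership of persisted paths such as `/etc/clash-meta` can drift between boots — worth adding `"/var/lib/nixos"` unless it is persisted elsewhere in the tree. The comment `# bind mounted from /nix/persist/system/etc/nixos to /etc/nixos` describes an entry that is not in the list and reads as stale.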


@ -17,7 +17,8 @@
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"clash-config" = {
#mode = "0444"; # readable