host/asus: use disk to create btrfs luks encrypted

- make: fix rollback command
- flake.lock: add disko module.
- flake.lock: add impermanence module.
- disko: add configuration to create luks-btrfs schema.
- host/asus: add new filesystem configuration (luks-btrfs)
- host/asus: mount user from old partition.
- host/asus: add impermanence module to store system configuration.
This commit is contained in:
Dmitriy Pleshevskiy 2024-05-26 00:21:41 +03:00
parent 6ef8e79113
commit b703b69513
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
13 changed files with 244 additions and 46 deletions

View file

@ -32,7 +32,7 @@ help:
define machine_rule
.PHONY: $(1)
$(1): ;
systemctl --user reset-failed
# systemctl --user reset-failed
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
endef
@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
.PHONY: rollback
rollback:
sudo nixos-rebuild --rollback
sudo nixos-rebuild switch --rollback
################################################################################
# Editor

63
disko/luks-btrfs.nix Normal file
View file

@ -0,0 +1,63 @@
{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
{
disko = {
inherit memSize;
devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
priority = 1;
};
cryptoroot = {
size = "100%";
content = {
type = "luks";
name = "luksroot";
settings.allowDiscards = true;
passwordFile = "/tmp/secret.key";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
root = {
mountpoint = "/";
mountOptions = [ "compress=zstd" ];
};
persistent = {
mountpoint = "/persistent";
mountOptions = [ "compress=zstd" "noatime" ];
};
nix = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
swap = {
mountpoint = "/.swapvol";
mountOptions = [ "noatime" ];
swap.swapfile.size = swapSize;
};
};
};
};
};
};
};
};
};
};
};
}

View file

@ -23,6 +23,26 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716431128,
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
"owner": "nix-community",
"repo": "disko",
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox-addons": {
"inputs": {
"flake-utils": "flake-utils",
@ -208,6 +228,21 @@
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lan-mouse": {
"inputs": {
"nixpkgs": [
@ -371,11 +406,13 @@
"root": {
"inputs": {
"agenix": "agenix",
"disko": "disko",
"firefox-addons": "firefox-addons",
"flake-utils": "flake-utils_2",
"hardware": "hardware",
"home-manager": "home-manager_2",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"lan-mouse": "lan-mouse",
"nil": "nil",
"nixeovim": "nixeovim",

View file

@ -4,6 +4,11 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
hardware.url = "github:NixOS/nixos-hardware/master";
impermanence.url = "github:nix-community/impermanence";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
@ -99,6 +104,11 @@
# Path to the agenix configuration file
RULES = "./.agenix_config.nix";
};
disk = pkgs.mkShell {
packages = [
inputs.disko.packages.${system}.disko
];
};
tools = pkgs.mkShell {
packages = with pkgs; [
mkpasswd
@ -131,7 +141,9 @@
modules =
(with inputs; [
agenix.nixosModules.default
home-manager.nixosModule
home-manager.nixosModules.default
disko.nixosModules.disko
impermanence.nixosModules.impermanence
])
++ [
# deployment settings
@ -169,5 +181,8 @@
++ [ ./hosts/${hostname}/configuration.nix ];
})
(import ./hosts inputs);
diskoConfigurations = {
asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
};
};
}

View file

@ -1,13 +1,9 @@
{ ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader = {
systemd-boot = {
enable = true;
configurationLimit = 10;
};
efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
device = "nodev";
efiSupport = true;
efiInstallAsRemovable = true;
enableCryptodisk = true;
};
}

View file

@ -1,8 +1,7 @@
{ ... }:
{
imports = [
./boot.nix
./imp.nix
./networking.nix
./wireguard
];

View file

@ -0,0 +1,55 @@
{ lib, ... }:
{
# A setup which would clean root subvolume between boots remove automatically removed roots that
# are older than one day:
#
# Source: https://github.com/nix-community/impermanence
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/mapper/luksroot /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
rm -r /btrfs_tmp
'';
age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
"ssh_host_rsa_key"
"ssh_host_ed25519_key"
];
environment.persistence."/persistent/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
];
};
}

View file

@ -1,13 +1,10 @@
{ ... }:
{
networking = {
hostName = "laptop"; # Define your hostname.
networkmanager.enable = true;
firewall.allowedTCPPortRanges = [
{ from = 33000; to = 33999; }
];
useDHCP = false;
interfaces.wlp2s0.useDHCP = true;
};
}

View file

@ -0,0 +1,3 @@
import ../../disko/luks-btrfs.nix {
device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
}

View file

@ -1,16 +1,7 @@
{ ... }:
{
# Include the results of the hardware scan.
imports = [ ./generated.nix ];
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
imports = [
./generated.nix # Include the results of the hardware scan.
./manual.nix
];

View file

@ -1,36 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
};
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
boot.initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
fsType = "ext4";
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
"/persistent" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=persistent" "compress=zstd" ];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/.swapvol" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=swap" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/499C-4EBD";
device = "/dev/disk/by-uuid/94EE-CA0D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
swapDevices = [{ device = "/.swapvol/swapfile"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -40,6 +60,6 @@
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -0,0 +1,22 @@
{ ... }:
{
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
];
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
fileSystems."/home/jan" = {
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
fsType = "ext4";
options = [
"defaults"
"X-mount.subdir=home/jan"
"X-mount.mkdir"
];
};
}

View file

@ -1,4 +1,4 @@
{ hostsPath, usersPath, ... }:
{ hostsPath, usersPath, lib, ... }:
let
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");