host/asus: use disk to create btrfs luks encrypted
- make: fix rollback command - flake.lock: add disko module. - flake.lock: add impermanence module. - disko: add configuration to create luks-btrfs schema. - host/asus: add new filesystem configuration (luks-btrfs) - host/asus: mount user from old partition. - host/asus: add impermanence module to store system configuration.
This commit is contained in:
parent
6ef8e79113
commit
b703b69513
13 changed files with 244 additions and 46 deletions
4
Makefile
4
Makefile
|
@ -32,7 +32,7 @@ help:
|
|||
define machine_rule
|
||||
.PHONY: $(1)
|
||||
$(1): ;
|
||||
systemctl --user reset-failed
|
||||
# systemctl --user reset-failed
|
||||
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
|
||||
endef
|
||||
|
||||
|
@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
|
|||
|
||||
.PHONY: rollback
|
||||
rollback:
|
||||
sudo nixos-rebuild --rollback
|
||||
sudo nixos-rebuild switch --rollback
|
||||
|
||||
################################################################################
|
||||
# Editor
|
||||
|
|
63
disko/luks-btrfs.nix
Normal file
63
disko/luks-btrfs.nix
Normal file
|
@ -0,0 +1,63 @@
|
|||
{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
|
||||
{
|
||||
disko = {
|
||||
inherit memSize;
|
||||
|
||||
devices = {
|
||||
disk = {
|
||||
main = {
|
||||
type = "disk";
|
||||
inherit device;
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
size = "512M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = [ "defaults" ];
|
||||
};
|
||||
priority = 1;
|
||||
};
|
||||
cryptoroot = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "luksroot";
|
||||
settings.allowDiscards = true;
|
||||
passwordFile = "/tmp/secret.key";
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = [ "-f" ];
|
||||
subvolumes = {
|
||||
root = {
|
||||
mountpoint = "/";
|
||||
mountOptions = [ "compress=zstd" ];
|
||||
};
|
||||
persistent = {
|
||||
mountpoint = "/persistent";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
nix = {
|
||||
mountpoint = "/nix";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
swap = {
|
||||
mountpoint = "/.swapvol";
|
||||
mountOptions = [ "noatime" ];
|
||||
swap.swapfile.size = swapSize;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
37
flake.lock
37
flake.lock
|
@ -23,6 +23,26 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716431128,
|
||||
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"firefox-addons": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
|
@ -208,6 +228,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1708968331,
|
||||
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lan-mouse": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -371,11 +406,13 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"disko": "disko",
|
||||
"firefox-addons": "firefox-addons",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"hardware": "hardware",
|
||||
"home-manager": "home-manager_2",
|
||||
"home-manager-unstable": "home-manager-unstable",
|
||||
"impermanence": "impermanence",
|
||||
"lan-mouse": "lan-mouse",
|
||||
"nil": "nil",
|
||||
"nixeovim": "nixeovim",
|
||||
|
|
17
flake.nix
17
flake.nix
|
@ -4,6 +4,11 @@
|
|||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
impermanence.url = "github:nix-community/impermanence";
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
|
||||
|
||||
|
@ -99,6 +104,11 @@
|
|||
# Path to the agenix configuration file
|
||||
RULES = "./.agenix_config.nix";
|
||||
};
|
||||
disk = pkgs.mkShell {
|
||||
packages = [
|
||||
inputs.disko.packages.${system}.disko
|
||||
];
|
||||
};
|
||||
tools = pkgs.mkShell {
|
||||
packages = with pkgs; [
|
||||
mkpasswd
|
||||
|
@ -131,7 +141,9 @@
|
|||
modules =
|
||||
(with inputs; [
|
||||
agenix.nixosModules.default
|
||||
home-manager.nixosModule
|
||||
home-manager.nixosModules.default
|
||||
disko.nixosModules.disko
|
||||
impermanence.nixosModules.impermanence
|
||||
])
|
||||
++ [
|
||||
# deployment settings
|
||||
|
@ -169,5 +181,8 @@
|
|||
++ [ ./hosts/${hostname}/configuration.nix ];
|
||||
})
|
||||
(import ./hosts inputs);
|
||||
diskoConfigurations = {
|
||||
asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,13 +1,9 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader = {
|
||||
systemd-boot = {
|
||||
enable = true;
|
||||
configurationLimit = 10;
|
||||
};
|
||||
|
||||
efi.canTouchEfiVariables = true;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "nodev";
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
enableCryptodisk = true;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./boot.nix
|
||||
./imp.nix
|
||||
./networking.nix
|
||||
./wireguard
|
||||
];
|
||||
|
|
55
hosts/asus-gl553vd/configs/imp.nix
Normal file
55
hosts/asus-gl553vd/configs/imp.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
# A setup which would clean root subvolume between boots remove automatically removed roots that
|
||||
# are older than one day:
|
||||
#
|
||||
# Source: https://github.com/nix-community/impermanence
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
mkdir /btrfs_tmp
|
||||
mount /dev/mapper/luksroot /btrfs_tmp
|
||||
if [[ -e /btrfs_tmp/root ]]; then
|
||||
mkdir -p /btrfs_tmp/old_roots
|
||||
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
|
||||
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
|
||||
fi
|
||||
|
||||
delete_subvolume_recursively() {
|
||||
IFS=$'\n'
|
||||
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
|
||||
delete_subvolume_recursively "/btrfs_tmp/$i"
|
||||
done
|
||||
btrfs subvolume delete "$1"
|
||||
}
|
||||
|
||||
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
|
||||
delete_subvolume_recursively "$i"
|
||||
done
|
||||
|
||||
btrfs subvolume create /btrfs_tmp/root
|
||||
umount /btrfs_tmp
|
||||
rm -r /btrfs_tmp
|
||||
'';
|
||||
|
||||
age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
|
||||
"ssh_host_rsa_key"
|
||||
"ssh_host_ed25519_key"
|
||||
];
|
||||
|
||||
environment.persistence."/persistent/system" = {
|
||||
hideMounts = true;
|
||||
directories = [
|
||||
"/var/lib/bluetooth"
|
||||
"/var/lib/nixos"
|
||||
"/var/lib/systemd/coredump"
|
||||
"/etc/NetworkManager/system-connections"
|
||||
];
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
"/etc/ssh/ssh_host_rsa_key"
|
||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,13 +1,10 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
networking = {
|
||||
hostName = "laptop"; # Define your hostname.
|
||||
|
||||
networkmanager.enable = true;
|
||||
|
||||
firewall.allowedTCPPortRanges = [
|
||||
{ from = 33000; to = 33999; }
|
||||
];
|
||||
useDHCP = false;
|
||||
interfaces.wlp2s0.useDHCP = true;
|
||||
};
|
||||
}
|
||||
|
|
3
hosts/asus-gl553vd/disk-config.nix
Normal file
3
hosts/asus-gl553vd/disk-config.nix
Normal file
|
@ -0,0 +1,3 @@
|
|||
import ../../disko/luks-btrfs.nix {
|
||||
device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
|
||||
}
|
|
@ -1,16 +1,7 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
# Include the results of the hardware scan.
|
||||
imports = [ ./generated.nix ];
|
||||
|
||||
# Enable keyboard on the boot
|
||||
boot.initrd.availableKernelModules = [ "hid_asus" ];
|
||||
|
||||
boot.kernelModules = [
|
||||
# Enable containers
|
||||
# See: https://github.com/NixOS/nixpkgs/issues/38676
|
||||
"veth"
|
||||
imports = [
|
||||
./generated.nix # Include the results of the hardware scan.
|
||||
./manual.nix
|
||||
];
|
||||
|
||||
|
||||
|
|
|
@ -1,36 +1,56 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot = {
|
||||
initrd = {
|
||||
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
extraModulePackages = [ ];
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
kernelModules = [ ];
|
||||
luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
|
||||
fsType = "ext4";
|
||||
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=root" "compress=zstd" ];
|
||||
};
|
||||
|
||||
"/persistent" = {
|
||||
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=persistent" "compress=zstd" ];
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
"/nix" = {
|
||||
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" "compress=zstd" "noatime" ];
|
||||
};
|
||||
|
||||
"/.swapvol" = {
|
||||
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=swap" "noatime" ];
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/499C-4EBD";
|
||||
device = "/dev/disk/by-uuid/94EE-CA0D";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
};
|
||||
|
||||
swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
|
||||
swapDevices = [{ device = "/.swapvol/swapfile"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
|
@ -40,6 +60,6 @@
|
|||
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
22
hosts/asus-gl553vd/hardware-configuration/manual.nix
Normal file
22
hosts/asus-gl553vd/hardware-configuration/manual.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
boot.kernelModules = [
|
||||
# Enable containers
|
||||
# See: https://github.com/NixOS/nixpkgs/issues/38676
|
||||
"veth"
|
||||
];
|
||||
|
||||
# Enable keyboard on the boot
|
||||
boot.initrd.availableKernelModules = [ "hid_asus" ];
|
||||
|
||||
fileSystems."/home/jan" = {
|
||||
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
|
||||
fsType = "ext4";
|
||||
options = [
|
||||
"defaults"
|
||||
"X-mount.subdir=home/jan"
|
||||
"X-mount.mkdir"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ hostsPath, usersPath, ... }:
|
||||
{ hostsPath, usersPath, lib, ... }:
|
||||
|
||||
let
|
||||
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");
|
||||
|
|
Loading…
Reference in a new issue