host/asus: use disk to create btrfs luks encrypted

- make: fix rollback command - flake.lock: add disko module. - flake.lock: add impermanence module. - disko: add configuration to create luks-btrfs schema. - host/asus: add new filesystem configuration (luks-btrfs) - host/asus: mount user from old partition. - host/asus: add impermanence module to store system configuration.
2024-05-26 00:21:41 +03:00 · 2024-05-26 00:21:41 +03:00 · b703b69513
commit b703b69513
parent 6ef8e79113
13 changed files with 244 additions and 46 deletions
--- a/4
+++ b/4
@ -32,7 +32,7 @@ help:
 define machine_rule
 .PHONY: $(1)
 $(1): ;
-	systemctl --user reset-failed
+	# systemctl --user reset-failed
 	sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
 endef

@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))

 .PHONY: rollback
 rollback:
-	sudo nixos-rebuild --rollback
+	sudo nixos-rebuild switch --rollback

 ################################################################################
 # Editor
--- a/disko/luks-btrfs.nix
+++ b/disko/luks-btrfs.nix
@ -0,0 +1,63 @@
+{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
+{
+  disko = {
+    inherit memSize;
+
+    devices = {
+      disk = {
+        main = {
+          type = "disk";
+          inherit device;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+                priority = 1;
+              };
+              cryptoroot = {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "luksroot";
+                  settings.allowDiscards = true;
+                  passwordFile = "/tmp/secret.key";
+                  content = {
+                    type = "btrfs";
+                    extraArgs = [ "-f" ];
+                    subvolumes = {
+                      root = {
+                        mountpoint = "/";
+                        mountOptions = [ "compress=zstd" ];
+                      };
+                      persistent = {
+                        mountpoint = "/persistent";
+                        mountOptions = [ "compress=zstd" "noatime" ];
+                      };
+                      nix = {
+                        mountpoint = "/nix";
+                        mountOptions = [ "compress=zstd" "noatime" ];
+                      };
+                      swap = {
+                        mountpoint = "/.swapvol";
+                        mountOptions = [ "noatime" ];
+                        swap.swapfile.size = swapSize;
+                      };
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -23,6 +23,26 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716431128,
+        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "firefox-addons": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -208,6 +228,21 @@
        "type": "github"
      }
    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1708968331,
+        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
    "lan-mouse": {
      "inputs": {
        "nixpkgs": [
@ -371,11 +406,13 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-utils": "flake-utils_2",
        "hardware": "hardware",
        "home-manager": "home-manager_2",
        "home-manager-unstable": "home-manager-unstable",
+        "impermanence": "impermanence",
        "lan-mouse": "lan-mouse",
        "nil": "nil",
        "nixeovim": "nixeovim",
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,11 @@
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    hardware.url = "github:NixOS/nixos-hardware/master";
+    impermanence.url = "github:nix-community/impermanence";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";

@ -99,6 +104,11 @@
              # Path to the agenix configuration file
              RULES = "./.agenix_config.nix";
            };
+            disk = pkgs.mkShell {
+              packages = [
+                inputs.disko.packages.${system}.disko
+              ];
+            };
            tools = pkgs.mkShell {
              packages = with pkgs; [
                mkpasswd
@ -131,7 +141,9 @@
              modules =
                (with inputs; [
                  agenix.nixosModules.default
-                  home-manager.nixosModule
+                  home-manager.nixosModules.default
+                  disko.nixosModules.disko
+                  impermanence.nixosModules.impermanence
                ])
                ++ [
                  # deployment settings
@ -169,5 +181,8 @@
                ++ [ ./hosts/${hostname}/configuration.nix ];
            })
          (import ./hosts inputs);
+      diskoConfigurations = {
+        asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
+      };
    };
 }
--- a/hosts/asus-gl553vd/configs/boot.nix
+++ b/hosts/asus-gl553vd/configs/boot.nix
@ -1,13 +1,9 @@
-{ ... }:
-
 {
-  # Use the systemd-boot EFI boot loader.
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      configurationLimit = 10;
-    };
-
-    efi.canTouchEfiVariables = true;
+  boot.loader.grub = {
+    enable = true;
+    device = "nodev";
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    enableCryptodisk = true;
  };
 }
--- a/hosts/asus-gl553vd/configs/default.nix
+++ b/hosts/asus-gl553vd/configs/default.nix
@ -1,8 +1,7 @@
-{ ... }:
-
 {
  imports = [
    ./boot.nix
+    ./imp.nix
    ./networking.nix
    ./wireguard
  ];
--- a/hosts/asus-gl553vd/configs/imp.nix
+++ b/hosts/asus-gl553vd/configs/imp.nix
@ -0,0 +1,55 @@
+{ lib, ... }:
+
+{
+  # A setup which would clean root subvolume between boots remove automatically removed roots that
+  # are older than one day:
+  # 
+  # Source: https://github.com/nix-community/impermanence
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    mkdir /btrfs_tmp
+    mount /dev/mapper/luksroot /btrfs_tmp
+    if [[ -e /btrfs_tmp/root ]]; then
+        mkdir -p /btrfs_tmp/old_roots
+        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+        IFS=$'\n'
+        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+            delete_subvolume_recursively "/btrfs_tmp/$i"
+        done
+        btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
+        delete_subvolume_recursively "$i"
+    done
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+    rm -r /btrfs_tmp
+  '';
+
+  age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
+    "ssh_host_rsa_key"
+    "ssh_host_ed25519_key"
+  ];
+
+  environment.persistence."/persistent/system" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/etc/NetworkManager/system-connections"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+  };
+}
--- a/hosts/asus-gl553vd/configs/networking.nix
+++ b/hosts/asus-gl553vd/configs/networking.nix
@ -1,13 +1,10 @@
-{ ... }:
-
 {
  networking = {
    hostName = "laptop"; # Define your hostname.

    networkmanager.enable = true;

-    firewall.allowedTCPPortRanges = [
-      { from = 33000; to = 33999; }
-    ];
+    useDHCP = false;
+    interfaces.wlp2s0.useDHCP = true;
  };
 }
--- a/hosts/asus-gl553vd/disk-config.nix
+++ b/hosts/asus-gl553vd/disk-config.nix
@ -0,0 +1,3 @@
+import ../../disko/luks-btrfs.nix {
+  device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
+}
--- a/hosts/asus-gl553vd/hardware-configuration/default.nix
+++ b/hosts/asus-gl553vd/hardware-configuration/default.nix
@ -1,16 +1,7 @@
-{ ... }:
-
 {
-  # Include the results of the hardware scan.
-  imports = [ ./generated.nix ];
-
-  # Enable keyboard on the boot
-  boot.initrd.availableKernelModules = [ "hid_asus" ];
-
-  boot.kernelModules = [
-    # Enable containers
-    # See: https://github.com/NixOS/nixpkgs/issues/38676
-    "veth"
+  imports = [
+    ./generated.nix # Include the results of the hardware scan.
+    ./manual.nix
  ];


--- a/hosts/asus-gl553vd/hardware-configuration/generated.nix
+++ b/hosts/asus-gl553vd/hardware-configuration/generated.nix
@ -1,36 +1,56 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot = {
-    initrd = {
-      availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-      kernelModules = [ ];
-    };
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];

-    kernelModules = [ "kvm-intel" ];
-    extraModulePackages = [ ];
+  boot.initrd = {
+    availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+    kernelModules = [ ];
+    luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
  };

  fileSystems = {
    "/" = {
-      device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
-      fsType = "ext4";
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=root" "compress=zstd" ];
+    };
+
+    "/persistent" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=persistent" "compress=zstd" ];
+      neededForBoot = true;
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=nix" "compress=zstd" "noatime" ];
+    };
+
+    "/.swapvol" = {
+      device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+      fsType = "btrfs";
+      options = [ "subvol=swap" "noatime" ];
    };

    "/boot" = {
-      device = "/dev/disk/by-uuid/499C-4EBD";
+      device = "/dev/disk/by-uuid/94EE-CA0D";
      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
    };
  };

-  swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
+  swapDevices = [{ device = "/.swapvol/swapfile"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -40,6 +60,6 @@
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;

-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/asus-gl553vd/hardware-configuration/manual.nix
+++ b/hosts/asus-gl553vd/hardware-configuration/manual.nix
@ -0,0 +1,22 @@
+{ ... }:
+
+{
+  boot.kernelModules = [
+    # Enable containers
+    # See: https://github.com/NixOS/nixpkgs/issues/38676
+    "veth"
+  ];
+
+  # Enable keyboard on the boot
+  boot.initrd.availableKernelModules = [ "hid_asus" ];
+
+  fileSystems."/home/jan" = {
+    device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
+    fsType = "ext4";
+    options = [
+      "defaults"
+      "X-mount.subdir=home/jan"
+      "X-mount.mkdir"
+    ];
+  };
+}
--- a/hosts/asus-gl553vd/users/jan.nix
+++ b/hosts/asus-gl553vd/users/jan.nix
@ -1,4 +1,4 @@
-{ hostsPath, usersPath, ... }:
+{ hostsPath, usersPath, lib, ... }:

 let
  asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");