From b703b695130348fc94dea9442ae91308adda082f Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Sun, 26 May 2024 00:21:41 +0300
Subject: [PATCH] host/asus: use disk to create btrfs luks encrypted

- make: fix rollback command
- flake.lock: add disko module.
- flake.lock: add impermanence module.
- disko: add configuration to create luks-btrfs schema.
- host/asus: add new filesystem configuration (luks-btrfs)
- host/asus: mount user from old partition.
- host/asus: add impermanence module to store system configuration.
---
 Makefile | 4 +-
 disko/luks-btrfs.nix | 63 +++++++++++++++++++
 flake.lock | 37 +++++++++++
 flake.nix | 17 ++++-
 hosts/asus-gl553vd/configs/boot.nix | 16 ++---
 hosts/asus-gl553vd/configs/default.nix | 3 +-
 hosts/asus-gl553vd/configs/imp.nix | 55 ++++++++++++++++
 hosts/asus-gl553vd/configs/networking.nix | 7 +--
 hosts/asus-gl553vd/disk-config.nix | 3 +
 .../hardware-configuration/default.nix | 15 +----
 .../hardware-configuration/generated.nix | 46 ++++++++++----
 .../hardware-configuration/manual.nix | 22 +++++++
 hosts/asus-gl553vd/users/jan.nix | 2 +-
 13 files changed, 244 insertions(+), 46 deletions(-)
 create mode 100644 disko/luks-btrfs.nix
 create mode 100644 hosts/asus-gl553vd/configs/imp.nix
 create mode 100644 hosts/asus-gl553vd/disk-config.nix
 create mode 100644 hosts/asus-gl553vd/hardware-configuration/manual.nix

diff --git a/Makefile b/Makefile
index 8c33e7e..66643f8 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ help:
 define machine_rule
 .PHONY: $(1)
 $(1): ;
- systemctl --user reset-failed
+ # systemctl --user reset-failed
 sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
 endef
@@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
 .PHONY: rollback
 rollback:
- sudo nixos-rebuild --rollback
+ sudo nixos-rebuild switch --rollback
 ################################################################################
 # Editor
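Review bot: In the `machine_rule` hunk the recipe line `systemctl --user reset-failed` is commented out instead of removed, and nothing records why, so a reader cannot tell whether it is temporarily disabled or permanently dead. Delete the line (git history keeps it) or replace it with the reason, e.g. `# reset-failed dropped: <reason — to be filled in by author>`. Recipe tabs are not visible in this rendering, so I could not confirm that the commented line still carries the leading tab make expects inside a recipe.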
diff --git a/disko/luks-btrfs.nix b/disko/luks-btrfs.nix
new file mode 100644
index 0000000..ab4001e
--- /dev/null
+++ b/disko/luks-btrfs.nix
@@ -0,0 +1,63 @@
+{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
+{
+ disko = {
+ inherit memSize;
+
+ devices = {
+ disk = {
+ main = {
+ type = "disk";
+ inherit device;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ priority = 1;
+ };
+ cryptoroot = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luksroot";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/secret.key";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ root = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" ];
+ };
+ persistent = {
+ mountpoint = "/persistent";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ nix = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ swap = {
+ mountpoint = "/.swapvol";
+ mountOptions = [ "noatime" ];
+ swap.swapfile.size = swapSize;
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index c69ab1b..3dd9d8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,6 +23,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1716431128,
+ "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "firefox-addons": {
 "inputs": {
 "flake-utils": "flake-utils",
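Review bot: `passwordFile = "/tmp/secret.key"` hard-codes where disko reads the LUKS passphrase for every host that imports this module, and the module says nothing about how that file is handled; add a comment above the line stating that the installer must create it mode 0600 and remove it once `disko` has run, or expose the path as a parameter next to `device` so callers can point it at a tmpfs they control. Separately, `settings.allowDiscards = true` only shapes the mapping disko opens at install time; the running system unlocks through `boot.initrd.luks.devices."luksroot"` in generated.nix later in this patch, which does not set `allowDiscards`, so unless the host also imports this disk config as a NixOS module (not visible here) fstrim will not reach the NVMe even though the install-time mapping allowed it. Pick one behaviour and record the trade-off in a comment, since discards let the free-space layout show through the ciphertext, a cost usually accepted on SSDs. Lastly, `root` is the only subvolume mounted without `noatime` and generated.nix repeats the same asymmetry; if that is deliberate, a one-line comment here would save the next reader a question.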
@@ -208,6 +228,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1708968331,
+ "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "lan-mouse": {
 "inputs": {
 "nixpkgs": [
@@ -371,11 +406,13 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "disko": "disko",
 "firefox-addons": "firefox-addons",
 "flake-utils": "flake-utils_2",
 "hardware": "hardware",
 "home-manager": "home-manager_2",
 "home-manager-unstable": "home-manager-unstable",
+ "impermanence": "impermanence",
 "lan-mouse": "lan-mouse",
 "nil": "nil",
 "nixeovim": "nixeovim",
diff --git a/flake.nix b/flake.nix
index ab284ac..f744bcc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,11 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 hardware.url = "github:NixOS/nixos-hardware/master";
+ impermanence.url = "github:nix-community/impermanence";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
@@ -99,6 +104,11 @@
 # Path to the agenix configuration file
 RULES = "./.agenix_config.nix";
 };
+ disk = pkgs.mkShell {
+ packages = [
+ inputs.disko.packages.${system}.disko
+ ];
+ };
 tools = pkgs.mkShell {
 packages = with pkgs; [
 mkpasswd
@@ -131,7 +141,9 @@
 modules = (with inputs; [
 agenix.nixosModules.default
- home-manager.nixosModule
+ home-manager.nixosModules.default
+ disko.nixosModules.disko
+ impermanence.nixosModules.impermanence
 ]) ++ [
 # deployment settings
@@ -169,5 +181,8 @@
 ++ [ ./hosts/${hostname}/configuration.nix ];
 }) (import ./hosts inputs);
+ diskoConfigurations = {
+ asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
+ };
 };
}
diff --git a/hosts/asus-gl553vd/configs/boot.nix b/hosts/asus-gl553vd/configs/boot.nix
index 7053e4e..51a54a0 100644
--- a/hosts/asus-gl553vd/configs/boot.nix
+++ b/hosts/asus-gl553vd/configs/boot.nix
@@ -1,13 +1,9 @@
-{ ... }:
-
 {
- # Use the systemd-boot EFI boot loader.
- boot.loader = {
- systemd-boot = {
- enable = true;
- configurationLimit = 10;
- };
-
- efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ device = "nodev";
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ enableCryptodisk = true;
 };
}
diff --git a/hosts/asus-gl553vd/configs/default.nix b/hosts/asus-gl553vd/configs/default.nix
index 224fec7..5a27f80 100644
--- a/hosts/asus-gl553vd/configs/default.nix
+++ b/hosts/asus-gl553vd/configs/default.nix
@@ -1,8 +1,7 @@
-{ ... }:
-
 {
 imports = [
 ./boot.nix
+ ./imp.nix
 ./networking.nix
 ./wireguard
 ];
diff --git a/hosts/asus-gl553vd/configs/imp.nix b/hosts/asus-gl553vd/configs/imp.nix
new file mode 100644
index 0000000..1d4b861
--- /dev/null
+++ b/hosts/asus-gl553vd/configs/imp.nix
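Review bot: `enableCryptodisk = true` in the new `boot.loader.grub` block tells GRUB to unlock LUKS itself, but in this patch `/boot` is the plain vfat ESP (disko/luks-btrfs.nix, generated.nix), so GRUB reads the kernel and initrd unencrypted and the LUKS volume is opened by the initrd through `boot.initrd.luks.devices`; as far as the patch shows the cryptodisk path is never exercised, and if `/boot` were later moved inside the LUKS volume the passphrase would most likely be prompted twice. Drop the option or add a comment saying why it is on. The move away from systemd-boot also dropped `configurationLimit = 10`, so generations on the 512M ESP are now unbounded; GRUB has the equivalent `boot.loader.grub.configurationLimit`. An unencrypted ESP also means the kernel and initrd are unauthenticated at boot, since no Secure Boot is configured here; that is a deliberate design choice, but one comment line in this file would record the residual risk.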
@@ -0,0 +1,55 @@
+{ lib, ... }:
+
+{
+ # A setup which would clean root subvolume between boots remove automatically removed roots that
+ # are older than one day:
+ #
+ # Source: https://github.com/nix-community/impermanence
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/mapper/luksroot /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ rm -r /btrfs_tmp
+ '';
+
+ age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
+ "ssh_host_rsa_key"
+ "ssh_host_ed25519_key"
+ ];
+
+ environment.persistence."/persistent/system" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+}
diff --git a/hosts/asus-gl553vd/configs/networking.nix b/hosts/asus-gl553vd/configs/networking.nix
index bdcb0e5..1f87c5a 100644
--- a/hosts/asus-gl553vd/configs/networking.nix
+++ b/hosts/asus-gl553vd/configs/networking.nix
@@ -1,13 +1,10 @@
-{ ... }:
-
 {
 networking = {
 hostName = "laptop"; # Define your hostname.
 networkmanager.enable = true;
- firewall.allowedTCPPortRanges = [
- { from = 33000; to = 33999; }
- ];
+ useDHCP = false;
+ interfaces.wlp2s0.useDHCP = true;
 };
}
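Review bot: `environment.persistence."/persistent/system"` keeps coredumps, NetworkManager connections and the host keys but not `/var/log`, so the systemd journal lives on the `root` subvolume that `boot.initrd.postDeviceCommands` renames on every boot and deletes once `find -mtime +1` matches; after an incident, the logs from before the last reboot are gone within a day. Add `"/var/log"` (or at minimum `"/var/log/journal"`) to `directories`. In the initrd script, `mount /dev/mapper/luksroot /btrfs_tmp` is unchecked, so a failed mount lets the script run on to `btrfs subvolume create /btrfs_tmp/root` against the initramfs' own filesystem; making the rest of the script conditional on the mount succeeding would give a clearer failure. The header comment is hard to parse (`A setup which would clean root subvolume between boots remove automatically removed roots`); suggest `# Roll the root subvolume over on every boot; displaced roots are kept under old_roots and deleted after one day.`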
diff --git a/hosts/asus-gl553vd/disk-config.nix b/hosts/asus-gl553vd/disk-config.nix
new file mode 100644
index 0000000..06adec2
--- /dev/null
+++ b/hosts/asus-gl553vd/disk-config.nix
@@ -0,0 +1,3 @@
+import ../../disko/luks-btrfs.nix {
+ device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
+}
diff --git a/hosts/asus-gl553vd/hardware-configuration/default.nix b/hosts/asus-gl553vd/hardware-configuration/default.nix
index fe5feb3..4417a9f 100644
--- a/hosts/asus-gl553vd/hardware-configuration/default.nix
+++ b/hosts/asus-gl553vd/hardware-configuration/default.nix
@@ -1,16 +1,7 @@
-{ ... }:
-
 {
- # Include the results of the hardware scan.
- imports = [ ./generated.nix ];
-
- # Enable keyboard on the boot
- boot.initrd.availableKernelModules = [ "hid_asus" ];
-
- boot.kernelModules = [
- # Enable containers
- # See: https://github.com/NixOS/nixpkgs/issues/38676
- "veth"
+ imports = [
+ ./generated.nix # Include the results of the hardware scan.
+ ./manual.nix
 ];
diff --git a/hosts/asus-gl553vd/hardware-configuration/generated.nix b/hosts/asus-gl553vd/hardware-configuration/generated.nix
index 145e45c..b9a0dfa 100644
--- a/hosts/asus-gl553vd/hardware-configuration/generated.nix
+++ b/hosts/asus-gl553vd/hardware-configuration/generated.nix
@@ -1,36 +1,56 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
 {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- boot = {
- initrd = {
- availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
- kernelModules = [ ];
- };
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
- kernelModules = [ "kvm-intel" ];
- extraModulePackages = [ ];
+ boot.initrd = {
+ availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+ kernelModules = [ ];
+ luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
 };
 fileSystems = {
 "/" = {
- device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
- fsType = "ext4";
+ device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+ fsType = "btrfs";
+ options = [ "subvol=root" "compress=zstd" ];
+ };
+
+ "/persistent" = {
+ device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+ fsType = "btrfs";
+ options = [ "subvol=persistent" "compress=zstd" ];
+ neededForBoot = true;
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+ fsType = "btrfs";
+ options = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+
+ "/.swapvol" = {
+ device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
+ fsType = "btrfs";
+ options = [ "subvol=swap" "noatime" ];
 };
 "/boot" = {
- device = "/dev/disk/by-uuid/499C-4EBD";
+ device = "/dev/disk/by-uuid/94EE-CA0D";
 fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
 };
 };
- swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
+ swapDevices = [{ device = "/.swapvol/swapfile"; }];
 # Enables DHCP on each ethernet and wireless interface.
In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -40,6 +60,6 @@
 # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
- powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/hosts/asus-gl553vd/hardware-configuration/manual.nix b/hosts/asus-gl553vd/hardware-configuration/manual.nix
new file mode 100644
index 0000000..a70c713
--- /dev/null
+++ b/hosts/asus-gl553vd/hardware-configuration/manual.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ boot.kernelModules = [
+ # Enable containers
+ # See: https://github.com/NixOS/nixpkgs/issues/38676
+ "veth"
+ ];
+
+ # Enable keyboard on the boot
+ boot.initrd.availableKernelModules = [ "hid_asus" ];
+
+ fileSystems."/home/jan" = {
+ device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
+ fsType = "ext4";
+ options = [
+ "defaults"
+ "X-mount.subdir=home/jan"
+ "X-mount.mkdir"
+ ];
+ };
+}
diff --git a/hosts/asus-gl553vd/users/jan.nix b/hosts/asus-gl553vd/users/jan.nix
index 50d7a4e..a4744a5 100644
--- a/hosts/asus-gl553vd/users/jan.nix
+++ b/hosts/asus-gl553vd/users/jan.nix
@@ -1,4 +1,4 @@
-{ hostsPath, usersPath, ... }:
+{ hostsPath, usersPath, lib, ... }:
 let
 asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");
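Review bot: `fileSystems."/home/jan"` in manual.nix mounts the old ext4 root — UUID `e6c0cbba-…` is the device generated.nix used for `/` before this patch — via `X-mount.subdir=home/jan`, so the user's home stays outside the new LUKS volume and the rest of that old root (its `/etc`, presumably including the previous SSH host keys) remains on disk unencrypted. The commit message calls this intentional, but the file does not; add a comment such as `# /home/jan still lives on the old, unencrypted ext4 root partition; migrate it into the LUKS volume and wipe this partition afterwards.` Since the partition is a legacy root with binaries on it and is only needed for a home directory, adding `nosuid` and `nodev` to `options` would be cheap hardening while it stays mounted.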