host/asus: use disk to create btrfs luks encrypted #17

Merged
pleshevskiy merged 1 commit from luks-disko-imp into main 2024-05-27 16:41:29 +03:00
13 changed files with 244 additions and 46 deletions


@ -32,7 +32,7 @@ help:
define machine_rule define machine_rule
.PHONY: $(1) .PHONY: $(1)
$(1): ; $(1): ;
systemctl --user reset-failed # systemctl --user reset-failed
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS) sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
endef endef
@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
.PHONY: rollback .PHONY: rollback
rollback: rollback:
sudo nixos-rebuild --rollback sudo nixos-rebuild switch --rollback
################################################################################ ################################################################################
# Editor # Editor
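Review bot: The `systemctl --user reset-failed` line in machine_rule is left commented out rather than removed, with nothing saying why it was disabled (the rule body begins at the `define` above this hunk and ends at `endef`). A silent `#` in a recipe reads as a forgotten experiment; either delete the line or replace it with a one-line comment stating the actual reason, e.g. `# reset-failed disabled: <reason>`, so the next person does not re-enable it. The `rollback` change to `nixos-rebuild switch --rollback` is correct (`--rollback` alone selects nothing without a subcommand) and needs no further note.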

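--- /dev/null
+++ b/disko/luks-btrfs.nix
@@ -0,0 +1,63 @@
+{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
+{
+disko = {
+inherit memSize;
+devices = {
+disk = {
+main = {
+type = "disk";
+inherit device;
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "defaults" ];
+};
+priority = 1;
+};
+cryptoroot = {
+size = "100%";
+content = {
+type = "luks";
+name = "luksroot";
+settings.allowDiscards = true;
+passwordFile = "/tmp/secret.key";
+content = {
+type = "btrfs";
+extraArgs = [ "-f" ];
+subvolumes = {
+root = {
+mountpoint = "/";
+mountOptions = [ "compress=zstd" ];
+};
+persistent = {
+mountpoint = "/persistent";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+nix = {
+mountpoint = "/nix";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+swap = {
+mountpoint = "/.swapvol";
+mountOptions = [ "noatime" ];
+swap.swapfile.size = swapSize;
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}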
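Review bot: `passwordFile = "/tmp/secret.key"` in the cryptoroot content hard-codes the LUKS passphrase source to a world-writable directory, and nothing on this page creates, permission-checks or removes that file, yet whatever it contains at format time becomes the only key in the LUKS header. Make it a parameter with the same default, `{ device, memSize ? 1024 * 5, swapSize ? "10G", passwordFile ? "/tmp/secret.key" }:`, and document the expectation next to the attribute: `# read once by disko at format time; create with mode 0600 and shred it after the install`. `settings.allowDiscards = true` passes TRIM through the mapping, which exposes which blocks are unused to anyone holding the raw device — a common laptop trade-off, but it deserves a one-line comment so it reads as a decision rather than a default. `extraArgs = [ "-f" ]` forces mkfs.btrfs over any existing signature, so the module is destructive by design; say so in a header comment since `diskoConfigurations` in the flake makes it runnable against the host disk.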


@ -23,6 +23,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716431128,
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
"owner": "nix-community",
"repo": "disko",
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox-addons": { "firefox-addons": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
@ -208,6 +228,21 @@
"type": "github" "type": "github"
} }
}, },
"impermanence": {
"locked": {
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lan-mouse": { "lan-mouse": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -371,11 +406,13 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"disko": "disko",
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"hardware": "hardware", "hardware": "hardware",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"home-manager-unstable": "home-manager-unstable", "home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"lan-mouse": "lan-mouse", "lan-mouse": "lan-mouse",
"nil": "nil", "nil": "nil",
"nixeovim": "nixeovim", "nixeovim": "nixeovim",


@ -4,6 +4,11 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
hardware.url = "github:NixOS/nixos-hardware/master"; hardware.url = "github:NixOS/nixos-hardware/master";
impermanence.url = "github:nix-community/impermanence";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons"; firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
@ -99,6 +104,11 @@
# Path to the agenix configuration file # Path to the agenix configuration file
RULES = "./.agenix_config.nix"; RULES = "./.agenix_config.nix";
}; };
disk = pkgs.mkShell {
packages = [
inputs.disko.packages.${system}.disko
];
};
tools = pkgs.mkShell { tools = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
mkpasswd mkpasswd
@ -131,7 +141,9 @@
modules = modules =
(with inputs; [ (with inputs; [
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModule home-manager.nixosModules.default
disko.nixosModules.disko
impermanence.nixosModules.impermanence
]) ])
++ [ ++ [
# deployment settings # deployment settings
@ -169,5 +181,8 @@
++ [ ./hosts/${hostname}/configuration.nix ]; ++ [ ./hosts/${hostname}/configuration.nix ];
}) })
(import ./hosts inputs); (import ./hosts inputs);
diskoConfigurations = {
asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
};
}; };
} }


@ -1,13 +1,9 @@
{ ... }:
{ {
# Use the systemd-boot EFI boot loader. boot.loader.grub = {
boot.loader = { enable = true;
systemd-boot = { device = "nodev";
enable = true; efiSupport = true;
configurationLimit = 10; efiInstallAsRemovable = true;
}; enableCryptodisk = true;
efi.canTouchEfiVariables = true;
}; };
} }
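Review bot: `enableCryptodisk = true` only matters when GRUB itself has to unlock a LUKS volume to reach `/boot`; in the new layout `/boot` is the plain vfat ESP (the `ESP` partition in disko/luks-btrfs.nix), so GRUB reads the kernel and initrd from an unencrypted partition and the option does nothing except pull the cryptodisk modules into the EFI image. Either drop it or document the intent: `# cryptodisk unused while /boot is the ESP; keep only if /boot moves inside LUKS`. It is also worth a comment that the kernel and initrd are therefore neither encrypted nor signed (no Secure Boot configuration appears on this page), so someone with physical access can alter the boot chain before the passphrase prompt — the LUKS root does not protect against that. `efiInstallAsRemovable = true` with `device = "nodev"` installs to the fallback `EFI/BOOT` path instead of touching NVRAM, which is fine but should be stated now that `efi.canTouchEfiVariables` is gone.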


@ -1,8 +1,7 @@
{ ... }:
{ {
imports = [ imports = [
./boot.nix ./boot.nix
./imp.nix
./networking.nix ./networking.nix
./wireguard ./wireguard
]; ];


@ -0,0 +1,55 @@
{ lib, ... }:
{
# A setup which would clean root subvolume between boots remove automatically removed roots that
# are older than one day:
#
# Source: https://github.com/nix-community/impermanence
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/mapper/luksroot /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
rm -r /btrfs_tmp
'';
age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
"ssh_host_rsa_key"
"ssh_host_ed25519_key"
];
environment.persistence."/persistent/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
];
};
}
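Review bot: `rm -r /btrfs_tmp` at the end of `boot.initrd.postDeviceCommands` runs regardless of whether the preceding `umount /btrfs_tmp` succeeded, so a busy unmount turns it into a recursive delete of the still-mounted encrypted volume — `root`, `persistent`, `nix` and `swap` — from inside the initrd. Replace the last two lines with `umount /btrfs_tmp` and `rmdir /btrfs_tmp`, since rmdir refuses a non-empty (i.e. still mounted) directory. The initial `mount /dev/mapper/luksroot /btrfs_tmp` is equally unchecked; if it fails every later step operates on the initrd's own filesystem, so wrap the body in `if mount /dev/mapper/luksroot /btrfs_tmp; then … fi`. The header comment should also state the retention consequence: old roots are kept for one day, so anything written outside `/persistent` in the previous boot remains on disk (inside LUKS) until then.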


@ -1,13 +1,10 @@
{ ... }:
{ {
networking = { networking = {
hostName = "laptop"; # Define your hostname. hostName = "laptop"; # Define your hostname.
networkmanager.enable = true; networkmanager.enable = true;
firewall.allowedTCPPortRanges = [ useDHCP = false;
{ from = 33000; to = 33999; } interfaces.wlp2s0.useDHCP = true;
];
}; };
} }


@ -0,0 +1,3 @@
import ../../disko/luks-btrfs.nix {
device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
}


@ -1,16 +1,7 @@
{ ... }:
{ {
# Include the results of the hardware scan. imports = [
imports = [ ./generated.nix ]; ./generated.nix # Include the results of the hardware scan.
./manual.nix
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
]; ];


@ -1,36 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, modulesPath, ... }:
{ {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot = { boot.kernelModules = [ "kvm-intel" ];
initrd = { boot.extraModulePackages = [ ];
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ]; boot.initrd = {
extraModulePackages = [ ]; availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0"; device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "ext4"; fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
"/persistent" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=persistent" "compress=zstd" ];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/.swapvol" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=swap" "noatime" ];
}; };
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/499C-4EBD"; device = "/dev/disk/by-uuid/94EE-CA0D";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
}; };
swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }]; swapDevices = [{ device = "/.swapvol/swapfile"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@ -40,6 +60,6 @@
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }
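Review bot: The new `/boot` entry mounts the ESP with `fmask=0022`/`dmask=0022`, so every kernel, initrd and GRUB file on the unencrypted partition is readable by any local user; the LUKS root does not cover them, and if `boot.initrd.secrets` is ever added its material would be appended to that initrd as well. Since this file is regenerated by nixos-generate-config, put the override in manual.nix rather than editing here: `fileSystems."/boot".options = lib.mkForce [ "fmask=0077" "dmask=0077" ];`. The `neededForBoot = true` on `/persistent` is load-bearing — `age.identityPaths` in imp.nix reads the host keys from `/persistent/system` — so that dependency should be recorded in imp.nix where it will survive regeneration.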


@ -0,0 +1,22 @@
{ ... }:
{
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
];
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
fileSystems."/home/jan" = {
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
fsType = "ext4";
options = [
"defaults"
"X-mount.subdir=home/jan"
"X-mount.mkdir"
];
};
}
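Review bot: `fileSystems."/home/jan"` mounts the user's home from the ext4 partition `e6c0cbba-7000-…`, the same UUID the previous generated.nix used for `/`, which lies outside the new LUKS container; the operating system is now encrypted while the user data presumably being protected stays in cleartext. If this is a migration step, say so at the mount: `# TEMP: home still on the old unencrypted ext4 root; move it into /persistent and drop this mount`. If it is intended, the same comment should spell out the trade-off so nobody assumes the laptop is fully encrypted. The `hid_asus` initrd module comment would be clearer about why it is needed at this stage, presumably `# load the laptop keyboard driver in initrd so the LUKS passphrase can be typed` — confirm that is the reason.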


@ -1,4 +1,4 @@
{ hostsPath, usersPath, ... }: { hostsPath, usersPath, lib, ... }:
let let
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix"); asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");