host/asus: use disk to create btrfs luks encrypted #17
13 changed files with 244 additions and 46 deletions
4
Makefile
4
Makefile
|
@ -32,7 +32,7 @@ help:
|
||||||
define machine_rule
|
define machine_rule
|
||||||
.PHONY: $(1)
|
.PHONY: $(1)
|
||||||
$(1): ;
|
$(1): ;
|
||||||
systemctl --user reset-failed
|
# systemctl --user reset-failed
|
||||||
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
|
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
|
||||||
|
|
||||||
.PHONY: rollback
|
.PHONY: rollback
|
||||||
rollback:
|
rollback:
|
||||||
sudo nixos-rebuild --rollback
|
sudo nixos-rebuild switch --rollback
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Editor
|
# Editor
|
||||||
|
|
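Review bot: In the `machine_rule` recipe the line `# systemctl --user reset-failed` is a disabled command with no record of why it was disabled, and because it is still a tab-indented recipe line GNU make hands it to the shell (and, unless the recipe is silenced, echoes it) on every run instead of treating it as a make comment. Either delete the line, since git keeps the history, or move the reason into a real make comment above the recipe, e.g. `# reset-failed is skipped here because <reason>`, and drop the command line. The `rollback` fix to `sudo nixos-rebuild switch --rollback` in the second hunk looks correct.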
63
disko/luks-btrfs.nix
Normal file
63
disko/luks-btrfs.nix
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
|
||||||
|
{
|
||||||
|
disko = {
|
||||||
|
inherit memSize;
|
||||||
|
|
||||||
|
devices = {
|
||||||
|
disk = {
|
||||||
|
main = {
|
||||||
|
type = "disk";
|
||||||
|
inherit device;
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
ESP = {
|
||||||
|
size = "512M";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
mountOptions = [ "defaults" ];
|
||||||
|
};
|
||||||
|
priority = 1;
|
||||||
|
};
|
||||||
|
cryptoroot = {
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "luks";
|
||||||
|
name = "luksroot";
|
||||||
|
settings.allowDiscards = true;
|
||||||
|
passwordFile = "/tmp/secret.key";
|
||||||
|
content = {
|
||||||
|
type = "btrfs";
|
||||||
|
extraArgs = [ "-f" ];
|
||||||
|
subvolumes = {
|
||||||
|
root = {
|
||||||
|
mountpoint = "/";
|
||||||
|
mountOptions = [ "compress=zstd" ];
|
||||||
|
};
|
||||||
|
persistent = {
|
||||||
|
mountpoint = "/persistent";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
};
|
||||||
|
nix = {
|
||||||
|
mountpoint = "/nix";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
};
|
||||||
|
swap = {
|
||||||
|
mountpoint = "/.swapvol";
|
||||||
|
mountOptions = [ "noatime" ];
|
||||||
|
swap.swapfile.size = swapSize;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
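Review bot: `passwordFile = "/tmp/secret.key"` under `cryptoroot.content` stages the LUKS passphrase in a shared, world-writable directory, so any other account or process on the installer host can read it, or pre-create the path, while the disk is being provisioned. Prefer a root-only directory (mode 0700, ideally on tmpfs) and delete the file once `disko` has run; since this module is shared, exposing it as an argument such as `passwordFile ? "/tmp/secret.key"` lets each host pick its own staging path without changing the default. `settings.allowDiscards = true` is a deliberate SSD trade-off — TRIM passes through the mapping and reveals which blocks of the encrypted device are unused — and deserves a one-line comment recording that choice. Suggested comment above the `passwordFile` line: `# Passphrase staging file used only while disko formats the disk: keep it root-only and remove it afterwards.`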
37
flake.lock
37
flake.lock
|
@ -23,6 +23,26 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"disko": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1716431128,
|
||||||
|
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"firefox-addons": {
|
"firefox-addons": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
|
@ -208,6 +228,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"impermanence": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1708968331,
|
||||||
|
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "impermanence",
|
||||||
|
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "impermanence",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"lan-mouse": {
|
"lan-mouse": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -371,11 +406,13 @@
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
|
"disko": "disko",
|
||||||
"firefox-addons": "firefox-addons",
|
"firefox-addons": "firefox-addons",
|
||||||
"flake-utils": "flake-utils_2",
|
"flake-utils": "flake-utils_2",
|
||||||
"hardware": "hardware",
|
"hardware": "hardware",
|
||||||
"home-manager": "home-manager_2",
|
"home-manager": "home-manager_2",
|
||||||
"home-manager-unstable": "home-manager-unstable",
|
"home-manager-unstable": "home-manager-unstable",
|
||||||
|
"impermanence": "impermanence",
|
||||||
"lan-mouse": "lan-mouse",
|
"lan-mouse": "lan-mouse",
|
||||||
"nil": "nil",
|
"nil": "nil",
|
||||||
"nixeovim": "nixeovim",
|
"nixeovim": "nixeovim",
|
||||||
|
|
17
flake.nix
17
flake.nix
|
@ -4,6 +4,11 @@
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
|
||||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
hardware.url = "github:NixOS/nixos-hardware/master";
|
hardware.url = "github:NixOS/nixos-hardware/master";
|
||||||
|
impermanence.url = "github:nix-community/impermanence";
|
||||||
|
disko = {
|
||||||
|
url = "github:nix-community/disko";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
|
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
|
||||||
|
|
||||||
|
@ -99,6 +104,11 @@
|
||||||
# Path to the agenix configuration file
|
# Path to the agenix configuration file
|
||||||
RULES = "./.agenix_config.nix";
|
RULES = "./.agenix_config.nix";
|
||||||
};
|
};
|
||||||
|
disk = pkgs.mkShell {
|
||||||
|
packages = [
|
||||||
|
inputs.disko.packages.${system}.disko
|
||||||
|
];
|
||||||
|
};
|
||||||
tools = pkgs.mkShell {
|
tools = pkgs.mkShell {
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
mkpasswd
|
mkpasswd
|
||||||
|
@ -131,7 +141,9 @@
|
||||||
modules =
|
modules =
|
||||||
(with inputs; [
|
(with inputs; [
|
||||||
agenix.nixosModules.default
|
agenix.nixosModules.default
|
||||||
home-manager.nixosModule
|
home-manager.nixosModules.default
|
||||||
|
disko.nixosModules.disko
|
||||||
|
impermanence.nixosModules.impermanence
|
||||||
])
|
])
|
||||||
++ [
|
++ [
|
||||||
# deployment settings
|
# deployment settings
|
||||||
|
@ -169,5 +181,8 @@
|
||||||
++ [ ./hosts/${hostname}/configuration.nix ];
|
++ [ ./hosts/${hostname}/configuration.nix ];
|
||||||
})
|
})
|
||||||
(import ./hosts inputs);
|
(import ./hosts inputs);
|
||||||
|
diskoConfigurations = {
|
||||||
|
asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,13 +1,9 @@
|
||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
# Use the systemd-boot EFI boot loader.
|
boot.loader.grub = {
|
||||||
boot.loader = {
|
enable = true;
|
||||||
systemd-boot = {
|
device = "nodev";
|
||||||
enable = true;
|
efiSupport = true;
|
||||||
configurationLimit = 10;
|
efiInstallAsRemovable = true;
|
||||||
};
|
enableCryptodisk = true;
|
||||||
|
|
||||||
efi.canTouchEfiVariables = true;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
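Review bot: With the move to `systemd-boot` the kernel and initrd live on the plain vfat ESP mounted at `/boot`, outside the LUKS volume that now holds root, so the boot chain is not covered by the disk encryption; grub's `enableCryptodisk` is removed and systemd-boot has no equivalent. That is the normal layout for this bootloader, but it is a threat-model decision worth recording next to the `boot.loader` block, e.g. `# /boot is the unencrypted ESP: kernel and initrd are outside the LUKS boundary.`. `configurationLimit = 10` is a sensible addition given the 512M ESP declared in `disko/luks-btrfs.nix`. This section's file name is not shown on the page; I assume it is the host's boot.nix.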
@ -1,8 +1,7 @@
|
||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./boot.nix
|
./boot.nix
|
||||||
|
./imp.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./wireguard
|
./wireguard
|
||||||
];
|
];
|
||||||
|
|
55
hosts/asus-gl553vd/configs/imp.nix
Normal file
55
hosts/asus-gl553vd/configs/imp.nix
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
# A setup which would clean root subvolume between boots remove automatically removed roots that
|
||||||
|
# are older than one day:
|
||||||
|
#
|
||||||
|
# Source: https://github.com/nix-community/impermanence
|
||||||
|
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||||
|
mkdir /btrfs_tmp
|
||||||
|
mount /dev/mapper/luksroot /btrfs_tmp
|
||||||
|
if [[ -e /btrfs_tmp/root ]]; then
|
||||||
|
mkdir -p /btrfs_tmp/old_roots
|
||||||
|
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
|
||||||
|
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
|
||||||
|
fi
|
||||||
|
|
||||||
|
delete_subvolume_recursively() {
|
||||||
|
IFS=$'\n'
|
||||||
|
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
|
||||||
|
delete_subvolume_recursively "/btrfs_tmp/$i"
|
||||||
|
done
|
||||||
|
btrfs subvolume delete "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
|
||||||
|
delete_subvolume_recursively "$i"
|
||||||
|
done
|
||||||
|
|
||||||
|
btrfs subvolume create /btrfs_tmp/root
|
||||||
|
umount /btrfs_tmp
|
||||||
|
rm -r /btrfs_tmp
|
||||||
|
'';
|
||||||
|
|
||||||
|
age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
|
||||||
|
"ssh_host_rsa_key"
|
||||||
|
"ssh_host_ed25519_key"
|
||||||
|
];
|
||||||
|
|
||||||
|
environment.persistence."/persistent/system" = {
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/var/lib/bluetooth"
|
||||||
|
"/var/lib/nixos"
|
||||||
|
"/var/lib/systemd/coredump"
|
||||||
|
"/etc/NetworkManager/system-connections"
|
||||||
|
];
|
||||||
|
files = [
|
||||||
|
"/etc/machine-id"
|
||||||
|
"/etc/ssh/ssh_host_rsa_key"
|
||||||
|
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key"
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
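Review bot: The `boot.initrd.postDeviceCommands` script does not check that `mount /dev/mapper/luksroot /btrfs_tmp` succeeded, so on a failed mount the remaining `mkdir`, `btrfs subvolume create`, `umount` and `rm -r /btrfs_tmp` lines run against the initrd's own tmpfs (and fail) while boot continues with the previous root subvolume untouched — the wipe is silently skipped. Guard the body on the mount result, e.g. `if mount /dev/mapper/luksroot /btrfs_tmp; then … fi`, and print a message in the failure branch so a missed wipe is visible in the stage-1 output. `cut -f 9- -d ' '` in `delete_subvolume_recursively` splits `btrfs subvolume list` output on spaces, so a subvolume path containing a space would be mis-parsed; this is inherited from the upstream snippet and fine as long as no such subvolume is created. The header comment is hard to read; suggest `# Wipe the root subvolume on every boot; previous roots are kept under old_roots for one day, then deleted.`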
@ -1,13 +1,10 @@
|
||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "laptop"; # Define your hostname.
|
hostName = "laptop"; # Define your hostname.
|
||||||
|
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
|
|
||||||
firewall.allowedTCPPortRanges = [
|
useDHCP = false;
|
||||||
{ from = 33000; to = 33999; }
|
interfaces.wlp2s0.useDHCP = true;
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
3
hosts/asus-gl553vd/disk-config.nix
Normal file
3
hosts/asus-gl553vd/disk-config.nix
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
import ../../disko/luks-btrfs.nix {
|
||||||
|
device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
|
||||||
|
}
|
|
@ -1,16 +1,7 @@
|
||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
# Include the results of the hardware scan.
|
imports = [
|
||||||
imports = [ ./generated.nix ];
|
./generated.nix # Include the results of the hardware scan.
|
||||||
|
./manual.nix
|
||||||
# Enable keyboard on the boot
|
|
||||||
boot.initrd.availableKernelModules = [ "hid_asus" ];
|
|
||||||
|
|
||||||
boot.kernelModules = [
|
|
||||||
# Enable containers
|
|
||||||
# See: https://github.com/NixOS/nixpkgs/issues/38676
|
|
||||||
"veth"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,36 +1,56 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
{ config, lib, modulesPath, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
boot = {
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
initrd = {
|
boot.extraModulePackages = [ ];
|
||||||
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
|
||||||
kernelModules = [ ];
|
|
||||||
};
|
|
||||||
|
|
||||||
kernelModules = [ "kvm-intel" ];
|
boot.initrd = {
|
||||||
extraModulePackages = [ ];
|
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||||
|
kernelModules = [ ];
|
||||||
|
luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
"/" = {
|
"/" = {
|
||||||
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
|
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||||
fsType = "ext4";
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=root" "compress=zstd" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"/persistent" = {
|
||||||
|
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=persistent" "compress=zstd" ];
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
"/nix" = {
|
||||||
|
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=nix" "compress=zstd" "noatime" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"/.swapvol" = {
|
||||||
|
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=swap" "noatime" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = "/dev/disk/by-uuid/499C-4EBD";
|
device = "/dev/disk/by-uuid/94EE-CA0D";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
|
swapDevices = [{ device = "/.swapvol/swapfile"; }];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
@ -40,6 +60,6 @@
|
||||||
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
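Review bot: The mount options in the first hunk drift from the disko layout in `disko/luks-btrfs.nix`: `/persistent` is given `[ "subvol=persistent" "compress=zstd" ]` while the disko `persistent` subvolume declares `compress=zstd noatime`, and `/boot` gets `fmask=0022 dmask=0022` where disko says `defaults`. `disko.nixosModules.disko` is now imported in flake.nix but `disk-config.nix` appears only under `diskoConfigurations`, so the filesystems, the `luks.devices."luksroot"` entry and `swapDevices` are maintained by hand here and a second time in the disko file; importing the disko config into the host would let the module derive them from one source (worth confirming the host does not already do this somewhere not shown here). The header still says the file was generated by nixos-generate-config and must not be modified, yet the `{ config, lib, modulesPath, ... }` signature, the luks line and the btrfs entries are hand-maintained, so the next regeneration would overwrite them; if the hand edits stay, mark them, e.g. `# Hand-edited after generation: keep in sync with disko/luks-btrfs.nix.`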
22
hosts/asus-gl553vd/hardware-configuration/manual.nix
Normal file
22
hosts/asus-gl553vd/hardware-configuration/manual.nix
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
{ ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
boot.kernelModules = [
|
||||||
|
# Enable containers
|
||||||
|
# See: https://github.com/NixOS/nixpkgs/issues/38676
|
||||||
|
"veth"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enable keyboard on the boot
|
||||||
|
boot.initrd.availableKernelModules = [ "hid_asus" ];
|
||||||
|
|
||||||
|
fileSystems."/home/jan" = {
|
||||||
|
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
|
||||||
|
fsType = "ext4";
|
||||||
|
options = [
|
||||||
|
"defaults"
|
||||||
|
"X-mount.subdir=home/jan"
|
||||||
|
"X-mount.mkdir"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
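Review bot: `fileSystems."/home/jan"` mounts `/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0` — the ext4 volume that the old `generated.nix` mounted as `/` — via `X-mount.subdir=home/jan`, so the user's home directory remains on an unencrypted filesystem while only `/`, `/nix`, `/persistent` and swap moved into the LUKS volume; the commit title suggests more coverage than this. If that is a deliberate migration step, say so where the mount is declared, e.g. `# Home still lives on the old unencrypted ext4 disk (former root); move it into the LUKS volume before relying on disk encryption.`, and track the follow-up. The entry is not `neededForBoot`, which is appropriate for a home directory mounted in stage 2.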
@ -1,4 +1,4 @@
|
||||||
{ hostsPath, usersPath, ... }:
|
{ hostsPath, usersPath, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");
|
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");
|
||||||
|
|