feat(hosts,rusty): new rusty configuration
This commit is contained in:
@@ -5,46 +5,41 @@
|
||||
}: {
|
||||
imports = [
|
||||
../../configuration.nix
|
||||
../../home/worm/configuration.nix
|
||||
|
||||
inputs.disko.nixosModules.disko
|
||||
./disks.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
users.users."guz" = {
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../.ssh/guz-figther.pub
|
||||
];
|
||||
};
|
||||
|
||||
# Network
|
||||
networking = {
|
||||
hostName = lib.mkForce "rusty";
|
||||
#wireless.enable = lib.mkForce true;
|
||||
};
|
||||
|
||||
disko.devices.disk.main = {
|
||||
device = "/dev/sda"; # This will be overwritten by disko-install
|
||||
type = "disk";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
size = "500M";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot/efi";
|
||||
mountOptions = ["dmask=0022" "fmask=0022" "nofail"];
|
||||
};
|
||||
};
|
||||
root = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||
builtins.elem (lib.getName pkg) [
|
||||
"via"
|
||||
];
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
|
||||
boot.loader.grub = {
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
device = "nodev";
|
||||
# Laptop features
|
||||
services.logind.lidSwitch = "suspend";
|
||||
services.logind.lidSwitchExternalPower = "lock";
|
||||
|
||||
boot.supportedFilesystems = {
|
||||
btrfs = true;
|
||||
};
|
||||
boot.kernelParams = ["resume_offset=533760"];
|
||||
boot.resumeDevice = "/dev/disk/by-label/nixos";
|
||||
|
||||
# HACK: Acer Aspire is a Bitch
|
||||
boot.loader.systemd-boot.enable = lib.mkForce true;
|
||||
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
|
||||
}
|
||||
|
||||
71
hosts/rusty/disks.nix
Normal file
71
hosts/rusty/disks.nix
Normal file
@@ -0,0 +1,71 @@
|
||||
{
|
||||
disko.devices = {
|
||||
disk.main = {
|
||||
device = "/dev/sda"; # This will be overwritten by disko-install
|
||||
type = "disk";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
label = "boot";
|
||||
size = "512M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = ["defaults"];
|
||||
};
|
||||
};
|
||||
luks = {
|
||||
size = "100%";
|
||||
label = "luks";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "cryptroot";
|
||||
extraOpenArgs = [
|
||||
"--allow-discards"
|
||||
"--perf-no_read_workqueue"
|
||||
"--perf-no_write_workqueue"
|
||||
];
|
||||
settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = ["-L" "nixos" "-f"];
|
||||
subvolumes = {
|
||||
"/root" = {
|
||||
mountpoint = "/";
|
||||
mountOptions = ["subvol=root" "compress=zstd" "noatime"];
|
||||
};
|
||||
"/home" = {
|
||||
mountpoint = "/home";
|
||||
mountOptions = ["subvol=home" "compress=zstd" "noatime"];
|
||||
};
|
||||
"/nix" = {
|
||||
mountpoint = "/nix";
|
||||
mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
|
||||
};
|
||||
"/persist" = {
|
||||
mountpoint = "/persist";
|
||||
mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
|
||||
};
|
||||
"/log" = {
|
||||
mountpoint = "/var/log";
|
||||
mountOptions = ["subvol=log" "compress=zstd" "noatime"];
|
||||
};
|
||||
"/swap" = {
|
||||
mountpoint = "/swap";
|
||||
swap.swapfile.size = "4G";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/persist".neededForBoot = true;
|
||||
fileSystems."/var/log".neededForBoot = true;
|
||||
}
|
||||
22
hosts/rusty/hardware-configuration.nix
Normal file
22
hosts/rusty/hardware-configuration.nix
Normal file
@@ -0,0 +1,22 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod"];
|
||||
boot.initrd.kernelModules = [];
|
||||
boot.kernelModules = ["kvm-intel"];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
73
hosts/rusty/impermanence.nix
Normal file
73
hosts/rusty/impermanence.nix
Normal file
@@ -0,0 +1,73 @@
|
||||
{
|
||||
config,
|
||||
inputs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
inputs.impermanence.nixosModules.impermanence
|
||||
];
|
||||
|
||||
environment.persistence."/persist" = {
|
||||
enable = true;
|
||||
hideMounts = true;
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
"/etc/NetworkManager/system-connections"
|
||||
"/etc/secureboot"
|
||||
"/var/db/sudo"
|
||||
"/var/log"
|
||||
"/var/lib/bluetooth"
|
||||
"/var/lib/nixos"
|
||||
"/var/lib/systemd/coredump"
|
||||
{
|
||||
directory = "/var/lib/colord";
|
||||
user = "colord";
|
||||
group = "colord";
|
||||
mode = "u=rwx,g=rx,o=";
|
||||
}
|
||||
];
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
{
|
||||
file = "/var/keys/secret_file";
|
||||
parentDirectory = {mode = "u=rwx,g=,o=";};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
boot.initrd.systemd = {
|
||||
enable = true;
|
||||
services.roolback = {
|
||||
description = "Roolback BTRFS root subvolume to a pristine state";
|
||||
wantedBy = ["initrd.target"];
|
||||
|
||||
after = ["systemd-cryptsetup@cryptroot.service"];
|
||||
|
||||
before = ["sysroot.mount"];
|
||||
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
script = ''
|
||||
mkdir -p /mnt
|
||||
|
||||
# Mount BTRFS root to manipulate it's volumes
|
||||
mount -o subvol=/ /dev/mapper/cryptroot /mnt
|
||||
|
||||
btrfs subvolume list -o /mnt/root |
|
||||
cut -f9 -d' ' |
|
||||
while read subvolume; do
|
||||
echo "deleting /$subvolume subvolume..."
|
||||
btrfs subvolume delete "/mnt/$subvolume"
|
||||
done &&
|
||||
echo "deleting /root subvolume..." &&
|
||||
btrfs subvolume delete /mnt/root
|
||||
|
||||
echo "restoring blank /root subvolume..."
|
||||
btrfs subvolume snapshot /mnt/root-blank /mnt/root
|
||||
|
||||
umount /mnt
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user