feat(hosts,rusty): new rusty configuration

Guz
2026-02-18 11:10:08 -03:00
parent 6f77b9e19e
commit 352e776b1e
4 changed files with 192 additions and 31 deletions


@@ -5,46 +5,41 @@
}: {
imports = [
../../configuration.nix
../../home/worm/configuration.nix
inputs.disko.nixosModules.disko
./disks.nix
./hardware-configuration.nix
];
users.users."guz" = {
openssh.authorizedKeys.keyFiles = [
../../.ssh/guz-figther.pub
];
};
# Network
networking = {
hostName = lib.mkForce "rusty";
#wireless.enable = lib.mkForce true;
};
disko.devices.disk.main = {
device = "/dev/sda"; # This will be overwritten by disko-install
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = ["dmask=0022" "fmask=0022" "nofail"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"via"
];
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
# Laptop features
services.logind.lidSwitch = "suspend";
services.logind.lidSwitchExternalPower = "lock";
boot.supportedFilesystems = {
btrfs = true;
};
boot.kernelParams = ["resume_offset=533760"];
boot.resumeDevice = "/dev/disk/by-label/nixos";
# HACK: Acer Aspire is a Bitch
boot.loader.systemd-boot.enable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}
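Review bot: `boot.kernelParams = ["resume_offset=533760"]` (L72) pins the physical offset of the swapfile that disks.nix creates under `/swap`, a value specific to the file disko produced on this install; a re-format or a recreated swapfile makes resume-from-hibernation silently fall back to a cold boot, so record its provenance: `# physical offset of /swap/swapfile on the LUKS-backed btrfs; re-derive after any reinstall with: btrfs inspect-internal map-swapfile -r /swap/swapfile`. The `# HACK: Acer Aspire is a Bitch` comment (L74) gives the next maintainer no reason for forcing `canTouchEfiVariables` off together with systemd-boot; presumably the firmware does not honour EFI boot entries and the loader relies on the removable-media fallback path, which is what the comment should say. Note also that `lidSwitch = "suspend"` (L67) keeps the LUKS volume key in RAM while the lid is closed on battery, unlike the hibernation path configured below it — a reasonable laptop trade-off, but one worth stating next to the option. Old and new sides are not recoverable from this rendering, so this assumes L66–L76 are the added lines; the enclosing module attribute set opens before the hunk.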

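--- a/hosts/rusty/disks.nix
+++ b/hosts/rusty/disks.nix
@@ -0,0 +1,71 @@
+{
+disko.devices = {
+disk.main = {
+device = "/dev/sda"; # This will be overwritten by disko-install
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+label = "boot";
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = ["defaults"];
+};
+};
+luks = {
+size = "100%";
+label = "luks";
+content = {
+type = "luks";
+name = "cryptroot";
+extraOpenArgs = [
+"--allow-discards"
+"--perf-no_read_workqueue"
+"--perf-no_write_workqueue"
+];
+settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
+content = {
+type = "btrfs";
+extraArgs = ["-L" "nixos" "-f"];
+subvolumes = {
+"/root" = {
+mountpoint = "/";
+mountOptions = ["subvol=root" "compress=zstd" "noatime"];
+};
+"/home" = {
+mountpoint = "/home";
+mountOptions = ["subvol=home" "compress=zstd" "noatime"];
+};
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
+};
+"/persist" = {
+mountpoint = "/persist";
+mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
+};
+"/log" = {
+mountpoint = "/var/log";
+mountOptions = ["subvol=log" "compress=zstd" "noatime"];
+};
+"/swap" = {
+mountpoint = "/swap";
+swap.swapfile.size = "4G";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+fileSystems."/persist".neededForBoot = true;
+fileSystems."/var/log".neededForBoot = true;
+}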
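Review bot: The ESP at L99–L100 is mounted at `/boot` with `mountOptions = ["defaults"]`, which on vfat leaves every kernel and initrd image — and anything placed there via `boot.initrd.secrets` — readable by all local users; recent NixOS systemd-boot modules warn about exactly this, I believe. Restrict it to root with `mountOptions = ["umask=0077"];` (equivalently `fmask=0077 dmask=0077`), since file permissions are the only access control the unencrypted partition gets. `--allow-discards` (L110) passes TRIM through the LUKS mapping, so the drive learns which blocks of the plaintext filesystem are free; that is a common SSD trade-off but deserves a one-line comment so it is not removed or copied blindly. The crypttab options `fido2-device=auto` and `token-timeout=10` (L114) assume a FIDO2 token is enrolled with systemd-cryptenroll after disko formats the volume; keep a passphrase keyslot enrolled as well, otherwise a lost token means a lost disk, and say so in a comment next to `settings`.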


@@ -0,0 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
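Review bot: `hardware.cpu.amd.updateMicrocode` (L176) is paired with `boot.kernelModules = ["kvm-intel"]` (L173), so one of the two lines names the wrong vendor; if the CPU is Intel, as `kvm-intel` implies, no microcode updates — and the CPU-side mitigations they ship — are being applied at all. nixos-generate-config normally emits a matching pair, so despite the generated-file header this looks hand-edited; on an Intel machine the line should read `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`. Either way the option only does anything when `hardware.enableRedistributableFirmware` is true, which this file does not set and which should be confirmed in the shared configuration.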


@@ -0,0 +1,73 @@
{
config,
inputs,
...
}: {
imports = [
inputs.impermanence.nixosModules.impermanence
];
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
directories = [
"/etc/nixos"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
"/var/db/sudo"
"/var/log"
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
files = [
"/etc/machine-id"
{
file = "/var/keys/secret_file";
parentDirectory = {mode = "u=rwx,g=,o=";};
}
];
};
boot.initrd.systemd = {
enable = true;
services.roolback = {
description = "Roolback BTRFS root subvolume to a pristine state";
wantedBy = ["initrd.target"];
after = ["systemd-cryptsetup@cryptroot.service"];
before = ["sysroot.mount"];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# Mount BTRFS root to manipulate it's volumes
mount -o subvol=/ /dev/mapper/cryptroot /mnt
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
umount /mnt
'';
};
};
}
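Review bot: The rollback unit's last step, `btrfs subvolume snapshot /mnt/root-blank /mnt/root` (L239), depends on a `/root-blank` subvolume that nothing in this commit creates — disks.nix only defines `/root`, `/home`, `/nix`, `/persist`, `/log` and `/swap` — so the first boot would likely delete `/root` and then fail to restore it, leaving `sysroot.mount` with no `subvol=root` to mount. Create the pristine snapshot at install time, for example from a disko `postCreateHook` on the btrfs content or with a read-only `btrfs subvolume snapshot -r` of the empty root before the first boot, and name that dependency in the unit's `description`. The unit and its description are spelled `roolback`/`Roolback` (L219–L220); `rollback` would avoid a unit name that is hard to find in the journal. `cut -f9 -d' '` (L231) would truncate any nested subvolume path containing a space, so the following delete would miss it; a comment noting that the script assumes space-free subvolume names is the minimum. The `files` entry for `/var/keys/secret_file` (L212) looks like the impermanence README example rather than something this host has; if no such file exists, drop it.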