diff --git a/hosts/rusty/configuration.nix b/hosts/rusty/configuration.nix
index b4d5262..5bf3c8d 100644
--- a/hosts/rusty/configuration.nix
+++ b/hosts/rusty/configuration.nix
@@ -5,46 +5,41 @@
 }: {
 imports = [
 ../../configuration.nix
+ ../../home/worm/configuration.nix
+ inputs.disko.nixosModules.disko
+ ./disks.nix
+ ./hardware-configuration.nix
 ];
+ users.users."guz" = {
+ openssh.authorizedKeys.keyFiles = [
+ ../../.ssh/guz-figther.pub ];
+ };
+
 # Network
 networking = {
 hostName = lib.mkForce "rusty";
 #wireless.enable = lib.mkForce true;
 };
- disko.devices.disk.main = {
- device = "/dev/sda"; # This will be overwritten by disko-install
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "500M";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot/efi";
- mountOptions = ["dmask=0022" "fmask=0022" "nofail"];
- };
- };
- root = {
- size = "100%";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- };
- };
- };
- };
- };
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "via"
+ ];
- boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
- boot.loader.grub = {
- efiSupport = true;
- efiInstallAsRemovable = true;
- device = "nodev";
+ # Laptop features
+ services.logind.lidSwitch = "suspend";
+ services.logind.lidSwitchExternalPower = "lock";
+
+ boot.supportedFilesystems = {
+ btrfs = true;
 };
+ boot.kernelParams = ["resume_offset=533760"];
+ boot.resumeDevice = "/dev/disk/by-label/nixos";
+
+ # HACK: Acer Aspire is a Bitch
+ boot.loader.systemd-boot.enable = lib.mkForce true;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
diff --git a/hosts/rusty/disks.nix b/hosts/rusty/disks.nix
new file mode 100644
index 0000000..c387d01
--- /dev/null
+++ b/hosts/rusty/disks.nix
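Review bot: The new `imports` list pulls in `./disks.nix` and `./hardware-configuration.nix` but not the `./impermanence.nix` added in the same commit, so unless that file is imported from the flake's host definition, neither the initrd rollback service nor the `boot.initrd.systemd.enable = true` it sets is active on this host; adding `./impermanence.nix` here, or a comment naming where it is imported, would make that explicit. `services.logind.lidSwitch = "suspend"` on battery suspends without locking while `lidSwitchExternalPower = "lock"` only locks, so whether the session is locked when the laptop wakes from a battery suspend depends on a lock-on-sleep hook that this hunk does not configure; if no such hook exists elsewhere, a comment such as `# session lock on resume is handled by <x>` or a before-sleep lock hook keeps the two paths consistent. `resume_offset=533760` is the physical offset of the swapfile declared in disks.nix and silently stops matching if that file is ever recreated, so it deserves a comment like `# from: btrfs inspect-internal map-swapfile -r /swap/swapfile; regenerate if the swapfile is recreated`. The key file name `guz-figther.pub` reads like a typo for `fighter`; harmless as long as the file exists under that name, since a missing path would fail evaluation.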
@@ -0,0 +1,71 @@
+{
+ disko.devices = {
+ disk.main = {
+ device = "/dev/sda"; # This will be overwritten by disko-install
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "boot";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = ["defaults"];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ extraOpenArgs = [
+ "--allow-discards"
+ "--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"
+ ];
+ settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
+ content = {
+ type = "btrfs";
+ extraArgs = ["-L" "nixos" "-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["subvol=root" "compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["subvol=home" "compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = ["subvol=log" "compress=zstd" "noatime"];
+ };
+ "/swap" = {
+ mountpoint = "/swap";
+ swap.swapfile.size = "4G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/var/log".neededForBoot = true;
+}
diff --git a/hosts/rusty/hardware-configuration.nix b/hosts/rusty/hardware-configuration.nix
new file mode 100644
index 0000000..61ccb89
--- /dev/null
+++ b/hosts/rusty/hardware-configuration.nix
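Review bot: `settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];}` is only honoured by the systemd-based initrd (`boot.initrd.systemd.enable`), which this commit turns on in impermanence.nix rather than here, so on a host that does not import that file the FIDO2 unlock path is silently skipped and the volume falls back to a passphrase prompt; setting `boot.initrd.systemd.enable = true;` next to this LUKS definition, or an assertion on it, removes the hidden coupling. The rollback service in impermanence.nix restores `/root` from a `root-blank` subvolume that this layout never creates, so a freshly formatted disk has nothing to roll back to; a `postCreateHook` on the btrfs content that snapshots the empty `root` subvolume makes the install reproducible (proposal below). `--allow-discards` passes TRIM through the LUKS mapping, which lets anyone with the raw disk see which blocks are unused (filesystem layout and fill level) — an accepted trade-off for SSD lifetime, but it should be recorded as `# TRIM through LUKS leaks the block-usage pattern; accepted for SSD wear`. The ESP is mounted at `/boot` with `mountOptions = ["defaults"]`, which leaves kernels and initrds world-readable on the vfat mount; `"umask=0077"` is the usual hardening for an unsigned systemd-boot ESP and matches the stricter masks the old grub layout used.
```nix
content = {
  type = "btrfs";
  extraArgs = ["-L" "nixos" "-f"];
  # Pristine snapshot that the initrd rollback service restores on every boot.
  postCreateHook = ''
    MNTPOINT=$(mktemp -d)
    mount -o subvol=/ /dev/mapper/cryptroot "$MNTPOINT"
    trap 'umount "$MNTPOINT"; rmdir "$MNTPOINT"' EXIT
    btrfs subvolume snapshot -r "$MNTPOINT/root" "$MNTPOINT/root-blank"
  '';
  # … unchanged: subvolumes …
};
```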
@@ -0,0 +1,22 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/rusty/impermanence.nix b/hosts/rusty/impermanence.nix
new file mode 100644
index 0000000..e10bd5d
--- /dev/null
+++ b/hosts/rusty/impermanence.nix
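Review bot: `boot.kernelModules = ["kvm-intel"]` and `hardware.cpu.amd.updateMicrocode` disagree about the CPU vendor; `nixos-generate-config` normally emits a matching pair, so one of the two looks hand-edited despite the "do not modify" header. If the CPU is Intel, the AMD option is a no-op and the machine boots without the microcode updates that carry Spectre/MDS-class mitigations, so it should read `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` (or the KVM module should be `kvm-amd` if the CPU really is AMD), verified with `dmesg | grep microcode` after a rebuild. Since the file claims to be generated, a short comment recording the correction helps the next `nixos-generate-config` run not silently undo it.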
@@ -0,0 +1,73 @@
+{
+ config,
+ inputs,
+ ...
+}: {
+ imports = [
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ environment.persistence."/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ "/etc/NetworkManager/system-connections"
+ "/etc/secureboot"
+ "/var/db/sudo"
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ {
+ directory = "/var/lib/colord";
+ user = "colord";
+ group = "colord";
+ mode = "u=rwx,g=rx,o=";
+ }
+ ];
+ files = [
+ "/etc/machine-id"
+ {
+ file = "/var/keys/secret_file";
+ parentDirectory = {mode = "u=rwx,g=,o=";};
+ }
+ ];
+ };
+
+ boot.initrd.systemd = {
+ enable = true;
+ services.roolback = {
+ description = "Roolback BTRFS root subvolume to a pristine state";
+ wantedBy = ["initrd.target"];
+
+ after = ["systemd-cryptsetup@cryptroot.service"];
+
+ before = ["sysroot.mount"];
+
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ mkdir -p /mnt
+
+ # Mount BTRFS root to manipulate it's volumes
+ mount -o subvol=/ /dev/mapper/cryptroot /mnt
+
+ btrfs subvolume list -o /mnt/root |
+ cut -f9 -d' ' |
+ while read subvolume; do
+ echo "deleting /$subvolume subvolume..."
+ btrfs subvolume delete "/mnt/$subvolume"
+ done &&
+ echo "deleting /root subvolume..." &&
+ btrfs subvolume delete /mnt/root
+
+ echo "restoring blank /root subvolume..."
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ umount /mnt
+ '';
+ };
+ };
+}
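Review bot: `btrfs subvolume snapshot /mnt/root-blank /mnt/root` depends on a `root-blank` subvolume that disks.nix never declares, so on a freshly formatted disk the script deletes `/root` and then fails to restore it, leaving `sysroot.mount` with nothing to mount; guard it before anything is deleted with `[ -e /mnt/root-blank ] || { echo "no root-blank snapshot, skipping rollback"; umount /mnt; exit 0; }` and create the snapshot at install time. The delete-then-snapshot sequence is also not crash-safe: if the service is interrupted between `btrfs subvolume delete /mnt/root` and the snapshot, the system is unbootable until repaired by hand, so moving the old root aside first (`mv /mnt/root /mnt/root-old`), snapshotting, and only then deleting `root-old` is the safer order. Persisting `/var/lib/systemd/coredump` carries process memory dumps — which can contain credentials and key material — across the wipe the rest of this file exists to perform; if that is intentional for debugging a comment should say so, otherwise drop the entry. Minor: `services.roolback` / `"Roolback BTRFS ..."` read as typos of `rollback`, and `it's volumes` should be `its volumes`.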