From 1b22c1345fae128616e4293f2d389475494d650e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Fri, 8 Dec 2023 19:19:56 +0100
Subject: [PATCH] feat(desktop)!: switch to zfs
---
 hosts/nixos-desktop/default.nix | 15 +--
 hosts/nixos-desktop/disko.nix | 119 ++++++++++++++++++
 .../nixos-desktop/hardware-configuration.nix | 38 ------
 hosts/nixos-laptop/default.nix | 19 +--
 modules/profiles/impermanence.nix | 95 ++++++++++++++
 modules/programs/hyprland/default.nix | 2 -
 6 files changed, 219 insertions(+), 69 deletions(-)
 create mode 100644 hosts/nixos-desktop/disko.nix
 create mode 100644 modules/profiles/impermanence.nix
diff --git a/hosts/nixos-desktop/default.nix b/hosts/nixos-desktop/default.nix
index 2edef3d..1d29c32 100644
--- a/hosts/nixos-desktop/default.nix
+++ b/hosts/nixos-desktop/default.nix
@@ -9,6 +9,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./disko.nix ]; my = {
@@ -16,6 +17,7 @@
 desktop.enable = true;
 gaming.enable = true;
 personal.enable = true;
+ impermanence.enable = true;
 };
 programs.hyprland = {
 nvidiaSupport = true;
@@ -52,17 +54,8 @@ # BOOT - supportedFilesystems = [ "btrfs" "ntfs" ]; - loader = { - grub = { - enable = true; - device = "nodev"; - efiSupport = true; - useOSProber = true; - }; - efi.canTouchEfiVariables = true; - }; - + supportedFilesystems = [ "zfs" "btrfs" "ntfs" ]; + loader.systemd-boot.enable = true; kernelModules = [ "lm92" "drivetemp" ]; };
diff --git a/hosts/nixos-desktop/disko.nix b/hosts/nixos-desktop/disko.nix
new file mode 100644
index 0000000..96d8b60
--- /dev/null
+++ b/hosts/nixos-desktop/disko.nix
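Review bot: The third hunk swaps the GRUB block for `loader.systemd-boot.enable = true;` but also removes `efi.canTouchEfiVariables = true;`, and that option defaults to false, so the systemd-boot installer copies the loader onto the ESP disko now creates without registering or refreshing a firmware boot entry, leaving boot to the firmware's fallback path or to a stale NVRAM entry for the old `297B-C04C` partition. Unless a shared module sets it, add `loader.efi.canTouchEfiVariables = true;` beside the systemd-boot line. Dropping `useOSProber` is expected with systemd-boot, but the `"/media/games"` ext4 mount deleted from hardware-configuration.nix in this patch is re-declared neither here nor in disko.nix while `gaming.enable = true` remains, so that disk stops being mounted unless it has been retired. The `boot = { … }` set these lines belong to presumably opens before the hunk.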
@@ -0,0 +1,119 @@
+{ pkgs, ... }:
+
+{
+ # needed for zfs pool
+ networking.hostId = "1f8b8073";
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNX0J351943M";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ encryptedSwap = {
+ size = "8G";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ compression = "zstd";
+ "com.sun:auto-snapshot" = "false";
+ "acltype" = "posixacl"; # NOTE: needed for systemd https://github.com/NixOS/nixpkgs/issues/16954
+ };
+ mountpoint = null;
+
+ datasets = {
+ encrypted = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ };
+ # use this to read the key during boot
+ postCreateHook = ''
+ zfs set keylocation="prompt" "zroot/$name";
+ '';
+ };
+ "encrypted/root" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/";
+ postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
+ };
+ "encrypted/nix" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/nix";
+ };
+ "encrypted/persist" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/persist";
+ options."com.sun:auto-snapshot" = "true";
+ };
+ };
+ };
+ };
+ };
+ # rollback to blank
+ boot.initrd.systemd.services.rollback = {
+ description = "Rollback ZFS datasets to a pristine state";
+ wantedBy = [
+ "initrd.target"
+ ];
+ after = [
+ "zfs-import-zroot.service"
+ ];
+ before = [
+ "sysroot.mount"
+ ];
+ path = with pkgs; [
+ zfs
+ ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ zfs rollback -r zroot/encrypted/root@blank && 
echo "rollback complete"
+ '';
+ };
+ fileSystems."/persist".neededForBoot = true;
+ # HACK: to fix issue of agenix running before impermanence
+ age.identityPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/persist/etc/ssh/ssh_host_ed25519_key"
+ "/persist/etc/ssh/ssh_host_rsa_key"
+ ];
+ services.zfs = {
+ autoScrub.enable = true;
+ trim.enable = true;
+ autoSnapshot.enable = true;
+ };
+}
diff --git a/hosts/nixos-desktop/hardware-configuration.nix b/hosts/nixos-desktop/hardware-configuration.nix
index 75c7ac5..ce0041c 100644
--- a/hosts/nixos-desktop/hardware-configuration.nix
+++ b/hosts/nixos-desktop/hardware-configuration.nix
@@ -16,44 +16,6 @@ kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=root" "compress=zstd" ]; - }; - - "/home" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=home" "compress=zstd" ]; - }; - - "/nix" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=nix" "compress=zstd" ]; - }; - - "/var/log" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=log" "compress=zstd" ]; - neededForBoot = true; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/297B-C04C"; - fsType = "vfat"; - }; - - "/media/games" = { - device = "/dev/disk/by-uuid/8f92ff36-a685-4a67-a3d4-55136dc5f286"; - fsType = "ext4"; - }; - }; - - swapDevices = [{ device = "/dev/disk/by-uuid/00ad6f74-f23e-4ac0-abfb-89bdfe5ab8ae"; }]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/hosts/nixos-laptop/default.nix b/hosts/nixos-laptop/default.nix
index 2709bcf..953f8cb 100644
--- a/hosts/nixos-laptop/default.nix
+++ b/hosts/nixos-laptop/default.nix
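Review bot: `boot.initrd.systemd.services.rollback`, near the end of the hunk, only takes effect when the systemd-based initrd is enabled, and neither this file nor the desktop `default.nix` hunks in this patch set `boot.initrd.systemd.enable = true`; with the default scripted initrd the unit is ignored without any error, `encrypted/root` is never rolled back to `@blank`, and state not listed in the impermanence module quietly survives reboots. If a shared module does not already set it, add `boot.initrd.systemd.enable = true;` next to the service and mention the dependency in the `# rollback to blank` comment. The `age.identityPaths` workaround is what lets agenix find the host keys under `/persist` before impermanence binds `/etc/ssh`; `modules/profiles/impermanence.nix` relies on this ordering but does not declare it, so the HACK comment should state that every host enabling the profile needs the same list. In `rootFsOptions`, `acltype = "posixacl"` is commonly paired with `xattr = "sa"` so ACLs are stored in the dnode rather than in hidden xattr directories.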
@@ -3,14 +3,12 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { pkgs , inputs -, lib , ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./disko.nix - ./impermanence.nix ]; my = {
@@ -20,25 +18,10 @@ desktop.enable = true; personal.enable = true; webis.enable = true; + impermanence.enable = true; }; }; - environment.systemPackages = [ - ( - pkgs.writeShellApplication { - name = "zfs-diff"; - runtimeInputs = with pkgs; [ zfs coreutils parallel tree ]; - text = '' - zfs diff -F zroot/encrypted/root@blank | awk '$2 == "F" && system("test -e /persist/"$3) != 0 { print $3 }' 2>/dev/null | tree --fromfile . "$@" - ''; - } - ) - ]; - - home-manager.users.moritz.home.packages = with pkgs; [ - # jetbrains.idea-ultimate - ]; - - # BOOT boot = { supportedFilesystems = [ "zfs" ];
diff --git a/modules/profiles/impermanence.nix b/modules/profiles/impermanence.nix
new file mode 100644
index 0000000..89bfacd
--- /dev/null
+++ b/modules/profiles/impermanence.nix
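Review bot: The first hunk removes `./impermanence.nix` from `imports`, yet the diffstat lists no change to `hosts/nixos-laptop/impermanence.nix`, so that file appears to remain in the tree as an unreferenced copy of what now lives in `modules/profiles/impermanence.nix`; if it was not deleted in a separate commit, remove it so the two do not drift, since the secrets, persisted paths and `mutableUsers = false` are now meant to come from the shared profile only. The second hunk moves the `zfs-diff` helper into that module unchanged, so the remarks on the helper belong there. Both hunks cut through the module's top-level attribute set, which opens and closes outside them.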
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.my.profiles.impermanence;
+in
+{
+ options.my.profiles.impermanence.enable = mkEnableOption "impermanence";
+
+ config = mkIf cfg.enable {
+ age.secrets = {
+ root-password.file = ../../secrets/root-password.age;
+ moritz-password.file = ../../secrets/moritz-password.age;
+ };
+ users.users = {
+ root.hashedPasswordFile = config.age.secrets.root-password.path;
+ moritz.hashedPasswordFile = config.age.secrets.moritz-password.path;
+ };
+ users.mutableUsers = false;
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/var/db/dhcpcd/"
+ "/var/lib/NetworkManager/"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ users.moritz = {
+ directories = [
+ ".SynologyDrive/data"
+ ".SynologyDrive/log"
+ ".cache/keepassxc"
+ ".cache/nvim/luac"
+ ".config/Nextcloud"
+ ".config/keepassxc"
+ ".local/share/direnv"
+ ".local/share/nvim"
+ ".local/share/zoxide"
+ ".local/share/JetBrains"
+ ".config/JetBrains"
+ ".local/state/nvim"
+ ".config/kdeconnect"
+ ".cat_installer" # eduroam
+ ".mozilla"
+ "Documents"
+ "Downloads"
+ "Music"
+ "Pictures"
+ "Videos"
+ { directory = ".gnupg"; mode = "0700"; }
+ { directory = ".local/share/keyrings"; mode = "0700"; }
+ { directory = ".ssh"; mode = "0700"; }
+ ];
+ files = [
+ ".local/share/fish/fish_history"
+ ".local/share/nix/trusted-settings.json"
+ ".parallel/will-cite"
+ ];
+ };
+ users.root = {
+ home = "/root";
+ directories = [
+ { directory = ".gnupg"; mode = "0700"; }
+ { directory = ".ssh"; mode = "0700"; }
+ ];
+ files = [
+ ".local/share/nix/trusted-settings.json"
+ ];
+ };
+ };
+
+ environment.systemPackages = [
+ (
+ pkgs.writeShellApplication {
+ 
name = "zfs-diff";
+ runtimeInputs = with pkgs; [ zfs coreutils parallel tree ];
+ text = ''
+ zfs diff -F zroot/encrypted/root@blank | awk '$2 == "F" && system("test -e /persist/"$3) != 0 { print $3 }' 2>/dev/null | tree --fromfile . "$@"
+ '';
+ }
+ )
+ ];
+ };
+}
diff --git a/modules/programs/hyprland/default.nix b/modules/programs/hyprland/default.nix
index 3a323e4..9deeb57 100644
--- a/modules/programs/hyprland/default.nix
+++ b/modules/programs/hyprland/default.nix
@@ -60,14 +60,12 @@ in programs.hyprland = { enable = true; - enableNvidiaPatches = cfg.nvidiaSupport; }; home-manager.users.moritz = { # enable home-manager module wayland.windowManager.hyprland = { enable = true; - enableNvidiaPatches = cfg.nvidiaSupport; extraConfig = import ./_config.nix args; systemd.extraCommands = [ "systemctl --user stop hyprland-session.target"
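Review bot: In the `zfs-diff` script at the end of the hunk, `awk`'s `system("test -e /persist/"$3)` interpolates each path printed by `zfs diff` into a command string that `sh -c` parses, so a file name containing whitespace or shell metacharacters either breaks the existence check or is interpreted as shell syntax, and `zfs diff` escapes only non-printable bytes. Since `/tmp` and the rest of `/` live on `encrypted/root`, those names are chosen by whatever writes there, while the script runs with the privileges `zfs diff` requires, so the filter should not route them through a shell at all. Reading the `-H` tab-separated output with `read -r` and testing the quoted path, as below, keeps the same selection (regular-file `F` entries absent from `/persist`); `parallel` in `runtimeInputs` is unused and `2>/dev/null` on the awk stage hides exactly these failures, so both can go.
```nix
runtimeInputs = with pkgs; [ zfs coreutils tree ];
text = ''
  zfs diff -FH zroot/encrypted/root@blank \
    | while IFS=$'\t' read -r _ ftype path; do
        if [ "$ftype" = F ] && [ ! -e "/persist/$path" ]; then
          printf '%s\n' "$path"
        fi
      done \
    | tree --fromfile . "$@"
'';
```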