feat(desktop)!: switch to zfs

2023-12-08 19:19:56 +01:00 · 2023-12-08 19:19:56 +01:00 · 1b22c1345f
commit 1b22c1345f
parent 4f9b3b082a
6 changed files with 219 additions and 69 deletions
--- a/hosts/nixos-desktop/default.nix
+++ b/hosts/nixos-desktop/default.nix
@ -9,6 +9,7 @@
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
+    ./disko.nix
  ];

  my = {
@ -16,6 +17,7 @@
      desktop.enable = true;
      gaming.enable = true;
      personal.enable = true;
+      impermanence.enable = true;
    };
    programs.hyprland = {
      nvidiaSupport = true;
@ -52,17 +54,8 @@

    # BOOT

-    supportedFilesystems = [ "btrfs" "ntfs" ];
-    loader = {
-      grub = {
-        enable = true;
-        device = "nodev";
-        efiSupport = true;
-        useOSProber = true;
-      };
-      efi.canTouchEfiVariables = true;
-    };
-
+    supportedFilesystems = [ "zfs" "btrfs" "ntfs" ];
+    loader.systemd-boot.enable = true;
    kernelModules = [ "lm92" "drivetemp" ];
  };

--- a/hosts/nixos-desktop/disko.nix
+++ b/hosts/nixos-desktop/disko.nix
@ -0,0 +1,119 @@
+{ pkgs, ... }:
+
+{
+  # needed for zfs pool
+  networking.hostId = "1f8b8073";
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNX0J351943M";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            encryptedSwap = {
+              size = "8G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          compression = "zstd";
+          "com.sun:auto-snapshot" = "false";
+          "acltype" = "posixacl"; # NOTE: needed for systemd https://github.com/NixOS/nixpkgs/issues/16954
+        };
+        mountpoint = null;
+
+        datasets = {
+          encrypted = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+            };
+            # use this to read the key during boot
+            postCreateHook = ''
+              zfs set keylocation="prompt" "zroot/$name";
+            '';
+          };
+          "encrypted/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
+          };
+          "encrypted/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+          };
+          "encrypted/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            options."com.sun:auto-snapshot" = "true";
+          };
+        };
+      };
+    };
+  };
+  # rollback to blank
+  boot.initrd.systemd.services.rollback = {
+    description = "Rollback ZFS datasets to a pristine state";
+    wantedBy = [
+      "initrd.target"
+    ];
+    after = [
+      "zfs-import-zroot.service"
+    ];
+    before = [
+      "sysroot.mount"
+    ];
+    path = with pkgs; [
+      zfs
+    ];
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      zfs rollback -r zroot/encrypted/root@blank && echo "rollback complete"
+    '';
+  };
+  fileSystems."/persist".neededForBoot = true;
+  # HACK: to fix issue of agenix running before impermanence
+  age.identityPaths = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_rsa_key"
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/persist/etc/ssh/ssh_host_rsa_key"
+  ];
+  services.zfs = {
+    autoScrub.enable = true;
+    trim.enable = true;
+    autoSnapshot.enable = true;
+  };
+}
--- a/hosts/nixos-desktop/hardware-configuration.nix
+++ b/hosts/nixos-desktop/hardware-configuration.nix
@ -16,44 +16,6 @@
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
-      fsType = "btrfs";
-      options = [ "subvol=root" "compress=zstd" ];
-    };
-
-    "/home" = {
-      device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
-      fsType = "btrfs";
-      options = [ "subvol=home" "compress=zstd" ];
-    };
-
-    "/nix" = {
-      device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
-      fsType = "btrfs";
-      options = [ "subvol=nix" "compress=zstd" ];
-    };
-
-    "/var/log" = {
-      device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
-      fsType = "btrfs";
-      options = [ "subvol=log" "compress=zstd" ];
-      neededForBoot = true;
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/297B-C04C";
-      fsType = "vfat";
-    };
-
-    "/media/games" = {
-      device = "/dev/disk/by-uuid/8f92ff36-a685-4a67-a3d4-55136dc5f286";
-      fsType = "ext4";
-    };
-  };
-
-  swapDevices = [{ device = "/dev/disk/by-uuid/00ad6f74-f23e-4ac0-abfb-89bdfe5ab8ae"; }];

  hardware.cpu.amd.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;