feat: make nixos-laptop empheral

2023-09-25 18:29:29 +02:00 · 2023-09-25 18:29:29 +02:00 · f43b993869
commit f43b993869
parent 0603a18d9e
12 changed files with 355 additions and 182 deletions
--- a/hosts/nixos-laptop/disko.nix
+++ b/hosts/nixos-laptop/disko.nix
@ -0,0 +1,94 @@
+{ lib, ... }:
+
+{
+  # needed for zfs pool
+  networking.hostId = "9c85d185";
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "64M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          compression = "zstd";
+          "com.sun:auto-snapshot" = "false";
+        };
+        mountpoint = null;
+
+        datasets = {
+          encrypted = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+            };
+            # use this to read the key during boot
+            postCreateHook = ''
+              zfs set keylocation="prompt" "zroot/$name";
+            '';
+          };
+          "encrypted/root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+            postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
+          };
+          "encrypted/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+          };
+          "encrypted/persist" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/persist";
+            options."com.sun:auto-snapshot" = "true";
+          };
+        };
+      };
+    };
+  };
+  # rollback to blank
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r zroot/encrypted/root@blank
+  '';
+  fileSystems."/persist".neededForBoot = true;
+  # HACK: to fix issue of agenix running before impermanence
+  age.identityPaths = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_rsa_key"
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/persist/etc/ssh/ssh_host_rsa_key"
+  ];
+  services.zfs = {
+    autoScrub.enable = true;
+    trim.enable = true;
+    autoSnapshot.enable = true;
+  };
+}