Compare commits

..

3 Commits

7 changed files with 220 additions and 70 deletions

View File

@ -9,6 +9,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./disko.nix
]; ];
my = { my = {
@ -16,6 +17,7 @@
desktop.enable = true; desktop.enable = true;
gaming.enable = true; gaming.enable = true;
personal.enable = true; personal.enable = true;
impermanence.enable = true;
}; };
programs.hyprland = { programs.hyprland = {
nvidiaSupport = true; nvidiaSupport = true;
@ -52,17 +54,8 @@
# BOOT # BOOT
supportedFilesystems = [ "btrfs" "ntfs" ]; supportedFilesystems = [ "zfs" "btrfs" "ntfs" ];
loader = { loader.systemd-boot.enable = true;
grub = {
enable = true;
device = "nodev";
efiSupport = true;
useOSProber = true;
};
efi.canTouchEfiVariables = true;
};
kernelModules = [ "lm92" "drivetemp" ]; kernelModules = [ "lm92" "drivetemp" ];
}; };

View File

@ -0,0 +1,119 @@
{ pkgs, ... }:
{
# needed for zfs pool
networking.hostId = "1f8b8073";
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNX0J351943M";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
encryptedSwap = {
size = "8G";
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions = {
compression = "zstd";
"com.sun:auto-snapshot" = "false";
"acltype" = "posixacl"; # NOTE: needed for systemd https://github.com/NixOS/nixpkgs/issues/16954
};
mountpoint = null;
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = "aes-256-gcm";
keyformat = "passphrase";
};
# use this to read the key during boot
postCreateHook = ''
zfs set keylocation="prompt" "zroot/$name";
'';
};
"encrypted/root" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/";
postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
};
"encrypted/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
};
"encrypted/persist" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/persist";
options."com.sun:auto-snapshot" = "true";
};
};
};
};
};
# rollback to blank
boot.initrd.systemd.services.rollback = {
description = "Rollback ZFS datasets to a pristine state";
wantedBy = [
"initrd.target"
];
after = [
"zfs-import-zroot.service"
];
before = [
"sysroot.mount"
];
path = with pkgs; [
zfs
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r zroot/encrypted/root@blank && echo "rollback complete"
'';
};
fileSystems."/persist".neededForBoot = true;
# HACK: to fix issue of agenix running before impermanence
age.identityPaths = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
"/persist/etc/ssh/ssh_host_ed25519_key"
"/persist/etc/ssh/ssh_host_rsa_key"
];
services.zfs = {
autoScrub.enable = true;
trim.enable = true;
autoSnapshot.enable = true;
};
}

View File

@ -16,44 +16,6 @@
kernelModules = [ "kvm-amd" ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
"/home" = {
device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" ];
};
"/nix" = {
device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" ];
};
"/var/log" = {
device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1";
fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" ];
neededForBoot = true;
};
"/boot" = {
device = "/dev/disk/by-uuid/297B-C04C";
fsType = "vfat";
};
"/media/games" = {
device = "/dev/disk/by-uuid/8f92ff36-a685-4a67-a3d4-55136dc5f286";
fsType = "ext4";
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/00ad6f74-f23e-4ac0-abfb-89bdfe5ab8ae"; }];
hardware.cpu.amd.updateMicrocode = hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware; lib.mkDefault config.hardware.enableRedistributableFirmware;

View File

@ -3,14 +3,12 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ pkgs { pkgs
, inputs , inputs
, lib
, ... , ...
}: { }: {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./disko.nix ./disko.nix
./impermanence.nix
]; ];
my = { my = {
@ -20,25 +18,10 @@
desktop.enable = true; desktop.enable = true;
personal.enable = true; personal.enable = true;
webis.enable = true; webis.enable = true;
impermanence.enable = true;
}; };
}; };
environment.systemPackages = [
(
pkgs.writeShellApplication {
name = "zfs-diff";
runtimeInputs = with pkgs; [ zfs coreutils parallel tree ];
text = ''
zfs diff -F zroot/encrypted/root@blank | awk '$2 == "F" && system("test -e /persist/"$3) != 0 { print $3 }' 2>/dev/null | tree --fromfile . "$@"
'';
}
)
];
home-manager.users.moritz.home.packages = with pkgs; [
# jetbrains.idea-ultimate
];
# BOOT # BOOT
boot = { boot = {
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];

View File

@ -12,7 +12,7 @@
type = "gpt"; type = "gpt";
partitions = { partitions = {
ESP = { ESP = {
size = "64M"; size = "512M";
type = "EF00"; type = "EF00";
content = { content = {
type = "filesystem"; type = "filesystem";

View File

@ -0,0 +1,95 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.profiles.impermanence;
in
{
options.my.profiles.impermanence.enable = mkEnableOption "impermanence";
config = mkIf cfg.enable {
age.secrets = {
root-password.file = ../../secrets/root-password.age;
moritz-password.file = ../../secrets/moritz-password.age;
};
users.users = {
root.hashedPasswordFile = config.age.secrets.root-password.path;
moritz.hashedPasswordFile = config.age.secrets.moritz-password.path;
};
users.mutableUsers = false;
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/var/db/dhcpcd/"
"/var/lib/NetworkManager/"
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/log"
];
files = [
"/etc/machine-id"
"/etc/nix/id_rsa"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
users.moritz = {
directories = [
".SynologyDrive/data"
".SynologyDrive/log"
".cache/keepassxc"
".cache/nvim/luac"
".config/Nextcloud"
".config/keepassxc"
".local/share/direnv"
".local/share/nvim"
".local/share/zoxide"
".local/share/JetBrains"
".config/JetBrains"
".local/state/nvim"
".config/kdeconnect"
".cat_installer" # eduroam
".mozilla"
"Documents"
"Downloads"
"Music"
"Pictures"
"Videos"
{ directory = ".gnupg"; mode = "0700"; }
{ directory = ".local/share/keyrings"; mode = "0700"; }
{ directory = ".ssh"; mode = "0700"; }
];
files = [
".local/share/fish/fish_history"
".local/share/nix/trusted-settings.json"
".parallel/will-cite"
];
};
users.root = {
home = "/root";
directories = [
{ directory = ".gnupg"; mode = "0700"; }
{ directory = ".ssh"; mode = "0700"; }
];
files = [
".local/share/nix/trusted-settings.json"
];
};
};
environment.systemPackages = [
(
pkgs.writeShellApplication {
name = "zfs-diff";
runtimeInputs = with pkgs; [ zfs coreutils parallel tree ];
text = ''
zfs diff -F zroot/encrypted/root@blank | awk '$2 == "F" && system("test -e /persist/"$3) != 0 { print $3 }' 2>/dev/null | tree --fromfile . "$@"
'';
}
)
];
};
}

View File

@ -60,14 +60,12 @@ in
programs.hyprland = { programs.hyprland = {
enable = true; enable = true;
enableNvidiaPatches = cfg.nvidiaSupport;
}; };
home-manager.users.moritz = { home-manager.users.moritz = {
# enable home-manager module # enable home-manager module
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = true; enable = true;
enableNvidiaPatches = cfg.nvidiaSupport;
extraConfig = import ./_config.nix args; extraConfig = import ./_config.nix args;
systemd.extraCommands = [ systemd.extraCommands = [
"systemctl --user stop hyprland-session.target" "systemctl --user stop hyprland-session.target"