From 245bbb8de6c5a73bf6be09e48c9e6433337d8a27 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 26 May 2024 13:11:54 +0100
Subject: [PATCH] auto: bootstrapping sparky
---
 flake.lock | 32 ++++++------
 hosts/bootstrap/default.nix | 18 +++---
 hosts/common/disks/luks-btrfs-subvolumes.nix | 54 +++++++++++---------
 3 files changed, 55 insertions(+), 49 deletions(-)
diff --git a/flake.lock b/flake.lock
index f9f1551..07a7ac7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -155,11 +155,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716679503,
- "narHash": "sha256-aX8AEWHLwuiYX8OCpTnHGrQeei1Gb+AGbk1hq+RIClg=",
+ "lastModified": 1716711219,
+ "narHash": "sha256-TnZETiQPXbyT5mdCHMOyrJnx2+BwroMBRrguciz1vEo=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e4611630c3cc8ed618b48d92f6291f65be9f7913",
+ "rev": "05e6ba83eb3585ce0aff7b41e4bd0e317d05ad4a",
 "type": "github"
 },
 "original": {
@@ -228,11 +228,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716685908,
- "narHash": "sha256-lVKaygQD16Kfld/Jq6/646OIQiJh8P2/gz29gvd0P08=",
+ "lastModified": 1716725506,
+ "narHash": "sha256-RjDe7MWPgutEOFxAN7A6m7X/xJOLzBUQgHO2vvNLI6U=",
 "ref": "refs/heads/master",
- "rev": "31ea4397c72c7c0ce650ea4cadfa7924ef84074f",
- "revCount": 35,
+ "rev": "38def2b57c5d77a1eea960f5e52109304f80a6ef",
+ "revCount": 36,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -255,11 +255,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1716061101,
- "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+ "lastModified": 1716655032,
+ "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+ "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
 "type": "github"
 },
 "original": {
@@ -300,11 +300,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1716673923,
- "narHash": "sha256-2u/NXh4FBbj8myQJTd3Are+a+qvhkXeqnpT/jq6VX2s=",
+ "lastModified": 1716717390,
+ "narHash": "sha256-Hd8ky86xAFDrUqNPPx0bO/1x6WUEyWNLrdTEVShAMb8=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "1cc2e02fcaabd224348fa0dbfeb311063787a060",
+ "rev": "beb86eec7cad226d100d2841aae09fc2d4e152a8",
 "type": "github"
 },
 "original": {
@@ -360,11 +360,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1716400300,
- "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+ "lastModified": 1716692524,
+ "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
 "owner": "mic92",
 "repo": "sops-nix",
- "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+ "rev": "962797a8d7f15ed7033031731d0bb77244839960",
 "type": "github"
 },
 "original": {
diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index ee7aa32..b89cf3c 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@@ -3,13 +3,13 @@ let
 pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
-in
+in
 {
 imports =
- [
+ [
 # Disk configuration
 inputs.disko.nixosModules.disko
- (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
+ (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; })
 ../common/optional/btrfs-impermanence.nix
 inputs.impermanence.nixosModules.impermanence
 inputs.sops-nix.nixosModules.sops
@@ -42,14 +42,14 @@ in
 ];
 };
-
+
 i18n.defaultLocale = "en_GB.UTF-8";
 console = {
 font = "Lat2-Terminus16";
 keyMap = "uk";
- useXkbConfig = false;
+ useXkbConfig = false;
 };
-
+
 boot = {
 loader = {
@@ -96,7 +96,7 @@ in
 pkgs.just
 pkgs.git
 pkgs.neovim
- ];
+ ];
 services.openssh = {
 enable = true;
@@ -115,7 +115,7 @@ in
 };
 };
- programs.ssh.extraConfig = ''
+ programs.ssh.extraConfig = ''
 Host git.bitlab21.com
 IdentitiesOnly yes
 StrictHostKeyChecking no
@@ -125,7 +125,7 @@ in
 security.pam = {
 sshAgentAuth.enable = true;
 };
-
+
 networking.firewall.allowedTCPPorts = [ 22 ];
 services = {
diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix
index 9191570..650a714 100644
--- a/hosts/common/disks/luks-btrfs-subvolumes.nix
+++ b/hosts/common/disks/luks-btrfs-subvolumes.nix
@@ -1,9 +1,13 @@
+{...}:
+let
+ sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
+in
 {
 disko.devices = {
 disk = {
 vdb = {
 type = "disk";
- device = "/dev/vdb";
+ inherit device;
 content = {
 type = "gpt";
 partitions = {
@@ -28,33 +32,35 @@
 #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
 allowDiscards = true;
- keyFile = "/tmp/secret.key";
+ keyFile = "${sopsHashedPasswordFile}";
 };
- additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "/root" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/home" = {
- mountpoint = "/home";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/nix" = {
- mountpoint = "/nix";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/swap" = {
- mountpoint = "/.swapvol";
- swap.swapfile.size = "20M";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ };
+
+ "/persist" = {
+ mountOptions = [ "subvol=persist" ];
+ mountpoint = "/persist";
+ };
+
+ "/nix" = {
+ mountOptions = [ "subvol=nix" "noatime" ];
+ mountpoint = "/nix";
+ };
+
+ "/swap" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8192M";
+ };
+ };
 };
 };
 };
- };
 };
 };
 };
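Review bot: The new first line `{...}:` binds no names, so `device` (consumed by the new `inherit device;`) and `lib`, `inputs` and `config` in the `let` are all undefined variables, and evaluating this file should fail before disko ever sees it; the only caller visible here, hosts/bootstrap/default.nix, passes `{ device = "/dev/vda"; }`, which this pattern accepts and then discards. Bind the argument and return a module function so the module system can supply the rest: `{ device, ... }:` followed by `{ lib, config, inputs, ... }:` ahead of the `let`. Reaching `inputs` as a module argument presumes it is passed through specialArgs, which the `inputs.nix-secrets` use in bootstrap/default.nix suggests but this diff does not show. The attrset opened by `{` after `in` closes outside this hunk.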
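Review bot: `keyFile = "${sopsHashedPasswordFile}"` degrades to `keyFile = ""` whenever `inputs` lacks `sops-nix`, because `lib.optionalString` yields the empty string, so the fallback is an empty key-file path instead of a clear evaluation error; make the choice explicit, e.g. `keyFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/root".path else throw "sops-nix input required for the LUKS key file";`, and drop the redundant interpolation (`keyFile = sopsHashedPasswordFile;`). Check also what the secret holds: the binding is named as a hashed password file and the secret is `passwords/root`, while a LUKS `keyFile` is raw key material, so the same secret would now guard both the root account and the disk — confirm that coupling is intended. Whether that sops path exists at the moment disko formats the disk on the bootstrap host (sops-nix materialises secrets on the installed system at activation) is not shown by this diff and is worth verifying. Removing `additionalKeyFiles` leaves a single key slot; a second key held offline keeps the volume recoverable if the sops key is lost. The luks `content` attrset this hunk edits opens outside the hunk.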