diff --git a/flake.lock b/flake.lock
index ded4727..c5a5e39 100644
--- a/flake.lock
+++ b/flake.lock
@@ -278,11 +278,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1719594307,
- "narHash": "sha256-n2fZDRl/X5rlx0fer7MMKAevtqflDKDsqKvHYuI9iR8=",
+ "lastModified": 1719601133,
+ "narHash": "sha256-2+e92LyX1fFj3mIZft+K8OzR9NT/1xtheO8hO/3DyRc=",
 "ref": "refs/heads/master",
- "rev": "97a12374b7ab681794f8cc7b1bee0414136cbf51",
- "revCount": 131,
+ "rev": "278ccbbd646e86cab5fd38d43d9134270d8123d0",
+ "revCount": 141,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -384,11 +384,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1719592641,
- "narHash": "sha256-xgz6AcTVH1i8G3LPSitKNOQflfYU7wMTfAcUrO5FG+Y=",
+ "lastModified": 1719596768,
+ "narHash": "sha256-quSWztqqMxvSJIKddYp1D0GdR7Kg8JjEVCIzMbtBTQ4=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "ee1f0944028ebd11098d45c8e13658cffcac3550",
+ "rev": "35e48702118124ec52a071e300f55c78a4b7b338",
 "type": "github"
 },
 "original": {
diff --git a/hosts/common/disks/btrfs-impermanence.nix b/hosts/common/disks/btrfs/impermanence.nix
similarity index 100%
rename from hosts/common/disks/btrfs-impermanence.nix
rename to hosts/common/disks/btrfs/impermanence.nix
diff --git a/hosts/common/disks/btrfs-persist.nix b/hosts/common/disks/btrfs/persist.nix
similarity index 100%
rename from hosts/common/disks/btrfs-persist.nix
rename to hosts/common/disks/btrfs/persist.nix
diff --git a/hosts/common/disks/btrfs/standard.nix b/hosts/common/disks/btrfs/standard.nix
new file mode 100644
index 0000000..5346d6d
--- /dev/null
+++ b/hosts/common/disks/btrfs/standard.nix
@@ -0,0 +1,21 @@
+{
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+
+ "/nix" = {
+ mountOptions = [ "subvol=nix" "noatime" ];
+ mountpoint = "/nix";
+ };
+
+ "/swap" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8192M";
+ };
+ };
+}
diff --git a/hosts/common/disks/default.nix b/hosts/common/disks/default.nix
index 22a05c9..45c392d 100644
--- a/hosts/common/disks/default.nix
+++ b/hosts/common/disks/default.nix
@@ -1,11 +1,11 @@
-{ device, fsType, encrypted, ... }:
+{ device, fsType, encrypted, impermanence, ... }:
 let
- # basic and perists configs. basic fs = ext4, persist fs = btrfs either encrypted or under lvm
- basic = import ./gpt-bios-compact.nix { inherit device; };
- btrfs-persist-lvm = import ./btrfs-lvm.nix { inherit device; };
- btrfs-persist-luks = import ./btrfs-luks.nix { inherit device; };
+ fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
+ basic = import ./${fsType}/basic.nix { inherit device; };
+ lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
+ luks = import ./luks.nix { inherit device; fsModule = fsModule; };
 in
 if fsType == "ext4" then basic
-else if fsType == "btrfs" && encrypted then btrfs-persist-luks
-else if fsType == "btrfs" then btrfs-persist-lvm
-else null # or some default value
+else if fsType == "btrfs" && encrypted then luks
+else if fsType == "btrfs" then lvm
+else null
diff --git a/hosts/common/disks/gpt-bios-compact.nix b/hosts/common/disks/ext4/basic.nix
similarity index 100%
rename from hosts/common/disks/gpt-bios-compact.nix
rename to hosts/common/disks/ext4/basic.nix
diff --git a/hosts/common/disks/btrfs-luks.nix b/hosts/common/disks/luks.nix
similarity index 84%
rename from hosts/common/disks/btrfs-luks.nix
rename to hosts/common/disks/luks.nix
index cd0031b..22528a1 100644
--- a/hosts/common/disks/btrfs-luks.nix
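Review bot: The swap file size `swap.swapfile.size = "8192M"` and the `/.swapvol` mountpoint are fixed inside a file that luks.nix and lvm.nix pull in as a plain attribute set (`import "${fsModule}"`), so no host can size its swap differently without editing this shared layout; if per-host sizing is wanted, this file has to become a function and the importers have to forward its arguments. A header comment would help the next reader choose between this file and persist.nix, e.g. `# btrfs layout without impermanence (root, nix, swap subvolumes); chosen by disks/default.nix when impermanence = false.` The `"subvol=nix"` entry under `/nix` appears to duplicate what disko derives from the subvolume name, and `/root` carries no such entry — worth checking against the pinned disko before keeping one and not the other.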
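Review bot: `impermanence` is now a required argument of this function and nothing ties it to `fsType`, so a host with `fsType = "ext4"` and `impermanence = true` silently gets `basic` with the flag ignored, while `scripts/bootstrap.sh` in this same commit asks the operator separately and stages the host keys under `/persist` on that answer alone. Two lines make the contract explicit: `{ device, fsType, encrypted, impermanence ? false, ... }:` and, before the `let`, `assert impermanence -> fsType == "btrfs";`. Note also that `./${fsType}/basic.nix` and `./${fsType}/standard.nix` each exist for only one fsType in this commit (ext4/basic.nix and btrfs/standard.nix are the only ones shown); it is the laziness of `let` that keeps the other combination from ever being evaluated, which deserves a one-line comment such as `# basic/lvm/luks are lazy: only the branch selected below is ever imported`.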
+++ b/hosts/common/disks/luks.nix
@@ -1,4 +1,7 @@
-{device ? throw "Must define a devices, e.g. /dev/sda"}:
+{
+device ? throw "Must define a device, e.g. /dev/sda",
+fsModule ? "Must specify submodule"
+}:
 {
 disko.devices = {
 disk = {
@@ -26,7 +29,7 @@
 type = "luks";
 name = "crypted";
 passwordFile = "/tmp/luks_secret.key"; # Interactive
- content = (import ./btrfs-persist.nix);
+ content = (import "${fsModule}");
 };
 };
 };
diff --git a/hosts/common/disks/btrfs-lvm.nix b/hosts/common/disks/lvm.nix
similarity index 86%
rename from hosts/common/disks/btrfs-lvm.nix
rename to hosts/common/disks/lvm.nix
index 2837ab9..1f6add9 100644
--- a/hosts/common/disks/btrfs-lvm.nix
+++ b/hosts/common/disks/lvm.nix
@@ -1,4 +1,7 @@
-{device ? throw "Must define a device, e.g. /dev/sda"}:
+{
+device ? throw "Must define a device, e.g. /dev/sda",
+fsModule ? "Must specify submodule"
+}:
 {
 disko.devices = {
 disk.main = {
@@ -36,7 +39,7 @@
 lvs = {
 root = {
 size = "100%FREE";
- content = (import ./btrfs-persist.nix);
+ content = (import "${fsModule}");
 };
 };
 };
diff --git a/hosts/common/optional/persistence.nix b/hosts/common/optional/persistence.nix
index d8dfd17..1678ad6 100644
--- a/hosts/common/optional/persistence.nix
+++ b/hosts/common/optional/persistence.nix
@@ -1,8 +1,6 @@
-{enable}:
 {
 fileSystems."/persist".neededForBoot = true;
 environment.persistence."/persist" = {
- inherit enable;
 hideMounts = true;
 directories = [
 "/etc/nixos"
diff --git a/hosts/nebula/default.nix b/hosts/nebula/default.nix
index 6fdab58..9d341d1 100644
--- a/hosts/nebula/default.nix
+++ b/hosts/nebula/default.nix
@@ -4,6 +4,7 @@ let
 fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
 dev = "/dev/sda"; # depends on target hardware
 encrypted = false; # currrently only applies to btrfs
+ impermanence = false; # currrently only applies to btrfs
 btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
 user = "admin";
 in
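Review bot: The new `fsModule ? "Must specify submodule"` default is a plain string rather than a `throw`, so a caller that omits the argument does not fail here with that message but later at `content = (import "${fsModule}");` in the second hunk, with a path-coercion error on the literal text; lvm.nix carries the same pair of lines in this commit. `fsModule ? throw "Must specify submodule",` gives the intended failure and matches the `device` default directly above it. Separately, interpolating a path value into a string before importing it copies that single file into the store on its own, so any relative `import` inside persist.nix or standard.nix would no longer resolve; `content = import fsModule;` imports the path directly and avoids the copy. The attribute set these hunks belong to starts and ends outside the hunks.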
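Review bot: Dropping the `{enable}:` argument turns this file from a function into a plain module, which is an interface change for whoever imported it with an `enable` argument; no caller is visible in this diff, so please confirm none remains, since a stale `import ./persistence.nix { enable = …; }` would now fail because the result is a set, not a function. With `inherit enable;` gone, `fileSystems."/persist".neededForBoot = true` and the persistence block apply unconditionally wherever this module is listed, so the on/off decision has moved entirely to each host's imports; a header comment making that explicit, e.g. `# No enable switch: only import this module on hosts built with impermanence = true.`, would keep the coupling to hosts/*/default.nix visible.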
@@ -15,7 +16,7 @@ in
 
 # Disk configuration
 inputs.disko.nixosModules.disko
- (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
+ (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
 
 # Import core options
 ./hardware-configuration.nix
diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix
index ac93180..c57891c 100644
--- a/hosts/semita/default.nix
+++ b/hosts/semita/default.nix
@@ -6,6 +6,7 @@ let
 encrypted = true; # currrently only applies to btrfs
 btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
 user = "sam";
+ impermanence = true;
 in
 {
 imports =
@@ -15,10 +16,10 @@ in
 
 # Disk configuration
 inputs.disko.nixosModules.disko
- (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
+ (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
 
 # Impermanence
- (import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
+ (import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
 
 # Import core options
 ./hardware-configuration.nix
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index 0766dda..60b45c0 100644
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -5,6 +5,7 @@ let
 dev = "/dev/sda"; # depends on target hardware
 encrypted = false; # currrently only applies to btrfs
 btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
+ impermanence = true;
 in
 {
 imports =
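Review bot: The call `(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })` repeats each name as `x = x;`; Nix's `inherit` is shorter and harder to mistype: `(import ../common/disks { device = dev; inherit fsType encrypted impermanence; })`. The same line is added in hosts/semita/default.nix and hosts/sparky/default.nix in this commit. In semita and sparky the new `impermanence = true;` line also lacks the `# currrently only applies to btrfs` note that nebula's copy carries, and in semita it is placed after `user` rather than next to `fsType`/`encrypted`, so the three hosts' `let` blocks are no longer laid out alike.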
@@ -14,10 +15,10 @@ in
 
 # Disk configuration
 inputs.disko.nixosModules.disko
- (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
+ (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
 
 # Impermanence
- (import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
+ (import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
 
 # Import core options
 ./hardware-configuration.nix
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 8ed71c0..20de731 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -17,6 +17,8 @@ read -p "Enter hostname of target: " hostname
 read -p "Enter IP of target: " ip
 read -p "Enter config to install on target: " config
 read -p "Enter username (if none, use 'root'): " username
+read -p "Using impermanence? (yes|no): " impermanence
+[ "$impermanence" = "yes" ] && persist="/persist"
 
 # Delete key in known hosts if exists
 sed -i "/$ip/d" ~/.ssh/known_hosts
@@ -36,11 +38,11 @@ cleanup() {
 trap cleanup EXIT
 
 # Create the directory for target host keys
-install -d -m755 "$temp/persist/etc/ssh"
+install -d -m755 "$temp$persist/etc/ssh"
 
 # Create ssh keys
 echo "Creating '$hostname' ssh keys"
-ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
+ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
 
 # Extract luks key from secrets
 luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml")
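Review bot: `persist` is only assigned when the answer is exactly `yes`, so otherwise it keeps whatever value the caller's environment already holds for that name (or stays unset), and any other spelling such as `y` or `Yes` silently selects the non-impermanence path; since the later hunks derive the host's age key from the key written under `$temp$persist/etc/ssh` and then update .sops.yaml with it, a wrong answer on an impermanence host would leave its host key on the ephemeral root and the installed system unable to decrypt its secrets. Initialise and validate before the branch: `persist=""` ahead of the prompt, and `case "$impermanence" in yes) persist="/persist" ;; no) ;; *) echo "Answer yes or no" >&2; exit 1 ;; esac` in place of the `[ … ] &&` line. The flag is already declared in the target's `hosts/<name>/default.nix` (`impermanence = …`), so reading it from the flake instead of prompting would remove the chance of the two disagreeing.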
@@ -48,7 +50,7 @@ echo "$luks_secret" > /tmp/luks_secret.key
 
 # Generate age key from target host and user public ssh key
 echo "Generating age key from target host and user ssh key"
-HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
+HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
 echo -e "Host age key:\n$HOST_AGE_KEY\n"
 
 # Update .sops.yaml with new age key:
@@ -67,7 +69,7 @@ sed -i "{
 just update-sops-secrets && just update-flake-secrets && just update-flake
 
 # Copy current nix config over to target
-cp -prv . "$temp/persist/etc/nixos"
+cp -prv . "$temp$persist/etc/nixos"
 
 # Install Nixos to target
 SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"