diff --git a/nodes/hosts/nixy/configuration.nix b/nodes/hosts/nixy/configuration.nix
new file mode 100644
index 0000000..84698a0
--- /dev/null
+++ b/nodes/hosts/nixy/configuration.nix
@@ -0,0 +1,21 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./impermanence.nix
+ ./programs/streamcontroller.nix
+ ./system/bootloader.nix
+ ./system/environment.nix
+ ./system/filesystems.nix
+ ./system/networking.nix
+ ];
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
+
diff --git a/nodes/hosts/nixy/disk-config.nix b/nodes/hosts/nixy/disk-config.nix
new file mode 100644
index 0000000..0772bf1
--- /dev/null
+++ b/nodes/hosts/nixy/disk-config.nix
@@ -0,0 +1,119 @@
+{
+ disko.devices = {
+ disk = {
+ nvme1n1 = {
+ type = "disk";
+ device = "/dev/nvme1n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "boot";
+ name = "ESP";
+ size = "4500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ # disable settings.keyFile if you want to use interactive password entry
+ #passwordFile = "/tmp/secret.key"; # Interactive
+ settings = {
+ allowDiscards = true;
+ #keyFile = "/tmp/secret.key";
+ };
+
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ luks = {
+ size = "100%";
+ label = "lukshome";
+ content = {
+ type = "luks";
+ name = "crypthome";
+ settings = {
+ allowDiscards = true;
+ #keyFile = "/tmp/secret.key";
+ };
+
+ content = {
+ type = "btrfs";
+ extraArgs = ["-L" "home" "-f"];
+ subvolumes = {
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["subvol=home" "compress=zstd" "noatime"];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ fileSystems."/nix/persist".neededForBoot = true;
+ fileSystems."/var/log".neededForBoot = true;
+ fileSystems."/home".neededForBoot = true;
+}
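Review bot: `fileSystems."/nix/persist".neededForBoot = true;` near the end of the hunk names a mount that this file never defines; the persist subvolume is mounted at `/persist` (`mountpoint = "/persist"` above), so the flag either trips the missing-device assertion or silently applies to nothing and the persist data is not guaranteed to be mounted before stage 2 needs it. Change it to `fileSystems."/persist".neededForBoot = true;` and keep whatever consumes that path (impermanence) on the same mountpoint. Separately, both disks are addressed as `/dev/nvme0n1` and `/dev/nvme1n1`; NVMe enumeration order is not stable across boots or hardware changes, and disko will wipe whatever currently holds that name, so `/dev/disk/by-id/nvme-...` paths are the safer `device` values. With `passwordFile`/`keyFile` commented out, `cryptroot` and `crypthome` will each be unlocked interactively, so expect two passphrase prompts at boot unless a key file or second keyslot is added later. `allowDiscards = true` on both containers is a deliberate TRIM-versus-information-leak trade-off (free-space pattern becomes visible on the raw device); it is reasonable for a workstation but deserves a one-line comment such as `# TRIM leaks free-space layout through LUKS; accepted for SSD longevity`.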
diff --git a/nodes/hosts/nixy/hardware-configuration.nix b/nodes/hosts/nixy/hardware-configuration.nix
new file mode 100644
index 0000000..eadc2f7
--- /dev/null
+++ b/nodes/hosts/nixy/hardware-configuration.nix
@@ -0,0 +1,21 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nodes/hosts/nixy/impermanence.nix b/nodes/hosts/nixy/impermanence.nix
new file mode 100644
index 0000000..6dedd07
--- /dev/null
+++ b/nodes/hosts/nixy/impermanence.nix
@@ -0,0 +1,40 @@
+{lib, ...}: {
+ # Reset root subvolume on boot
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-partlabel/luks /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
+ # Use /persist as the persistence root, matching Disko's mountpoint
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc" # System configuration (Keep this here for persistence via bind-mount)
+ "/var/spool" # Mail queues, cron jobs
+ "/srv" # Web server data, etc.
+ "/root"
+ ];
+ files = [
+ ];
+ };
+}
diff --git a/nodes/hosts/nixy/node.nix b/nodes/hosts/nixy/node.nix
new file mode 100644
index 0000000..0bc182d
--- /dev/null
+++ b/nodes/hosts/nixy/node.nix
@@ -0,0 +1,4 @@
+{
+ os = "nixos";
+ channel = "stable";
+}
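Review bot: `mount /dev/disk/by-partlabel/luks /btrfs_tmp` targets the raw LUKS partition (disko labels the encrypted partition `luks`), not the opened container, so the btrfs mount fails and the root-subvolume reset then silently never runs — nothing in the script checks a return code, and the inline comment already marks the line as unconfirmed. The opened mapper device is named `cryptroot` in disk-config.nix, so this should be `mount /dev/mapper/cryptroot /btrfs_tmp` with the failure made visible, e.g. `mount /dev/mapper/cryptroot /btrfs_tmp || echo "impermanence: root reset skipped, mount failed"`, because a quietly persistent root defeats the ephemeral-root design. In the same file, `environment.persistence."/nix/persist"` contradicts the comment directly above it ("matching Disko's mountpoint", which is `/persist`), so the bind-mount sources would live on the `/nix` subvolume rather than the persist subvolume; use `environment.persistence."/persist"`. Note also that `boot.initrd.postResumeCommands` is only honoured by the scripted initrd; if `boot.initrd.systemd.enable` is set in the `./system/bootloader.nix` this diff does not show, the reset would need to be an initrd systemd service instead. Persisting `/etc` wholesale rather than specific entries (machine-id, ssh host keys) is a known rough edge with impermanence, since NixOS activation manages `/etc` itself; worth confirming this actually survives a rebuild before relying on it.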