From 03f109259975fb60746020974d13942f7f020827 Mon Sep 17 00:00:00 2001 From: Aly Raffauf Date: Tue, 16 Jul 2024 21:13:30 -0400 Subject: [PATCH] mauville: migrate to disko (#43) * mauville: move to disko with btrfs on /dev/nvme0n1 * mauville: add media and archive disks with btrfs * mauville: run ssh in initrd to type luks password mauville: force system.autoUpgrade.allowReboot to false mauville: bump stateVersion no public secrets, autogen initrd ssh on activation --- hosts/mauville/default.nix | 47 +++++++++++++++-- hosts/mauville/disko.nix | 94 ++++++++++++++++++++++++++++++++++ hosts/mauville/filesystems.nix | 36 ------------- 3 files changed, 138 insertions(+), 39 deletions(-) create mode 100644 hosts/mauville/disko.nix delete mode 100644 hosts/mauville/filesystems.nix diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix index 9db9cade..b03f4f95 100644 --- a/hosts/mauville/default.nix +++ b/hosts/mauville/default.nix @@ -12,7 +12,7 @@ in { imports = [ ../common - ./filesystems.nix + ./disko.nix ./home.nix self.inputs.nixhw.nixosModules.common-amd-cpu self.inputs.nixhw.nixosModules.common-amd-gpu 
@@ -48,8 +48,44 @@ in {
 syncthingKey.file = ../../secrets/syncthing/mauville/key.age;
 };
+ system.activationScripts.gen-initrd-ssh.text = ''
+ KEY_PATH="/etc/secrets/initrd/ssh_host_ed25519_key"
+
+ mkdir -p /etc/secrets/initrd
+
+ # Check if the file already exists
+ if [ -f "$KEY_PATH" ]; then
+ echo "Key already exists at $KEY_PATH. Skipping ssh-keygen."
+ else
+ # Generate the SSH key if it doesn't exist
+ ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "$KEY_PATH"
+ echo "SSH key generated at $KEY_PATH."
+ fi
+ '';
+
 boot = {
- initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod"];
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"];
+
+ network = {
+ enable = true;
+ flushBeforeStage2 = true;
+
+ ssh = {
+ enable = true;
+ port = 22;
+ authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
+ hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
+ };
+
+ udhcpc.enable = true;
+
+ postCommands = ''
+ # Automatically ask for the password on SSH login
+ echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+ '';
+ };
+ };
 loader = {
 efi.canTouchEfiVariables = true;
@@ -98,7 +134,12 @@ in {
 };
 environment.variables.GDK_SCALE = "1.25";
- system.stateVersion = "23.11";
+
+ system = {
+ autoUpgrade.allowReboot = lib.mkForce false;
+ stateVersion = "24.05";
+ };
+
 zramSwap.memoryPercent = 100;
 ar = {
diff --git a/hosts/mauville/disko.nix b/hosts/mauville/disko.nix
new file mode 100644
index 00000000..968b5745
--- /dev/null
+++ b/hosts/mauville/disko.nix
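Review bot: The line appended to `/root/.profile` in `postCommands` never prints its message on a successful unlock: `a || b && c` parses as `(a || b) && c`, so the echo runs only when `cryptsetup-askpass` fails (announcing "Unlock was successful" on failure) and `exit 1` runs either way; a clearer form is `echo 'if cryptsetup-askpass; then echo "Unlock was successful; exiting SSH session"; fi; exit' >> /root/.profile`. The initrd sshd is also set to `port = 22`, the same port the stage-2 sshd will answer on at the same address but with a different host key, so every client will be trained to click through a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning — a dedicated port such as `port = 2222;` avoids that. `hostKeys` is written as an unquoted Nix path literal where the option's documented examples use strings (`"/etc/secrets/initrd/ssh_host_ed25519_key"`); worth confirming that the path form is not evaluated in a way that copies the private key into the world-readable Nix store. Finally, because the activation script only creates the key after the bootloader and initrd have been built, the first rebuild on a fresh disko install may fail to include the key until a second run or a manual `ssh-keygen` beforehand; a comment noting that bootstrap order would help.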
@@ -0,0 +1,94 @@
+{
+ disko.devices = {
+ disk = {
+ media = {
+ type = "disk";
+ device = "/dev/sda1";
+ content = {
+ type = "gpt";
+ partitions = {
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"]; # Override existing partition
+ mountpoint = "/mnt/Media";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ };
+ };
+ };
+ };
+
+ archive = {
+ type = "disk";
+ device = "/dev/sda2";
+ content = {
+ type = "gpt";
+ partitions = {
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"]; # Override existing partition
+ mountpoint = "/mnt/Archive";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ };
+ };
+ };
+ };
+
+ vdb = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1024M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "persist" = {
+ mountpoint = "/persist";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/mauville/filesystems.nix b/hosts/mauville/filesystems.nix
deleted file mode 100644
index b98f5b3b..00000000
--- a/hosts/mauville/filesystems.nix
+++ /dev/null
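Review bot: The ESP mounted at `/boot` uses `mountOptions = ["defaults"]`, which on vfat leaves every file readable by all users; since this host enables `boot.initrd.network.ssh`, the initrd stored under `/boot` is the one the initrd-ssh module appends the SSH host private key to, so any local user could read that key. Restrict the mount with `mountOptions = ["umask=0077"];` (recent NixOS releases emit a warning for a world-accessible ESP for exactly this reason). Separately, the `media` and `archive` entries set `device` to `/dev/sda1` and `/dev/sda2` — partition nodes, not disks — yet wrap them in `type = "gpt"` content, which asks disko to write a partition table inside a partition; the deleted filesystems.nix mounted these two as plain filesystems by UUID, so the content for each should presumably be the `btrfs` filesystem directly (or the whole disk should be named) rather than a nested GPT. Given `extraArgs = ["-f"]` on every filesystem, naming disks by stable `/dev/disk/by-id/...` paths instead of `/dev/sda*` and `/dev/nvme0n1` would also reduce the chance of formatting the wrong device if enumeration order changes.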
@@ -1,36 +0,0 @@
-{
- config,
- inputs,
- lib,
- pkgs,
- ...
-}: {
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/c4217c88-3101-434b-8321-58e2ac89527c";
- fsType = "ext4";
- };
-
- "/boot" = {
- device = "/dev/disk/by-uuid/3445-B2A0";
- fsType = "vfat";
- };
-
- "/mnt/Archive" = {
- device = "/dev/disk/by-uuid/f7e9e6d6-2bf6-429a-aaf0-49b55d53fc83";
- fsType = "ext4";
- };
-
- "/mnt/Media" = {
- device = "/dev/disk/by-uuid/d988d5ca-f9d6-4d85-aa0e-8a437b3c859a";
- fsType = "ext4";
- };
- };
-
- swapDevices = [
- {
- device = "/dev/disk/by-uuid/26094ada-7ba4-4437-bacb-b3cdf6c3397b";
- priority = 1;
- }
- ];
-}