mauville: migrate to disko (#43)

* mauville: move to disko with btrfs on /dev/nvme0n1 * mauville: add media and archive disks with btrfs * mauville: run ssh in initrd to type luks password mauville: force system.autoUpgrade.allowReboot to false mauville: bump stateVersion no public secrets, autogen initrd ssh on activation
2024-11-22 07:53:55 -05:00 · 2024-07-16 21:13:30 -04:00 · 2024-07-16 21:13:30 -04:00 · 03f1092599
parent 444fefdd8e
commit 03f1092599
3 changed files with 138 additions and 39 deletions
--- a/hosts/mauville/default.nix
+++ b/hosts/mauville/default.nix
@ -12,7 +12,7 @@
 in {
  imports = [
    ../common
-    ./filesystems.nix
+    ./disko.nix
    ./home.nix
    self.inputs.nixhw.nixosModules.common-amd-cpu
    self.inputs.nixhw.nixosModules.common-amd-gpu
@ -48,8 +48,44 @@ in {
    syncthingKey.file = ../../secrets/syncthing/mauville/key.age;
  };

+  system.activationScripts.gen-initrd-ssh.text = ''
+    KEY_PATH="/etc/secrets/initrd/ssh_host_ed25519_key"
+
+    mkdir -p /etc/secrets/initrd
+
+    # Check if the file already exists
+    if [ -f "$KEY_PATH" ]; then
+      echo "Key already exists at $KEY_PATH. Skipping ssh-keygen."
+    else
+      # Generate the SSH key if it doesn't exist
+      ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "$KEY_PATH"
+      echo "SSH key generated at $KEY_PATH."
+    fi
+  '';
+
  boot = {
-    initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod"];
+    initrd = {
+      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"];
+
+      network = {
+        enable = true;
+        flushBeforeStage2 = true;
+
+        ssh = {
+          enable = true;
+          port = 22;
+          authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
+          hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
+        };
+
+        udhcpc.enable = true;
+
+        postCommands = ''
+          # Automatically ask for the password on SSH login
+          echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+        '';
+      };
+    };

    loader = {
      efi.canTouchEfiVariables = true;
@ -98,7 +134,12 @@ in {
  };

  environment.variables.GDK_SCALE = "1.25";
-  system.stateVersion = "23.11";
+
+  system = {
+    autoUpgrade.allowReboot = lib.mkForce false;
+    stateVersion = "24.05";
+  };
+
  zramSwap.memoryPercent = 100;

  ar = {
--- a/hosts/mauville/disko.nix
+++ b/hosts/mauville/disko.nix
@ -0,0 +1,94 @@
+{
+  disko.devices = {
+    disk = {
+      media = {
+        type = "disk";
+        device = "/dev/sda1";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"]; # Override existing partition
+                mountpoint = "/mnt/Media";
+                mountOptions = ["compress=zstd" "noatime"];
+              };
+            };
+          };
+        };
+      };
+
+      archive = {
+        type = "disk";
+        device = "/dev/sda2";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"]; # Override existing partition
+                mountpoint = "/mnt/Archive";
+                mountOptions = ["compress=zstd" "noatime"];
+              };
+            };
+          };
+        };
+      };
+
+      vdb = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1024M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                content = {
+                  type = "btrfs";
+                  extraArgs = ["-f"];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "persist" = {
+                      mountpoint = "/persist";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/mauville/filesystems.nix
+++ b/hosts/mauville/filesystems.nix
@ -1,36 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}: {
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/c4217c88-3101-434b-8321-58e2ac89527c";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/3445-B2A0";
-      fsType = "vfat";
-    };
-
-    "/mnt/Archive" = {
-      device = "/dev/disk/by-uuid/f7e9e6d6-2bf6-429a-aaf0-49b55d53fc83";
-      fsType = "ext4";
-    };
-
-    "/mnt/Media" = {
-      device = "/dev/disk/by-uuid/d988d5ca-f9d6-4d85-aa0e-8a437b3c859a";
-      fsType = "ext4";
-    };
-  };
-
-  swapDevices = [
-    {
-      device = "/dev/disk/by-uuid/26094ada-7ba4-4437-bacb-b3cdf6c3397b";
-      priority = 1;
-    }
-  ];
-}