Bootwip

2025-03-26 16:16:53 +01:00 · 2025-03-26 16:16:53 +01:00 · 10b8fc11fc
commit 10b8fc11fc
parent 8a765f001b
11 changed files with 64 additions and 83 deletions
--- a/flake.nix
+++ b/flake.nix
@ -188,7 +188,7 @@
        emacs-overlay.overlay
        inputs.nix-alien.overlays.default
        inputs.nix-ld-rs.overlays.default
-        agenix-rekey.overlays.default
+        # agenix-rekey.overlays.default
        devshell.overlays.default
      ];
      config = {
@ -229,8 +229,8 @@
        chaotic.nixosModules.default
        envfs.nixosModules.envfs
        stylix.nixosModules.stylix
-        agenix.nixosModules.default
-        agenix-rekey.nixosModules.default
+        # agenix.nixosModules.default
+        # agenix-rekey.nixosModules.default
      ];
      args = {
        inherit self inputs system;
--- a/secrets/rekeyed/nixos-fw16/1e80b286118d1a05182b8b59ae075c09-tristand_passwd_hash.age
+++ b/secrets/rekeyed/nixos-fw16/1e80b286118d1a05182b8b59ae075c09-tristand_passwd_hash.age
--- a/secrets/rekeyed/nixos-fw16/259fceb88a8ac9aa592e2bd7ad37050f-oeko-smb.age
+++ b/secrets/rekeyed/nixos-fw16/259fceb88a8ac9aa592e2bd7ad37050f-oeko-smb.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 nA0mnQ WtsuBNNRDJ2qBqqfKPYBjsG5J8RA1FLG22V4rcpmIAs
+b/BJpaLA/TCIMwRg0c7eO8UqIa+KPgpaOTmpVeW60k
+-> m-grease
+RCMzLSoDYLRPgxDe1bS2EOXDAD19QYDO3UI/0tzYNOGvcEMnHw
+--- WBgm8Vf3dtFoPsTbBIoS73fD824cOm5COYSz66dcvYQ
+¢˜6æ…{šÑ;æà³
+‰Ä÷³üJm‡	<<WÐ’ÑÇ§‚×É]øÎ/<2F>ú‰5YÅOò<4F>‘§¢ÝaÐ>Î÷ÒZ7ª†ó"y
--- a/secrets/rekeyed/nixos-fw16/3f7ba2027615b520a68df8c74eba9558-tester_passwd_hash.age
+++ b/secrets/rekeyed/nixos-fw16/3f7ba2027615b520a68df8c74eba9558-tester_passwd_hash.age
--- a/secrets/rekeyed/nixos-fw16/9632fb41a7c8b72726e87096a9ec145a-tester_passwd_hash.age
+++ b/secrets/rekeyed/nixos-fw16/9632fb41a7c8b72726e87096a9ec145a-tester_passwd_hash.age
--- a/secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age
+++ b/secrets/rekeyed/nixos-fw16/d4ebce9353c576be067a9832580d7899-tristand_passwd_hash.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 MqgTQA kHKU7lp3SvhVlgDk8qBbQU+nrV8O84CLtR32ZGATDw4
-1E9KyKzKwio7ltF1H36tSLWSao0TPNNlbwJAwxhw3CI
-> +&-grease
-y1YrcXJ8+mGdSTrJywOZM/E8jbHPSX9rARC6uKOHgESGkH1NWsINbEk0/1fYHi62
-6Y+k9Ig9oX7taekoNCU
--- lgK5w16T9LaMc6yoWW+h+zVNyuKuoEoeJi8p7lura1Q
-X
-¢ò&ÃbZ[IßC>ÊÔ˜ÐžWp¼²ˆŠŠ?èµ ä[˜š-]À)
HY¦(u/Ý°šÄÃ»¹É–Ý÷Þ^æ‘¨à@„9öõýxVG.¾n
£9»°‡Rr¡ŸàŽxzJf<4A>±ÛwK‡zbq÷ZÖ©ùf»FÎÓ‹ê=†½¼Œ„P
--- a/secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age
+++ b/secrets/rekeyed/nixos-fw16/d9071a3e62472d160241e0d2497a3b57-oeko-smb.age
@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 MqgTQA 7y3on/Y6P89gncEtSzn6dak659D+C0jT0Lo711yQaQ0
-bsILI8jRG8MFJ2xSowtYyNYHPbcZmS+OFBbTrn7vNgo
-> a-grease /3
-faRjVzpKpTOBeDIZVd+uK9AGzVH7LYbIH3QiTZMHE+zE21fI6yjGEQyIE2jsVhTq
-q/PxcbNtJ9fZ2JCU43lGX7DveIYT7Z84vX955I3BkIppgQ4
--- dNDrqjg89dlNEf3ZkyW0fU7OyETfVPtRAw7JcRJxQ1o
-ŠâCØ¯<11>“
DXo¤Ø‚Á?9±ÿ©u°iÉÝ”s„çrºÞ©wyB¶~umÈ¹¶3Dæ€MÓëÏÅbé2táì€j`zDñXù
--- a/systems/nixos-fw16/default.nix
+++ b/systems/nixos-fw16/default.nix
@ -10,24 +10,24 @@
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.nixos-hardware.nixosModules.common-hidpi
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
-    ../../os-mods/age
-    ../../os-mods/net_disks/oeko.nix
+    # ../../os-mods/age
+    # ../../os-mods/net_disks/oeko.nix
    ../../os-mods/amdgpu
    ../../os-mods/cachix
    ../../os-mods/common
    ../../os-mods/desktop
    ../../os-mods/desktop/audio.nix
-    ../../os-mods/desktop/gaming.nix
-    ../../os-mods/desktop/printing.nix
-    ../../os-mods/netdata/client.nix
-    ../../os-mods/network
+    # ../../os-mods/desktop/gaming.nix
+    # ../../os-mods/desktop/printing.nix
+    # ../../os-mods/netdata/client.nix
+    # ../../os-mods/network
    ../../os-mods/ryzenapu
-    ../../os-mods/virt
+    # ../../os-mods/virt
    ../../users
    ./disks.nix
  ];

-  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRFEtmoq36QmvAwv/xIVdvaf+B9Scbm5cUFFkP/c1nS root@nixos-f16";
+  # age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRFEtmoq36QmvAwv/xIVdvaf+B9Scbm5cUFFkP/c1nS root@nixos-f16";
  nix.settings.builders-use-substitutes = true;
  nix.distributedBuilds = true;
  nix.buildMachines = [ ];
@ -127,17 +127,17 @@
    };
  };

-  specialisation = {
-    linux-latest.configuration = {
-      boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-    };
-    linux-zen.configuration = {
-      boot.kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
-    };
-    linux-cachyos.configuration = {
-      boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos;
-    };
-  };
+  # specialisation = {
+  # linux-latest.configuration = {
+  #   boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+  # };
+  # linux-zen.configuration = {
+  #   boot.kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+  # };
+  # linux-cachyos.configuration = {
+  #   boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos;
+  # };
+  # };
  boot = {
    # kernelPackages = pkgs.linuxPackages_latest; # bootstrap
    # kernelPackages = pkgs.linuxPackages_zen; # bootstrap
@ -165,7 +165,8 @@
    loader = {
      timeout = 0;
      systemd-boot = {
-        enable = false; # due to lanzaboote
+        # enable = false; # due to lanzaboote
+        enable = true; # bootstrap
        configurationLimit = 12;

        memtest86.enable = true;
@ -175,7 +176,7 @@
    };

    lanzaboote = {
-      enable = true;
+      # enable = true;
      configurationLimit = 12;
      # pkiBundle = "/etc/secureboot";
      pkiBundle = "/var/lib/sbctl";
--- a/systems/nixos-fw16/disks.nix
+++ b/systems/nixos-fw16/disks.nix
@ -16,8 +16,8 @@

  config = {
    boot = {
-      supportedFilesystems = [ "bcachefs" "vfat" ];
-      initrd.supportedFilesystems = [ "bcachefs" "vfat" ];
+      supportedFilesystems = [ "btrfs" "vfat" ];
+      initrd.supportedFilesystems = [ "btrfs" "vfat" ];
      initrd.luks.devices =
        lib.attrsets.mergeAttrsList
          (
@ -38,45 +38,32 @@
          );
    };

-    fileSystems =
-      let
-        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
-        perm_opts = "uid=1001,gid=100";
-        smb_opts = [
-          "vers=3,credentials=/home/tristand/.smb-secrets"
-          perm_opts
-          automount_opts
+    fileSystems = {
+      "/" = {
+        device = "/dev/mapper/crypt_ssd_4t_data";
+        # device = "UUID=f89215ba-3313-42d3-8f68-051ad2453870";
+        fsType = "btrfs";
+        options = [
+          "rw"
+          "autodefrag"
+          "compress=zstd"
+          "discard=async"
+          "relatime"
+          "space_cache=v2"
+          "ssd"
        ];
-        sshfs_opts = [
-          "allow_other,_netdev,reconnect,ServerAliveInterval=15,IdentityFile=/var/secrets/id_ed25519"
-          perm_opts
-          automount_opts
-        ];
-      in
-      {
-        "/" = {
-          device = "/dev/mapper/crypt_ssd_4t_data";
-          # device = "UUID=f89215ba-3313-42d3-8f68-051ad2453870";
-          fsType = "bcachefs";
-          options = [ "relatime" ];
-        };
-
-        "/boot" = {
-          device = "/dev/disk/by-uuid/05A2-6A8A";
-          fsType = "vfat";
-          options = [ "fmask=0022" "dmask=0022" ];
-        };
-
-        # "/mnt/media_v2" = {
-        #  device = "root@23.88.68.113:/media_v2";
-        #  fsType = "sshfs";
-        #  options = sshfs_opts;
-        # };
      };

+      "/boot" = {
+        device = "/dev/disk/by-uuid/05A2-6A8A";
+        fsType = "vfat";
+        options = [ "fmask=0022" "dmask=0022" ];
+      };
+    };
+
    swapDevices = [
-      { device = "/dev/disk/by-uuid/a8f478f0-ad5e-47ae-8e18-63060f7e5706"; }
-      { device = "/dev/disk/by-uuid/59987b2a-c5c5-4547-95ad-f0d1dcdf8458"; }
+      # { device = "/dev/disk/by-uuid/a8f478f0-ad5e-47ae-8e18-63060f7e5706"; }
+      # { device = "/dev/disk/by-uuid/59987b2a-c5c5-4547-95ad-f0d1dcdf8458"; }
    ];

    system.fsPackages = [ pkgs.sshfs ];
--- a/users/admin-thin.nix
+++ b/users/admin-thin.nix
@ -8,9 +8,9 @@
  imports = [
    ../home-mods/audio
    ../home-mods/common
-    ../home-mods/firefox
+    ../home-mods/firefox/zen-browser.nix
    # ../home-mods/plasma
-    ../home-mods/shell
+    # ../home-mods/shell
  ];

  config.home = {
--- a/users/default.nix
+++ b/users/default.nix
@ -13,7 +13,8 @@
      extraGroups = [ "audio" "corectrl" "docker" "networkmanager" "i2c" "wheel" "libvirtd" "qemu-libvirtd" "input" ];
      shell = pkgs.fish;
      home = "/home/tester";
-      hashedPasswordFile = config.age.secrets.tester_passwd_hash.path;
+      # hashedPasswordFile = config.age.secrets.tester_passwd_hash.path;
+      initialPassword = "384249Nv";
    };
    tristand = {
      isNormalUser = true;
@ -21,7 +22,8 @@
      extraGroups = [ "audio" "corectrl" "dialout" "docker" "networkmanager" "i2c" "wheel" "libvirtd" "qemu-libvirtd" "input" ];
      shell = pkgs.fish;
      home = "/home/tristand";
-      hashedPasswordFile = config.age.secrets.tristand_passwd_hash.path;
+      # hashedPasswordFile = config.age.secrets.tristand_passwd_hash.path;
+      initialPassword = "384249Nv";
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4xz3EgIRiRb/gmnCSq17kHd4MLilf05zYOFZrwOIrA tristand@nixos-fw16"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDS/4JFRaAPoUaDiwDRbbNoaJqsBzaE+DEdaQH9OezM root@nixos-fw16"
@ -51,7 +53,7 @@
  home-manager = {
    useUserPackages = true;
    useGlobalPkgs = true;
-    users.tristand = import ./admin-fat.nix {
+    users.tristand = import ./admin-thin.nix {
      username = "tristand";

      inherit pkgs config inputs system lib;