From b1a2be5480af27f6589eea92165bb8f2aa190526 Mon Sep 17 00:00:00 2001 From: Tristan Druyen Date: Mon, 18 Sep 2023 15:55:29 +0200 Subject: [PATCH] Add disko & move hardware stuff to hardware.nix Signed-off-by: Tristan Druyen --- configuration.nix | 13 ----- disko.nix | 123 ++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 3 ++ hardware.nix | 28 +++++++++-- home.nix | 3 +- 5 files changed, 151 insertions(+), 19 deletions(-) create mode 100644 disko.nix diff --git a/configuration.nix b/configuration.nix index 561615b..a1230be 100644 --- a/configuration.nix +++ b/configuration.nix @@ -14,19 +14,6 @@ ''; }; - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # Setup keyfile - boot.initrd.secrets = { - "/crypto_keyfile.bin" = null; - }; - - # Enable swap on luks - boot.initrd.luks.devices."luks-fa1e760a-71a3-4a79-a791-684cd82d9c3c".device = "/dev/disk/by-uuid/fa1e760a-71a3-4a79-a791-684cd82d9c3c"; - boot.initrd.luks.devices."luks-fa1e760a-71a3-4a79-a791-684cd82d9c3c".keyFile = "/crypto_keyfile.bin"; - fonts.fonts = with pkgs; [ noto-fonts noto-fonts-cjk diff --git a/disko.nix b/disko.nix new file mode 100644 index 0000000..51f9312 --- /dev/null +++ b/disko.nix 
@@ -0,0 +1,123 @@
+{
+ disko.devices = {
+ disk = {
+ cryptroot_0 = {
+ type = "disk";
+ device = "/dev/disk/by-path/pci-0000:02:00.0-nvme-1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "fake_EFI";
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ end = "-256G";
+ content = {
+ type = "luks";
+ name = "crypted_0";
+ extraOpenArgs = ["--allow-discards"];
+ passwordFile = "/tmp/secret.key";
+ additionalKeyFiles = [];
+ # content is empty here as the btrfs partition will be created via extraArgs of the cryptroot_1 partition def
+ };
+ };
+ luksSwap = {
+ end = "-192G";
+ content = {
+ type = "luks";
+ name = "crypted_swap_0";
+ extraOpenArgs = ["--allow-discards"];
+ passwordFile = "/tmp/secret.key";
+ additionalKeyFiles = [];
+ content = {
+ type = "swap";
+ };
+ };
+ };
+ };
+ };
+ };
+ cryptroot_1 = {
+ type = "disk";
+ device = "/dev/disk/by-path/pci-0000:04:00.0-nvme-1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "real_EFI";
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ end = "-256G";
+ content = {
+ type = "luks";
+ name = "crypted_1";
+ extraOpenArgs = ["--allow-discards"];
+ passwordFile = "/tmp/secret.key";
+ additionalKeyFiles = [];
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-L btrfs_vault"
+ "-f"
+ "-m raid1"
+ "-d raid1"
+ "/dev/mapper/crypted_0"
+ ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ };
+ };
+ };
+ };
+ luksSwap = {
+ end = "-192G";
+ content = {
+ type = "luks";
+ name = "crypted_swap_1";
+
extraOpenArgs = ["--allow-discards"]; + passwordFile = "/tmp/secret.key"; + additionalKeyFiles = []; + content = { + type = "swap"; + resumeDevice = true; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/flake.nix b/flake.nix index 4a7d934..36b3fe4 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,9 @@ formatter = { x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra; }; + diskoConfigurations = { + nixos-pulse = import ./disko.nix; + }; nixosConfigurations = let customPkgs = import nixpkgs { system = "x86_64-linux"; diff --git a/hardware.nix b/hardware.nix index 43f1eb3..ce44bbc 100644 --- a/hardware.nix +++ b/hardware.nix @@ -10,11 +10,31 @@ ]; boot = { + # Bootloader. + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + # Setup keyfile + secrets = { + "/crypto_keyfile.bin" = null; + }; + + # modules availableKernelModules = ["xhci_pci" "uas" "sd_mod"]; kernelModules = []; - luks.devices."luks-0ebc7402-5f50-4549-a407-b1f859285102".device = "/dev/disk/by-uuid/0ebc7402-5f50-4549-a407-b1f859285102"; + # Enable swap on luks + luks = { + # Root + devices."luks-0ebc7402-5f50-4549-a407-b1f859285102".device = "/dev/disk/by-uuid/0ebc7402-5f50-4549-a407-b1f859285102"; + + # Swap + devices."luks-fa1e760a-71a3-4a79-a791-684cd82d9c3c".device = "/dev/disk/by-uuid/fa1e760a-71a3-4a79-a791-684cd82d9c3c"; + devices."luks-fa1e760a-71a3-4a79-a791-684cd82d9c3c".keyFile = "/crypto_keyfile.bin"; + }; }; kernelModules = ["kvm-amd" "amdgpu"]; @@ -45,9 +65,9 @@ useDHCP = false; ipv4.addresses = [ { - address = "192.168.0.21"; - prefixLength = 24; - } + address = "192.168.0.21"; + prefixLength = 24; + } ]; }; }; diff --git a/home.nix b/home.nix index 0ea6804..6fe3f17 100644 --- a/home.nix +++ b/home.nix 
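Review bot: `passwordFile = "/tmp/secret.key"` is used for all four LUKS containers in disko.nix (`crypted_0`, `crypted_1` and both swap containers), and nothing in the file says how that file is meant to be created or cleaned up. `/tmp` is a shared location and cryptsetup treats a trailing newline in a key file as part of the passphrase, so I would add a comment above the first use, for example `# read by disko when it formats/opens the devices: create /tmp/secret.key as root with mode 0600 and no trailing newline, delete it afterwards`. Separately, `extraOpenArgs = ["--allow-discards"]` passes TRIM through dm-crypt, which lets anyone who can read the raw device see which blocks are unused; if that trade-off is intended for the NVMe drives, a one-line comment saying so would help the next reader.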
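Review bot: The moved `secrets = { "/crypto_keyfile.bin" = null; };` entry in the first hardware.nix hunk keeps a LUKS key file inside the initrd while `systemd-boot.enable = true` loads that initrd from `/boot`, which disko.nix in this same patch defines as a plain vfat ESP. As far as I can tell this leaves the swap container's key readable by anyone with access to the disk, so the swap contents (including any hibernation image) would not be protected at rest. I would drop the `keyFile = "/crypto_keyfile.bin";` line and the `secrets` entry so swap is unlocked by passphrase like the root device, and then retire the old key slot with `cryptsetup luksRemoveKey`. The `luks-<uuid>` device names are also still the pre-disko ones and presumably will not exist once the disko.nix layout is applied. The `boot` attribute set starts and ends outside the hunk.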
@@ -67,13 +67,12 @@ user = "root"; identityFile = "~/.ssh/id_v81_ed25519"; }; - "desk-arch" = { + "desk-arch" = { host = "desk-arch"; hostname = "tristan-desk-arch"; user = "tristand"; identityFile = "~/.ssh/id_v81_ed25519"; }; - }; };