diff --git a/README.md b/README.md index 2c1880d..6d14404 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ ## Hosts - `patricknix` my main laptop +- `desktopnix` my main desktop ## Users - `patrick` my normal everyday unprivileged user @@ -70,6 +71,11 @@ ### Add additional hosts 1. Add host definition to `hosts.toml` +2. Create host configuration in `hosts/` + 1. Create and fill `default.nix` + 1. Fill `net.nix` + 1. Fill `fs.nix` + ## Deploy diff --git a/flake.lock b/flake.lock index 9098959..9ccf3ce 100644 --- a/flake.lock +++ b/flake.lock @@ -114,6 +114,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693189188, + "narHash": "sha256-o6otfsB/ecudboYFwiCeL49BX3/8vRC/XUZTgkaDx54=", + "owner": "nix-community", + "repo": "disko", + "rev": "00169fe4a6015a88c3799f0bf89689e06a4d4896", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -345,6 +365,7 @@ "agenix-rekey": "agenix-rekey", "colmena": "colmena", "devshell": "devshell", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", "hyprland": "hyprland", diff --git a/flake.nix b/flake.nix index 0402519..5f616af 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,11 @@ # to prevent multiple instances of systems systems.url = "github:nix-systems/default"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; # should use system nixpkgs instead of their own @@ -90,7 +95,7 @@ } // flake-utils.lib.eachDefaultSystem (system: rec { pkgs = import nixpkgs { - overlays = [(import nix/lib.nix inputs)]; + overlays = import ./lib inputs; inherit system; # TODO fix this to only allow specific unfree packages config.allowUnfree = true; 
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix index 1db7b5f..eb459c8 100644 --- a/hosts/common/core/default.nix +++ b/hosts/common/core/default.nix @@ -20,6 +20,7 @@ inputs.impermanence.nixosModules.impermanence inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default + inputs.disko.nixosModules.disko ]; age.identityPaths = ["/state/etc/ssh/ssh_host_ed25519_key"]; } diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix index 536235c..972bbde 100644 --- a/hosts/common/core/impermanence.nix +++ b/hosts/common/core/impermanence.nix @@ -5,6 +5,7 @@ }: { # to allow all users to access hm managed persistent folders programs.fuse.userAllowOther = true; + fileSystems."/state".neededForBoot = true; environment.persistence."/state" = { hideMounts = true; @@ -15,6 +16,18 @@ ]; directories = [ + { + directory = "/var/log"; + user = "root"; + group = "root"; + mode = "0755"; + } + { + directory = "/var/lib/systemd"; + user = "root"; + group = "root"; + mode = "0755"; + } { directory = "/var/lib/nixos"; user = "root"; @@ -22,9 +35,6 @@ mode = "0775"; } ] - ++ lib.lists.optionals config.hardware.acpilight.enable [ - "/var/lib/systemd/backlight" - ] ++ lib.lists.optionals config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]; diff --git a/hosts/common/dev/default.nix b/hosts/common/dev/default.nix index f21a843..abd5598 100644 --- a/hosts/common/dev/default.nix +++ b/hosts/common/dev/default.nix @@ -3,4 +3,9 @@ ./docs.nix ]; environment.enableDebugInfo = true; + environment.shellInit = '' + gpg-connect-agent /bye + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + umask 077 + ''; } diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix new file mode 100644 index 0000000..a51ac1c --- /dev/null +++ b/hosts/desktopnix/default.nix 
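Review bot: The unconditional `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` in the new `environment.shellInit` of hosts/common/dev/default.nix overwrites a socket that an incoming ssh session had forwarded, so agent forwarding into every host that imports common/dev silently stops working; guard it with something like `[ -n "$SSH_CONNECTION" ] || export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)`. Because shellInit runs for every user's login shell, `gpg-connect-agent /bye` now starts a gpg-agent for each user on these hosts, root included, which was previously confined to patricknix; whether that is wanted for the desktop is worth stating in a comment. The `umask 077` likewise becomes host-wide and is stricter than the NixOS default; a one-line comment such as `# host-wide: new files are private to their owner by default` would record that this is intentional rather than an accident of the move.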
@@ -0,0 +1,14 @@
+{inputs, ...}: {
+ imports = [
+ inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+ inputs.nixos-hardware.nixosModules.common-pc
+ inputs.nixos-hardware.nixosModules.common-pc-hdd
+ inputs.nixos-hardware.nixosModules.common-pc-ssd
+
+ ../common/core
+ ../common/dev
+
+ ./net.nix
+ ./fs.nix
+ ];
+}
diff --git a/hosts/desktopnix/fs.nix b/hosts/desktopnix/fs.nix
new file mode 100644
index 0000000..8e259a2
--- /dev/null
+++ b/hosts/desktopnix/fs.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ disko.devices = {
+ disk = {
+ m2-ssd = {
+ type = "disk";
+ device = "/dev/disk/by-id/${config.secrets.secrets.local.disk.m2-ssd}";
+ content = with lib.disko.gpt; {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ (partEfiBoot "boot" "0%" "512MiB")
+ (partSwap "swap" "1GiB" "17GiB")
+ (partLuksZfs "rpool" "17GiB" "100%")
+ ];
+ };
+ };
+ sata-ssd = {
+ type = "disk";
+ device = "/dev/disk/by-id/${config.secrets.secrets.local.disk.sata-ssd}";
+ content = with lib.disko.gpt; {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ (partLuksZfs "infantry-fighting-vehicle" "0%" "100%")
+ ];
+ };
+ };
+ sata-hdd = {
+ type = "disk";
+ device = "/dev/disk/by-id/${config.secrets.secrets.local.disk.sata-hdd}";
+ content = with lib.disko.gpt; {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ (partLuksZfs "panzer" "0%" "100%")
+ ];
+ };
+ };
+ };
+ zpool = with lib.disko.zfs; {
+ rpool = defaultZpoolOptions // {datasets = defaultZfsDatasets;};
+ infantry-fighting-vehicle = defaultZpoolOptions // {datasets = {};};
+ panzer = defaultZpoolOptions // {datasets = {};};
+ };
+ };
+}
diff --git a/hosts/desktopnix/net.nix b/hosts/desktopnix/net.nix
new file mode 100644
index 0000000..07236d8
--- /dev/null
+++ b/hosts/desktopnix/net.nix
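Review bot: The m2-ssd partition table in hosts/desktopnix/fs.nix leaves the range between the end of `boot` at `512MiB` and the start of `swap` at `1GiB` unallocated; either `(partSwap "swap" "512MiB" "17GiB")` or a comment explaining the reserved gap would make the layout read as intentional. The `infantry-fighting-vehicle` and `panzer` pools are created with `datasets = {}` while `defaultZpoolOptions` gives the root dataset `mountpoint = "none"` and `canmount = "off"`, so neither pool exposes a filesystem until datasets are added; a `# TODO: add datasets, pool is currently unused` on those two lines would tell the next reader this is a placeholder rather than an omission. The device paths are resolved from the encrypted per-host secrets, which keeps the by-id serials out of the public tree, but it also means a wrong or missing secret silently selects no disk; a short comment naming the expected keys (`disk.m2-ssd`, `disk.sata-ssd`, `disk.sata-hdd`) next to `disko.devices` would help when setting up the next host.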
@@ -0,0 +1,12 @@
+{config, ...}: {
+ networking = {
+ inherit (config.secrets.secrets.local.networking) hostId;
+ };
+ systemd.network.networks = {
+ "01-lan1" = {
+ DHCP = "yes";
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
+ dns = ["192.168.178.2"];
+ };
+ };
+}
diff --git a/hosts/desktopnix/secrets/secrets.nix.age b/hosts/desktopnix/secrets/secrets.nix.age
new file mode 100644
index 0000000..5938deb
Binary files /dev/null and b/hosts/desktopnix/secrets/secrets.nix.age differ
diff --git a/hosts/patricknix/default.nix b/hosts/patricknix/default.nix
index 8075efb..c0d1a38 100644
--- a/hosts/patricknix/default.nix
+++ b/hosts/patricknix/default.nix
@@ -30,10 +30,5 @@
 ../../users/patrick
 ];
 # Set your time zone.
- time.timeZone = "Asia/Seoul";
- environment.shellInit = ''
- gpg-connect-agent /bye
- export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
- umask 077
- '';
+ time.timeZone = "Europe/Berlin";
 }
diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix
index 9c5877e..1bc16d6 100644
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@@ -13,15 +13,25 @@
 "01-lan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
- networkConfig.IPv6PrivacyExtensions = "yes";
+ networkConfig = {
+ IPv6PrivacyExtensions = "yes";
+ MulticastDNS = true;
+ };
 dns = ["9.9.9.9"];
+ dhcpV4Config.RouteMetric = 10;
+ dhcpV6Config.RouteMetric = 10;
 };
 "01-wlan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
- networkConfig.IPv6PrivacyExtensions = "yes";
+ networkConfig = {
+ IPv6PrivacyExtensions = "yes";
+ MulticastDNS = true;
+ };
 # TODO: change dns to own when at home
 dns = ["9.9.9.9"];
+ dhcpV4Config.RouteMetric = 40;
+ dhcpV6Config.RouteMetric = 40;
 };
 };
 age.secrets.eduroam = {
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..9d899f5
--- /dev/null
+++ b/lib/default.nix
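Review bot: In hosts/desktopnix/net.nix, `dns = ["192.168.178.2"]` is combined with `DHCP = "yes"` but nothing switches off the lease-provided resolvers, so the static LAN resolver is merged with whatever the DHCP server hands out rather than replacing it; if the intent is to pin the local resolver, add `dhcpV4Config.UseDNS = false;` and `dhcpV6Config.UseDNS = false;` next to it. Unlike the patricknix interfaces touched in this same commit, this link sets no `networkConfig.IPv6PrivacyExtensions`; that may be deliberate for a stationary desktop, but a one-line comment saying so would stop the next reader from treating it as an oversight. Taking `hostId` from the encrypted per-host secrets keeps it out of the public tree, which is the right place for it.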
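Review bot: `MulticastDNS = true` on `01-wlan1` in hosts/patricknix/net.nix enables both the mDNS responder and the resolver on the interface this laptop also uses on foreign networks (the hunk's last context line is the eduroam secret), which announces the hostname to every peer on the link and lets any peer answer `.local` lookups; `MulticastDNS = "resolve";` keeps resolution without the announcement, or restrict `true` to `01-lan1` where the home LAN is the only peer set. The per-link setting only takes effect if resolved's global MulticastDNS setting allows it, which is not visible in this hunk, so it is worth confirming the two agree. The route metrics (wired 10, wireless 40) read as intended and need no change.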
@@ -0,0 +1,4 @@
+inputs: [
+ (import ./impermanence.nix inputs)
+ (import ./disko.nix inputs)
+]
diff --git a/lib/disko.nix b/lib/disko.nix
new file mode 100644
index 0000000..89baef6
--- /dev/null
+++ b/lib/disko.nix
@@ -0,0 +1,79 @@
+inputs: self: super: {
+ lib =
+ super.lib
+ // {
+ disko = {
+ gpt = {
+ partEfiBoot = name: start: end: {
+ inherit name start end;
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ partSwap = name: start: end: {
+ inherit name start end;
+ fs-type = "linux-swap";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ partLuksZfs = name: start: end: {
+ inherit start end;
+ name = "enc-${name}";
+ content = {
+ type = "luks";
+ name = "enc-${name}";
+ extraOpenArgs = ["--allow-discard"];
+ content = {
+ type = "zfs";
+ pool = name;
+ };
+ };
+ };
+ };
+ zfs = rec {
+ defaultZpoolOptions = {
+ type = "zpool";
+ rootFsOptions = {
+ compression = "zstd";
+ acltype = "posix";
+ atime = "off";
+ xattr = "sa";
+ dnodesize = "auto";
+ mountpoint = "none";
+ canmount = "off";
+ devices = "off";
+ };
+ options.ashift = "12";
+ };
+ defaultZfsDatasets = {
+ "local" = unmountable;
+ "local/root" =
+ filesystem "/"
+ // {
+ postCreateHook = "zfs snapshot rpool/local/root@blank";
+ };
+ "local/nix" = filesystem "/nix";
+ "local/state" = filesystem "/state";
+ "safe" = unmountable;
+ "safe/persist" = filesystem "/persist";
+ };
+ unmountable = {type = "zfs_fs";};
+ filesystem = mountpoint: {
+ type = "zfs_fs";
+ options = {
+ canmount = "noauto";
+ inherit mountpoint;
+ };
+ inherit mountpoint;
+ # needed for initrd dependency
+ };
+ };
+ };
+ };
+}
diff --git a/nix/lib.nix b/lib/impermanence.nix
similarity index 100%
rename from nix/lib.nix
rename to lib/impermanence.nix
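Review bot: `defaultZfsDatasets` in lib/disko.nix hardcodes the pool name in `postCreateHook = "zfs snapshot rpool/local/root@blank"` while every other part of the helper is pool-agnostic, so reusing the dataset set on a pool with another name would snapshot a nonexistent (or the wrong) dataset; the smallest fix is a comment on that line, `# only valid for the pool named rpool: the hook names it explicitly`, the better one a `mkDatasets = pool: …` variant with `defaultZfsDatasets = mkDatasets "rpool"` kept for the existing caller in hosts/desktopnix/fs.nix, as sketched below. The trailing `# needed for initrd dependency` sits after `inherit mountpoint;` and reads as orphaned; moving it above that line makes it explain why `mountpoint` is duplicated outside `options`, which is presumably its purpose. In `partLuksZfs`, `extraOpenArgs = ["--allow-discard"]` passes TRIM through the LUKS layer, which helps SSD longevity at the cost of revealing which blocks are in use; a one-line comment recording that trade-off would save the next reader from reverting it. `partSwap` sets `randomEncryption = true`, which rules out resuming from hibernation; with a 16 GiB swap sized in fs.nix that may be worth confirming.
```nix
zfs = rec {
  # … unchanged: defaultZpoolOptions …
  # Dataset layout for one pool; the blank-root snapshot hook has to name the pool explicitly.
  mkDatasets = pool: {
    "local" = unmountable;
    "local/root" =
      filesystem "/"
      // {
        postCreateHook = "zfs snapshot ${pool}/local/root@blank";
      };
    "local/nix" = filesystem "/nix";
    "local/state" = filesystem "/state";
    "safe" = unmountable;
    "safe/persist" = filesystem "/persist";
  };
  # Kept for existing callers (hosts/desktopnix/fs.nix uses it for rpool).
  defaultZfsDatasets = mkDatasets "rpool";
  # … unchanged: unmountable, filesystem …
```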