feat: reimaged laptop

2023-09-26 22:25:58 +02:00 · 2023-09-26 22:25:58 +02:00 · df40786d28
parent 4b81b90d50
commit df40786d28
18 changed files with 69 additions and 28 deletions
--- a/README.md
+++ b/README.md
@ -78,7 +78,7 @@
 4. Run the installer script from the nix store of the live system
    - you can get the path using `nix path-info .#packages.<target-system>.installer-package.<target>`
 4. Export all zpools and reboot into system
-6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
+6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
 5. Deploy system
 ### Add secureboot to new systems
--- a/flake.nix
+++ b/flake.nix
@ -109,15 +109,15 @@
        hosts
        microvmConfigurations
        nixosConfigurations
        minimalConfigurations
        ;
      nodes = self.nixosConfigurations // self.microvmConfigurations;
      top = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nodes;
      inherit
        (lib.foldl' lib.recursiveUpdate {}
          (lib.mapAttrsToList
            (import ./nix/generate-installer-package.nix inputs)
-            self.nixosConfigurations))
+            self.minimalConfigurations))
        packages
        ;
    }
@ -139,7 +139,7 @@
        inherit pkgs;
        modules = [
          ./nix/installer-configuration.nix
-          ./modules/os-conf/core/ssh.nix
+          ./modules/config/ssh.nix
          {system.stateVersion = stateVersion;}
        ];
        format =
--- a/hosts/patricknix/fs.nix
+++ b/hosts/patricknix/fs.nix
@ -12,9 +12,9 @@
          type = "table";
          format = "gpt";
          partitions = [
-            (partEfiBoot "boot" "0%" "512MiB")
+            (partEfiBoot "boot" "0%" "1GiB")
-            #(partSwap "swap" "1GiB" "17GiB")
+            (partSwap "swap" "1GiB" "17GiB")
-            (partLuksZfs "rpool" "rpool" "512MiB" "100%")
+            (partLuksZfs "rpool" "rpool" "17GiB" "100%")
          ];
        };
      };
--- a/hosts/patricknix/secrets/host.pub
+++ b/hosts/patricknix/secrets/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLkYv7UrkdkTYj8YvoEwtwvaRBA4P/zYj5opl0+eDst root@patricknix
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@ -7,7 +7,7 @@
    settings = {
      auto-optimise-store = true;
      allowed-users = ["@wheel" "nixseparatedebuginfod"];
-      trusted-users = ["root" "@wheel"];
+      trusted-users = ["root"];
      system-features = ["recursive-nix" "repl-flake" "big-parallel"];
      substituters = [
        "https://nix-config.cachix.org"
@ -25,6 +25,8 @@
      ];
      cores = 0;
      max-jobs = "auto";
      # make agenix rekey find the secrets even without trusted user
      extra-sandbox-paths = ["/var/tmp/agenix-rekey?"];
    };
    daemonCPUSchedPolicy = "batch";
    daemonIOSchedPriority = 5;
--- a/modules/dev/default.nix
+++ b/modules/dev/default.nix
@ -1,4 +1,9 @@
 {
  lib,
  minimal,
  ...
 }:
 lib.optionalAttrs (!minimal) {
  imports = [
    ./docs.nix
  ];
--- a/modules/graphical/fonts.nix
+++ b/modules/graphical/fonts.nix
@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
  pkgs,
  minimal,
  lib,
  ...
 }:
 lib.optionalAttrs (!minimal) {
  fonts = {
    enableGhostscriptFonts = false;
    fontDir.enable = false;
--- a/modules/hardware/nvidia.nix
+++ b/modules/hardware/nvidia.nix
@ -1,8 +1,10 @@
 {
  lib,
  minimal,
  pkgs,
  ...
-}: {
+}:
 lib.optionalAttrs (!minimal) {
  services.xserver.videoDrivers = lib.mkForce ["nvidia"];
  hardware = {
--- a/modules/hardware/pipewire.nix
+++ b/modules/hardware/pipewire.nix
@ -1,8 +1,10 @@
 {
  lib,
  minimal,
  pkgs,
  ...
-}: {
+}:
 lib.optionalAttrs (!minimal) {
  environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
  hardware.pulseaudio.enable = lib.mkForce false;
--- a/modules/meta.nix
+++ b/modules/meta.nix
@ -5,19 +5,18 @@
 }: let
  inherit
    (lib)
    mdDoc
    mkOption
    types
    ;
 in {
  options.node = {
    name = mkOption {
-      description = mdDoc "A unique name for this node (host) in the repository. Defines the default hostname, but this can be overwritten.";
+      description = "A unique name for this node (host) in the repository. Defines the default hostname, but this can be overwritten.";
      type = types.str;
    };
    secretsDir = mkOption {
-      description = mdDoc "Path to the secrets directory for this node.";
+      description = "Path to the secrets directory for this node.";
      type = types.path;
    };
  };
--- a/modules/optional/secureboot.nix
+++ b/modules/optional/secureboot.nix
@ -1,9 +1,11 @@
 {
  pkgs,
  lib,
  minimal,
  pkgs,
  config,
  ...
-}: {
+}:
 lib.optionalAttrs (!minimal) {
  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
    (pkgs.sbctl.override
--- a/modules/optional/steam.nix
+++ b/modules/optional/steam.nix
@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
  lib,
  minimal,
  pkgs,
  ...
 }:
 lib.optionalAttrs (!minimal) {
  programs.steam = {
    enable = true;
    package = pkgs.steam.override {
--- a/modules/optional/wayland.nix
+++ b/modules/optional/wayland.nix
@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
  lib,
  minimal,
  pkgs,
  ...
 }:
 lib.optionalAttrs (!minimal) {
  services.dbus.enable = true;
  xdg.portal = {
    enable = true;
--- a/modules/optional/xserver.nix
+++ b/modules/optional/xserver.nix
@ -1,4 +1,9 @@
 {
  lib,
  minimal,
  ...
 }:
 lib.optionalAttrs (!minimal) {
  # Configure keymap in X11
  services.xserver = {
    enable = true;
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@ -45,6 +45,10 @@ in
        package = pkgs.deadnix;
        help = "Remove dead nix code";
      }
      {
        package = pkgs.nix-tree;
        help = "Show nix closure tree";
      }
      {
        package = pkgs.update-nix-fetchgit;
        help = "Update fetcher inside nix files";
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -12,15 +12,15 @@ inputs: let
    ;
  # Creates a new nixosSystem with the correct specialArgs, pkgs and name definition
-  mkHost = name: system: let
+  mkHost = {minimal}: name: hostCfg: let
-    pkgs = self.pkgs.${system};
+    pkgs = self.pkgs.${hostCfg.system};
  in
    nixosSystem {
      specialArgs = {
        # Use the correct instance lib that has our overlays
        inherit (pkgs) lib;
        inherit (self) nodes stateVersion;
-        inherit inputs;
+        inherit inputs minimal;
      };
      modules = [
        {
@ -28,7 +28,7 @@ inputs: let
          # inputs.nixpkgs.nixosModules.readOnlyPkgs, since some nixosModules
          # like nixseparatedebuginfod depend on adding packages via nixpkgs.overlays.
          # So we just mimic the options and overlays defined by the passed pkgs set.
-          nixpkgs.hostPlatform = system;
+          nixpkgs.hostPlatform = hostCfg.system;
          nixpkgs.overlays = pkgs.overlays;
          nixpkgs.config = pkgs.config;
          node.name = name;
@ -45,7 +45,8 @@ inputs: let
  # Get all hosts of type "nixos"
  nixosHosts = filterAttrs (_: x: x.type == "nixos") hosts;
  # Process each nixosHosts declaration and generatea nixosSystem definitions
-  nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system);
+  nixosConfigurations = flip mapAttrs nixosHosts (mkHost {minimal = false;});
  minimalConfigurations = flip mapAttrs nixosHosts (mkHost {minimal = true;});
  # True NixOS nodes can define additional microvms (guest nodes) that are built
  # together with the true host. We collect all defined microvm nodes
@ -59,5 +60,6 @@ in {
    hosts
    microvmConfigurations
    nixosConfigurations
    minimalConfigurations
    ;
 }
--- a/nix/installer-configuration.nix
+++ b/nix/installer-configuration.nix
@ -15,9 +15,6 @@
    ];
  };
  # Grub broken
  boot.loader.systemd-boot.enable = true;
  environment = {
    variables.EDITOR = "nvim";
    systemPackages = with pkgs; [
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@ -1,8 +1,11 @@
 {
  pkgs,
  config,
  lib,
  minimal,
  ...
-}: {
+}:
 lib.optionalAttrs (!minimal) {
  imports = [
    ../../modules/optional/steam.nix
    ./impermanence.nix
`@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLkYv7UrkdkTYj8YvoEwtwvaRBA4P/zYj5opl0+eDst root@patricknix`