feat: reimaged laptop

README.md

@@ -78,7 +78,7 @@
 4. Run the installer script from the nix store of the live system
     - you can get the path using `nix path-info .#packages.<target-system>.installer-package.<target>`
 4. Export all zpools and reboot into system
-6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
+6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
 5. Deploy system
 
 ### Add secureboot to new systems

flake.nix

@@ -109,15 +109,15 @@
         hosts
         microvmConfigurations
         nixosConfigurations
+        minimalConfigurations
         ;
       nodes = self.nixosConfigurations // self.microvmConfigurations;
-      top = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nodes;
 
       inherit
         (lib.foldl' lib.recursiveUpdate {}
           (lib.mapAttrsToList
             (import ./nix/generate-installer-package.nix inputs)
-            self.nixosConfigurations))
+            self.minimalConfigurations))
         packages
         ;
     }
@@ -139,7 +139,7 @@
         inherit pkgs;
         modules = [
           ./nix/installer-configuration.nix
-          ./modules/os-conf/core/ssh.nix
+          ./modules/config/ssh.nix
           {system.stateVersion = stateVersion;}
         ];
         format =

hosts/patricknix/fs.nix

@@ -12,9 +12,9 @@
           type = "table";
           format = "gpt";
           partitions = [
-            (partEfiBoot "boot" "0%" "512MiB")
-            #(partSwap "swap" "1GiB" "17GiB")
-            (partLuksZfs "rpool" "rpool" "512MiB" "100%")
+            (partEfiBoot "boot" "0%" "1GiB")
+            (partSwap "swap" "1GiB" "17GiB")
+            (partLuksZfs "rpool" "rpool" "17GiB" "100%")
           ];
         };
       };

hosts/patricknix/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLkYv7UrkdkTYj8YvoEwtwvaRBA4P/zYj5opl0+eDst root@patricknix

modules/config/nix.nix

@@ -7,7 +7,7 @@
     settings = {
       auto-optimise-store = true;
       allowed-users = ["@wheel" "nixseparatedebuginfod"];
-      trusted-users = ["root" "@wheel"];
+      trusted-users = ["root"];
       system-features = ["recursive-nix" "repl-flake" "big-parallel"];
       substituters = [
         "https://nix-config.cachix.org"
@@ -25,6 +25,8 @@
       ];
       cores = 0;
       max-jobs = "auto";
+      # make agenix rekey find the secrets even without trusted user
+      extra-sandbox-paths = ["/var/tmp/agenix-rekey?"];
     };
     daemonCPUSchedPolicy = "batch";
     daemonIOSchedPriority = 5;

modules/dev/default.nix

@@ -1,4 +1,9 @@
 {
+  lib,
+  minimal,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
   imports = [
     ./docs.nix
   ];

modules/graphical/fonts.nix

@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  minimal,
+  lib,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
   fonts = {
     enableGhostscriptFonts = false;
     fontDir.enable = false;

modules/hardware/nvidia.nix

@@ -1,8 +1,10 @@
 {
   lib,
+  minimal,
   pkgs,
   ...
-}: {
+}:
+lib.optionalAttrs (!minimal) {
   services.xserver.videoDrivers = lib.mkForce ["nvidia"];
 
   hardware = {

modules/hardware/pipewire.nix

@@ -1,8 +1,10 @@
 {
   lib,
+  minimal,
   pkgs,
   ...
-}: {
+}:
+lib.optionalAttrs (!minimal) {
   environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
 
   hardware.pulseaudio.enable = lib.mkForce false;

modules/meta.nix

@@ -5,19 +5,18 @@
 }: let
   inherit
     (lib)
-    mdDoc
     mkOption
     types
     ;
 in {
   options.node = {
     name = mkOption {
-      description = mdDoc "A unique name for this node (host) in the repository. Defines the default hostname, but this can be overwritten.";
+      description = "A unique name for this node (host) in the repository. Defines the default hostname, but this can be overwritten.";
       type = types.str;
     };
 
     secretsDir = mkOption {
-      description = mdDoc "Path to the secrets directory for this node.";
+      description = "Path to the secrets directory for this node.";
       type = types.path;
     };
   };

modules/optional/secureboot.nix

@@ -1,9 +1,11 @@
 {
-  pkgs,
   lib,
+  minimal,
+  pkgs,
   config,
   ...
-}: {
+}:
+lib.optionalAttrs (!minimal) {
   environment.systemPackages = [
     # For debugging and troubleshooting Secure Boot.
     (pkgs.sbctl.override

modules/optional/steam.nix

@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  lib,
+  minimal,
+  pkgs,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
   programs.steam = {
     enable = true;
     package = pkgs.steam.override {

modules/optional/wayland.nix

@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  lib,
+  minimal,
+  pkgs,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
   services.dbus.enable = true;
   xdg.portal = {
     enable = true;

modules/optional/xserver.nix

@@ -1,4 +1,9 @@
 {
+  lib,
+  minimal,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
   # Configure keymap in X11
   services.xserver = {
     enable = true;

nix/devshell.nix

@@ -45,6 +45,10 @@ in
         package = pkgs.deadnix;
         help = "Remove dead nix code";
       }
+      {
+        package = pkgs.nix-tree;
+        help = "Show nix closure tree";
+      }
       {
         package = pkgs.update-nix-fetchgit;
         help = "Update fetcher inside nix files";

nix/hosts.nix

@@ -12,15 +12,15 @@ inputs: let
     ;
 
   # Creates a new nixosSystem with the correct specialArgs, pkgs and name definition
-  mkHost = name: system: let
-    pkgs = self.pkgs.${system};
+  mkHost = {minimal}: name: hostCfg: let
+    pkgs = self.pkgs.${hostCfg.system};
   in
     nixosSystem {
       specialArgs = {
         # Use the correct instance lib that has our overlays
         inherit (pkgs) lib;
         inherit (self) nodes stateVersion;
-        inherit inputs;
+        inherit inputs minimal;
       };
       modules = [
         {
@@ -28,7 +28,7 @@ inputs: let
           # inputs.nixpkgs.nixosModules.readOnlyPkgs, since some nixosModules
           # like nixseparatedebuginfod depend on adding packages via nixpkgs.overlays.
           # So we just mimic the options and overlays defined by the passed pkgs set.
-          nixpkgs.hostPlatform = system;
+          nixpkgs.hostPlatform = hostCfg.system;
           nixpkgs.overlays = pkgs.overlays;
           nixpkgs.config = pkgs.config;
           node.name = name;
@@ -45,7 +45,8 @@ inputs: let
   # Get all hosts of type "nixos"
   nixosHosts = filterAttrs (_: x: x.type == "nixos") hosts;
   # Process each nixosHosts declaration and generatea nixosSystem definitions
-  nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system);
+  nixosConfigurations = flip mapAttrs nixosHosts (mkHost {minimal = false;});
+  minimalConfigurations = flip mapAttrs nixosHosts (mkHost {minimal = true;});
 
   # True NixOS nodes can define additional microvms (guest nodes) that are built
   # together with the true host. We collect all defined microvm nodes
@@ -59,5 +60,6 @@ in {
     hosts
     microvmConfigurations
     nixosConfigurations
+    minimalConfigurations
     ;
 }

nix/installer-configuration.nix

@@ -15,9 +15,6 @@
     ];
   };
 
-  # Grub broken
-  boot.loader.systemd-boot.enable = true;
-
   environment = {
     variables.EDITOR = "nvim";
     systemPackages = with pkgs; [

users/patrick/default.nix

@@ -1,8 +1,11 @@
 {
   pkgs,
   config,
+  lib,
+  minimal,
   ...
-}: {
+}:
+lib.optionalAttrs (!minimal) {
   imports = [
     ../../modules/optional/steam.nix
     ./impermanence.nix