Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

got impermanence to wipe drive

Browse source
This commit is contained in:
Leyla Becker 2024-12-08 21:58:11 -06:00
parent d2b3f0116e
commit 848c57caa0
10 changed files with 281 additions and 234 deletions
Download patch file Download diff file Expand all files Collapse all files

1
configurations/home-manager/leyla/default.nix
View file

@ -6,6 +6,7 @@
imports = [ imports = [
./i18n.nix ./i18n.nix
./packages.nix ./packages.nix
./impermanence.nix
]; ];
config = { config = {

21
configurations/home-manager/leyla/impermanence.nix Normal file
View file

@ -0,0 +1,21 @@
{...}: {
home.persistence."/persistent/home/leyla" = {
directories = [
"desktop"
"downloads"
"documents"
".ssh"
".nixops"
".local/share/keyrings"
".local/share/direnv"
{
directory = ".local/share/Steam";
method = "symlink";
}
];
# files = [
# ".screenrc"
# ];
allowOther = true;
};
}

57
configurations/nixos/defiant/configuration.nix
View file

@ -6,7 +6,7 @@
}: { }: {
imports = [ imports = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./services.nix # ./services.nix
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -23,37 +23,30 @@
}; };
}; };
boot.loader.grub = { # apps = {
enable = true; # base_domain = "jan-leila.com";
zfsSupport = true; # macvlan = {
efiSupport = true; # subnet = "192.168.1.0/24";
efiInstallAsRemovable = true; # gateway = "192.168.1.1";
}; # networkInterface = "bond0";
# };
apps = { # pihole = {
base_domain = "jan-leila.com"; # image = "pihole/pihole:2024.07.0";
macvlan = { # ip = "192.168.1.201";
subnet = "192.168.1.0/24"; # };
gateway = "192.168.1.1"; # headscale = {
networkInterface = "bond0"; # subdomain = "vpn";
}; # };
pihole = { # jellyfin = {
image = "pihole/pihole:2024.07.0"; # subdomain = "media";
ip = "192.168.1.201"; # };
}; # forgejo = {
headscale = { # subdomain = "git";
subdomain = "vpn"; # };
}; # nextcloud = {
jellyfin = { # subdomain = "drive";
subdomain = "media"; # };
}; # };
forgejo = {
subdomain = "git";
};
nextcloud = {
subdomain = "drive";
};
};
services = { services = {
zfs = { zfs = {

3
configurations/nixos/defiant/default.nix
View file

@ -1,8 +1,9 @@
# server nas # server nas
{...}: { {...}: {
imports = [ imports = [
./configuration.nix
./disko-config.nix ./disko-config.nix
./hardware-configuration.nix ./hardware-configuration.nix
./impermanence.nix
./configuration.nix
]; ];
} }

196
configurations/nixos/defiant/disko-config.nix
View file

@ -1,26 +1,4 @@
{...}: let {lib, ...}: let
bootDisk = devicePath: {
type = "disk";
device = devicePath;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
};
};
};
zfsDisk = devicePath: { zfsDisk = devicePath: {
type = "disk"; type = "disk";
device = devicePath; device = devicePath;
@ -37,41 +15,41 @@
}; };
}; };
}; };
# cacheDisk = devicePath: swapSize: { cacheDisk = devicePath: {
# type = "disk"; type = "disk";
# device = devicePath; device = devicePath;
# content = { content = {
# type = "gpt"; type = "gpt";
# partitions = { partitions = {
# encryptedSwap = { # We are having to boot off of the nvm cache drive because I cant figure out how to boot via the HBA
# size = swapSize; ESP = {
# content = { size = "64M";
# type = "swap"; type = "EF00";
# randomEncryption = true; content = {
# discardPolicy = "both"; type = "filesystem";
# resumeDevice = true; format = "vfat";
# }; mountpoint = "/boot";
# }; mountOptions = ["umask=0077"];
# zfs = { };
# size = "100%"; };
# content = { zfs = {
# type = "zfs"; size = "100%";
# pool = "rpool"; content = {
# }; type = "zfs";
# }; pool = "rpool";
# }; };
# }; };
# }; };
};
};
in { in {
disko.devices = { disko.devices = {
disk = { disk = {
boot = bootDisk "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0"; hd_18_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB";
hd_18_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
hd_18_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB"; ssd_4_tb_a = cacheDisk "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F";
hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
# ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX";
}; };
zpool = { zpool = {
rpool = { rpool = {
@ -84,58 +62,106 @@ in {
# should this only mirror for this inital config with 3 drives we will used raidz2 for future configs??? # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs???
mode = "mirror"; mode = "mirror";
members = [ members = [
"hd_13_tb_a" "hd_18_tb_a"
"hd_13_tb_b" "hd_18_tb_b"
"hd_13_tb_c" "hd_18_tb_c"
]; ];
} }
]; ];
cache = []; cache = ["ssd_4_tb_a"];
# cache = [ "ssd_2_tb_a" ];z
}; };
}; };
options = { options = {
ashift = "12"; ashift = "12";
autotrim = "on";
}; };
rootFsOptions = { rootFsOptions =
# encryption = "on"; {
# keyformat = "hex"; canmount = "off";
# keylocation = "prompt"; mountpoint = "none";
compression = "lz4";
xattr = "sa"; xattr = "sa";
acltype = "posixacl"; acltype = "posixacl";
canmount = "off"; relatime = "on";
"com.sun:auto-snapshot" = "false";
}; compression = "lz4";
"com.sun:auto-snapshot" = "false";
}
# TODO: have an option to enable encryption
// lib.attrsets.optionalAttrs false {
encryption = "on";
keyformat = "hex";
keylocation = "prompt";
};
datasets = { datasets = {
root = { # local datasets are for data that should be considered ephemeral
"local" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/"; options.canmount = "off";
options.mountpoint = "legacy";
postCreateHook = "zfs snapshot rpool/root@blank";
}; };
home = { # the nix directory is local because its all generable from our configuration
type = "zfs_fs"; "local/system/nix" = {
options.mountpoint = "legacy";
mountpoint = "/home";
postCreateHook = "zfs snapshot rpool/home@blank";
};
nix = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/nix"; mountpoint = "/nix";
};
persistent = {
type = "zfs_fs";
mountpoint = "/persistent";
options = { options = {
"com.sun:auto-snapshot" = "true"; atime = "off";
relatime = "off";
canmount = "on";
}; };
}; };
"local/system/root" = {
type = "zfs_fs";
mountpoint = "/";
options = {
canmount = "on";
};
postCreateHook = ''
zfs snapshot rpool/local/system/root@blank
'';
};
"local/home/leyla" = {
type = "zfs_fs";
mountpoint = "/home/leyla";
options = {
canmount = "on";
};
postCreateHook = ''
zfs snapshot rpool/local/home/leyla@blank
'';
};
# persist datasets are datasets that contain information that we would like to keep around
"persist" = {
type = "zfs_fs";
options.canmount = "off";
};
"persist/system/root" = {
type = "zfs_fs";
mountpoint = "/persist/system/root";
options = {
"com.sun:auto-snapshot" = "true";
mountpoint = "/persist/system/root";
};
};
"persist/home/leyla" = {
type = "zfs_fs";
mountpoint = "/persist/home/leyla";
options = {
"com.sun:auto-snapshot" = "true";
mountpoint = "/persist/home/leyla";
};
};
# TODO: separate dataset for logs that wont participate in snapshots and rollbacks with the rest of the system
}; };
}; };
}; };
}; };
networking = {
hostId = "c51763d6";
};
} }

122
configurations/nixos/defiant/hardware-configuration.nix
View file

@ -11,136 +11,32 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
security.sudo.extraConfig = "Defaults lecture=never";
boot = { boot = {
initrd = { initrd = {
availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"]; availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod"];
kernelModules = []; kernelModules = [];
# TODO: figure out some kind of snapshotting before rollbacks
# postDeviceCommands = lib.mkAfter ''
# zfs rollback -r rpool/root@blank
# zfs rollback -r rpool/home@blank
# '';
# systemd = {
# enable = lib.mkDefault true;
# services.rollback = {
# description = "Rollback root filesystem to a pristine state on boot";
# wantedBy = [
# "zfs.target"
# "initrd.target"
# ];
# after = [
# "zfs-import-rpool.service"
# ];
# before = [
# "sysroot.mount"
# "fs.target"
# ];
# path = with pkgs; [
# zfs
# ];
# unitConfig.DefaultDependencies = "no";
# # serviceConfig = {
# # Type = "oneshot";
# # ExecStart =
# # "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/home@blank";
# # };
# serviceConfig.Type = "oneshot";
# script = ''
# zfs list -t snapshot || echo
# zfs rollback -r rpool/root@blank
# zfs rollback -r rpool/home@blank
# '';
# };
# };
}; };
kernelModules = ["kvm-amd"]; kernelModules = ["kvm-amd"];
kernelParams = ["quiet"];
extraModulePackages = []; extraModulePackages = [];
# Bootloader.
loader = {
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
supportedFilesystems = ["zfs"]; supportedFilesystems = ["zfs"];
zfs.extraPools = ["rpool"]; zfs.extraPools = ["rpool"];
}; };
swapDevices = [];
# fileSystems = {
# "/" = {
# neededForBoot = true;
# };
# "/home" = {
# neededForBoot = true;
# };
# "/persistent" = {
# neededForBoot = true;
# };
# };
networking = { networking = {
hostId = "c51763d6";
hostName = "defiant"; # Define your hostname. hostName = "defiant"; # Define your hostname.
useNetworkd = true; useNetworkd = true;
}; };
# environment.persistence."/persistent" = {
# enable = true;
# hideMounts = true;
# directories = [
# # "/run/secrets"
# "/etc/ssh"
# "/var/log"
# "/var/lib/nixos"
# "/var/lib/systemd/coredump"
# # config.apps.pihole.directory.root
# # config.apps.jellyfin.mediaDirectory
# # config.services.jellyfin.configDir
# # config.services.jellyfin.cacheDir
# # config.services.jellyfin.dataDir
# # "/var/hass" # config.users.users.hass.home
# # "/var/postgresql" # config.users.users.postgresql.home
# # "/var/forgejo" # config.users.users.forgejo.home
# # "/var/nextcloud" # config.users.users.nextcloud.home
# # "/var/headscale" # config.users.users.headscale.home
# ];
# files = [
# "/etc/machine-id"
# # config.environment.sessionVariables.SOPS_AGE_KEY_FILE
# ];
# users.leyla = {
# directories = [
# "documents"
# ".ssh"
# ];
# files = [];
# };
# };
# systemd.services = {
# # https://github.com/openzfs/zfs/issues/10891
# systemd-udev-settle.enable = false;
# # Snapshots are not accessible on boot for some reason this should fix it
# # https://github.com/NixOS/nixpkgs/issues/257505
# zfs-mount = {
# serviceConfig = {
# # ExecStart = [ "${lib.getExe' pkgs.util-linux "mount"} -a -t zfs -o remount" ];
# ExecStart = [
# "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/root -o remount"
# "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/home -o remount"
# "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/persistent -o remount"
# ];
# };
# };
# };
systemd.network = { systemd.network = {
enable = true; enable = true;

87
configurations/nixos/defiant/impermanence.nix Normal file
View file

@ -0,0 +1,87 @@
{
lib,
config,
...
}: {
boot.initrd.postResumeCommands = lib.mkAfter ''
zfs rollback -r rpool/local/system/root@blank
zfs rollback -r rpool/local/home/leyla@blank
'';
# systemd.services = {
# # https://github.com/openzfs/zfs/issues/10891
# systemd-udev-settle.enable = false;
# # Snapshots are not accessible on boot for some reason this should fix it
# # https://github.com/NixOS/nixpkgs/issues/257505
# zfs-mount = {
# serviceConfig = {
# ExecStart = ["zfs mount -a -o remount"];
# # ExecStart = [
# # "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/local -o remount"
# # "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/persistent -o remount"
# # ];
# };
# };
# };
# boot.initrd.systemd.services.rollback = {
# description = "Rollback filesystem to a pristine state on boot";
# wantedBy = [
# "initrd.target"
# ];
# after = [
# "zfs-import-rpool.service"
# ];
# before = [
# "sysroot.mount"
# ];
# requiredBy = [
# "sysroot.mount"
# ];
# serviceConfig = {
# Type = "oneshot";
# ExecStart = ''
# zfs rollback -r rpool/local/system/root@blank
# zfs rollback -r rpool/local/home@blank
# '';
# };
# };
fileSystems."/".neededForBoot = true;
fileSystems."/home/leyla".neededForBoot = true;
fileSystems."/persist/system/root".neededForBoot = true;
fileSystems."/persist/home/leyla".neededForBoot = true;
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
"/run/secrets"
"/etc/ssh"
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
# config.apps.pihole.directory.root
# config.apps.jellyfin.mediaDirectory
# config.services.jellyfin.configDir
# config.services.jellyfin.cacheDir
# config.services.jellyfin.dataDir
# "/var/hass" # config.users.users.hass.home
# "/var/postgresql" # config.users.users.postgresql.home
# "/var/forgejo" # config.users.users.forgejo.home
# "/var/nextcloud" # config.users.users.nextcloud.home
# "/var/headscale" # config.users.users.headscale.home
];
files = [
"/etc/machine-id"
config.environment.sessionVariables.SOPS_AGE_KEY_FILE
];
};
security.sudo.extraConfig = "Defaults lecture=never";
}

16
flake.lock generated
View file

@ -127,6 +127,21 @@
"type": "github" "type": "github"
} }
}, },
"impermanence": {
"locked": {
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -207,6 +222,7 @@
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",

9
flake.nix
View file

@ -24,9 +24,9 @@
}; };
# delete your darlings # delete your darlings
# impermanence = { impermanence = {
# url = "github:nix-community/impermanence"; url = "github:nix-community/impermanence";
# }; };
nix-darwin = { nix-darwin = {
url = "github:LnL7/nix-darwin"; url = "github:LnL7/nix-darwin";
@ -65,6 +65,9 @@
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
sops-nix,
home-manager,
impermanence,
... ...
} @ inputs: let } @ inputs: let
util = import ./util {inherit inputs;}; util = import ./util {inherit inputs;};

3
util/default.nix
View file

@ -7,6 +7,7 @@
home-manager = inputs.home-manager; home-manager = inputs.home-manager;
nix-darwin = inputs.nix-darwin; nix-darwin = inputs.nix-darwin;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
impermanence = inputs.impermanence;
systems = [ systems = [
"aarch64-darwin" "aarch64-darwin"
@ -25,6 +26,7 @@
common-modules common-modules
++ [ ++ [
sops-nix.homeManagerModules.sops sops-nix.homeManagerModules.sops
impermanence.homeManagerModules.impermanence
../modules/home-manager-modules ../modules/home-manager-modules
]; ];
@ -70,6 +72,7 @@ in {
system-modules system-modules
++ [ ++ [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
impermanence.nixosModules.impermanence
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../modules/nixos-modules ../modules/nixos-modules
../configurations/nixos/${host} ../configurations/nixos/${host}