diff --git a/README.md b/README.md index 5f4848e..e94d8b3 100644 --- a/README.md +++ b/README.md @@ -60,4 +60,4 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords. - mastodon server - tail scale clients - wake on LAN -- ISO target that contains authorized keys for nixos-anywhere \ No newline at end of file +- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix \ No newline at end of file diff --git a/flake.lock b/flake.lock index 4d181fa..ed31d1e 100644 --- a/flake.lock +++ b/flake.lock @@ -74,6 +74,21 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1730403150, + "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "nix-vscode-extensions": { "inputs": { "flake-compat": "flake-compat", @@ -146,6 +161,7 @@ "inputs": { "disko": "disko", "home-manager": "home-manager", + "impermanence": "impermanence", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index aaf2266..7e716ec 100644 --- a/flake.nix +++ b/flake.nix @@ -23,6 +23,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + impermanence = { + url = "github:nix-community/impermanence"; + }; + # users home directories home-manager = { url = "github:nix-community/home-manager"; @@ -49,6 +53,7 @@ outputs = { nixpkgs, disko, + impermanence, nixos-hardware, home-manager, ... @@ -102,6 +107,7 @@ specialArgs = {inherit inputs lib;}; modules = [ ./overlays + impermanence.nixosModules.impermanence disko.nixosModules.disko home-manager.nixosModules.home-manager home-manager-config diff --git a/hosts/defiant/disko-config.nix b/hosts/defiant/disko-config.nix index a913aeb..0be19c4 100644 --- a/hosts/defiant/disko-config.nix +++ b/hosts/defiant/disko-config.nix @@ -1,10 +1,9 @@ -{lib, ...}: let +{...}: let bootDisk = devicePath: { type = "disk"; device = devicePath; content = { type = "gpt"; - partitions = { boot = { size = "1M"; @@ -32,37 +31,37 @@ size = "100%"; content = { type = "zfs"; - pool = "zroot"; - }; - }; - }; - }; - }; - cacheDisk = devicePath: swapSize: { - type = "disk"; - device = devicePath; - content = { - type = "gpt"; - partitions = { - encryptedSwap = { - size = swapSize; - content = { - type = "swap"; - randomEncryption = true; - discardPolicy = "both"; - resumeDevice = true; - }; - }; - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "zroot"; + pool = "rpool"; }; }; }; }; }; + # cacheDisk = devicePath: swapSize: { + # type = "disk"; + # device = devicePath; + # content = { + # type = "gpt"; + # partitions = { + # encryptedSwap = { + # size = swapSize; + # content = { + # type = "swap"; + # randomEncryption = true; + # discardPolicy = "both"; + # resumeDevice = true; + # }; + # }; + # zfs = { + # size = "100%"; + # content = { + # type = "zfs"; + # pool = "rpool"; + # }; + # }; + # }; + # }; + # }; in { disko.devices = { disk = { @@ -75,7 +74,7 @@ in { # ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX"; }; zpool = { - zroot = { + rpool = { type = "zpool"; mode = { topology = { @@ -92,7 +91,7 @@ in { } ]; cache = []; - # cache = [ "ssd_2_tb_a" ]; + # cache = [ "ssd_2_tb_a" ];z }; }; @@ -101,34 +100,40 @@ in { }; rootFsOptions = { - encryption = "on"; - keyformat = "hex"; - keylocation = "prompt"; + # encryption = "on"; + # keyformat = "hex"; + # keylocation = "prompt"; compression = "lz4"; xattr = "sa"; acltype = "posixacl"; + canmount = "off"; "com.sun:auto-snapshot" = "false"; }; - mountpoint = "/"; - postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank"; - datasets = { - "nix" = { + root = { + type = "zfs_fs"; + mountpoint = "/"; + options.mountpoint = "legacy"; + postCreateHook = "zfs snapshot rpool/root@blank"; + }; + home = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home"; + postCreateHook = "zfs snapshot rpool/home@blank"; + }; + nix = { type = "zfs_fs"; mountpoint = "/nix"; }; - "home" = { + persistent = { type = "zfs_fs"; - mountpoint = "/mnt/home"; + mountpoint = "/persistent"; options = { "com.sun:auto-snapshot" = "true"; }; }; - "var" = { - type = "zfs_fs"; - mountpoint = "/var"; - }; }; }; }; diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix index edfaeee..0d345f2 100644 --- a/hosts/defiant/hardware-configuration.nix +++ b/hosts/defiant/hardware-configuration.nix @@ -2,9 +2,9 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { + pkgs, config, lib, - pkgs, modulesPath, ... }: { @@ -13,27 +13,136 @@ ../hardware-common.nix ]; + security.sudo.extraConfig = "Defaults lecture=never"; + boot = { initrd = { availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"]; kernelModules = []; + # TODO: figure out some kind of snapshotting before rolebacks + # postDeviceCommands = lib.mkAfter '' + # zfs rollback -r rpool/root@blank + # zfs rollback -r rpool/home@blank + # ''; + systemd = { + enable = lib.mkDefault true; + services.rollback = { + description = "Rollback root filesystem to a pristine state on boot"; + wantedBy = [ + "zfs.target" + "initrd.target" + ]; + after = [ + "zfs-import-rpool.service" + ]; + before = [ + "sysroot.mount" + "fs.target" + ]; + path = with pkgs; [ + zfs + ]; + unitConfig.DefaultDependencies = "no"; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = + # "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/home@blank"; + # }; + serviceConfig.Type = "oneshot"; + script = '' + zfs list -t snapshot || echo + zfs rollback -r rpool/root@blank + zfs rollback -r rpool/home@blank + ''; + }; + }; }; kernelModules = ["kvm-amd"]; + kernelParams = ["quiet"]; extraModulePackages = []; supportedFilesystems = ["zfs"]; - zfs.extraPools = ["zroot"]; + zfs.extraPools = ["rpool"]; }; swapDevices = []; + fileSystems = { + "/" = { + neededForBoot = true; + }; + + "/home" = { + neededForBoot = true; + }; + + "/persistent" = { + neededForBoot = true; + }; + }; + networking = { hostId = "c51763d6"; hostName = "defiant"; # Define your hostname. useNetworkd = true; }; + environment.persistence."/persistent" = { + enable = true; + hideMounts = true; + directories = [ + # "/run/secrets" + + "/etc/ssh" + + "/var/log" + "/var/lib/nixos" + "/var/lib/systemd/coredump" + + # config.apps.pihole.directory.root + + # config.apps.jellyfin.mediaDirectory + # config.services.jellyfin.configDir + # config.services.jellyfin.cacheDir + # config.services.jellyfin.dataDir + + # "/var/hass" # config.users.users.hass.home + # "/var/postgresql" # config.users.users.postgresql.home + # "/var/forgejo" # config.users.users.forgejo.home + # "/var/nextcloud" # config.users.users.nextcloud.home + # "/var/headscale" # config.users.users.headscale.home + ]; + files = [ + "/etc/machine-id" + # config.environment.sessionVariables.SOPS_AGE_KEY_FILE + ]; + users.leyla = { + directories = [ + "documents" + ".ssh" + ]; + files = []; + }; + }; + + # systemd.services = { + # # https://github.com/openzfs/zfs/issues/10891 + # systemd-udev-settle.enable = false; + # # Snapshots are not accessable on boot for some reason this should fix it + # # https://github.com/NixOS/nixpkgs/issues/257505 + # zfs-mount = { + # serviceConfig = { + # # ExecStart = [ "${lib.getExe' pkgs.util-linux "mount"} -a -t zfs -o remount" ]; + # ExecStart = [ + # "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/root -o remount" + # "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/home -o remount" + # "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/persistent -o remount" + # ]; + # }; + # }; + # }; + systemd.network = { enable = true;