From 2a30c00ffbbcb1ac46a2fb41f7c489595294ccd8 Mon Sep 17 00:00:00 2001
From: Leyla Becker <git@jan-leila.com>
Date: Sat, 14 Sep 2024 09:19:08 -0500
Subject: [PATCH] got nixos-anywhere half working

---
 README.md                                |  21 ++--
 flake.lock                               |  21 ++++
 flake.nix                                |  10 +-
 hosts/defiant/configuration.nix          |  30 +++++-
 hosts/defiant/disko-config.nix           | 120 +++++++++++++++++++++++
 hosts/defiant/hardware-configuration.nix |   8 +-
 6 files changed, 193 insertions(+), 17 deletions(-)
 create mode 100644 hosts/defiant/disko-config.nix

diff --git a/README.md b/README.md
index 6783009..c3773c0 100644
--- a/README.md
+++ b/README.md
@@ -17,25 +17,31 @@
 `./rebuild.sh`
 
 # New machine setup
+
 keys for decrypting password secrets for each users located at ~/.config/sops/age/keys.txt
+> TODO: `keys.txt`` should prob be readable by owning user only?
 
 updating passwords: `sops secrets/secrets.yaml`
 
-TODO: keys.txt should prob be readable by owning user only?
+`nix run github:nix-community/nixos-anywhere/69ad3f4a50cfb711048f54013404762c9a8e201e -- --flake '.#defiant' nixos@192.168.1.130 --extra-files ~/.config/sops/age/`
 
 > how the current config was set up https://www.youtube.com/watch?v=G5f6GC7SnhU
 
-> look into this? `https://technotim.live/posts/rotate-sops-encryption-keys/`
-
 > something about ssh keys for remotes
 
+# Notes:
+- Look into this for fixing nixos-anywhere `https://github.com/lucidph3nx/nixos-config/tree/main`
+- Look into this for rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
+- Look into this for openssh known configurations https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh
+- Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
+
 # Updating
 `nix flake update`
 
 # Tasks:
 
 ## Tech Debt
-- allowUnfree should be dynamically enabled by the users whenever they need them
+- allowUnfree should be dynamically enabled by the users whenever they need them (this isnt enabled at all right now for some reason???)
 - GNOME default monitors per hardware configuration?
 - graphics driver things should prob be in the hardware-configuration.nix
 - what does `boot.kernelModules = [ "sg" ]` do?
@@ -45,11 +51,12 @@ TODO: keys.txt should prob be readable by owning user only?
 - DISKO for server
 - STOP FROM SLEEPING
 - VS code extensions should be installed declaratively
-- Flake templates - https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
+- Flake templates
 - Install all the things on the NAS
 - firefox declarative???
 - figure out steam vr things?
 - Open GL?
 - util functions
-- openssh known hosts https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh
-- limit boot configurations to 2 on defiant
\ No newline at end of file
+- openssh known hosts
+- limit boot configurations to 2 on defiant
+- rotate sops encryption keys
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 1e8ab51..1182330 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725377834,
+        "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -86,6 +106,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index e75e133..ee87ab5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,12 @@
     # encrypt files that contain secreats that I would like to not encrypt
     sops-nix.url = "github:Mic92/sops-nix";
 
+    # declairtive disk configuration
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # managment per user
     home-manager = {
       url = "github:nix-community/home-manager";
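Review bot: The comment introduced above the new `disko` input misspells its key word, `# declairtive disk configuration`; I'd write `# declarative disk configuration (partitioning and formatting driven from this flake)`. The sops-nix comment two lines above it (`secreats that I would like to not encrypt`) is untouched by this commit but says the opposite of what it means, so it is worth correcting in the same pass since the two comments sit together.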
@@ -18,7 +24,7 @@
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
   };
 
-  outputs = { self, nixpkgs, nixos-hardware, ... }@inputs:
+  outputs = { self, nixpkgs, disko, nixos-hardware, ... }@inputs:
     let
       forEachSystem = nixpkgs.lib.genAttrs [
         "aarch64-darwin"
@@ -53,6 +59,8 @@
         defiant = nixpkgs.lib.nixosSystem {
           specialArgs = { inherit inputs; };
           modules = [
+            disko.nixosModules.disko
+            ./hosts/defiant/disko-config.nix
             ./hosts/defiant/configuration.nix
           ];
         };
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index a80c520..bff81ea 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -11,19 +11,39 @@
       ../../enviroments/server
     ];
 
-  sops.defaultSopsFile = ../../secrets/secrets.yaml;
-  sops.defaultSopsFormat = "yaml";
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
 
-  sops.age.keyFile = "/home/leyla/.config/sops/age/keys.txt";
+    age ={
+      keyFile = "/home/leyla/.config/sops/age/keys.txt";
+      # sshKeyPaths = ["${config.home.homeDirectory}/.ssh/nix-ed25519"];
+      # generateKey = true;
+    };
+  };
+
+  # home.sessionVariables = {
+  #   SOPS_AGE_KEY_FILE = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+  # };
 
   users.leyla.isThinUser = true;
 
   boot.loader.grub = {
     enable = true;
-    device = "/dev/sda";
-    useOSProber = true;
+    zfsSupport = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    # devices = [ "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0-part2" ];
+    # mirroredBoots = [
+    #   { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB-part1" ]; path = "/boot1"; efiSysMountPoint = "/boot"; }
+    #   { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC-part1" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
+    #   { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH-part1" ]; path = "/boot3"; efiSysMountPoint = "/boot3"; }
+    # ];
   };
 
+  boot.supportedFilesystems = [ "zfs" ];
+
+  networking.hostId = "c8985fc5"; # TODO: populate this when I get home
   networking.hostName = "defiant"; # Define your hostname.
 
   nixpkgs.config.allowUnfree = true;
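Review bot: `networking.hostId = "c8985fc5"; # TODO: populate this when I get home` assigns a value while its comment says the value is still to be filled in; ZFS records the hostId in the pool and refuses a normal import of a pool created under a different one, so this should be the id generated on the machine itself (e.g. the first 8 hex digits of `/etc/machine-id`) and the TODO resolved once it is. The removed `device = "/dev/sda"` is not replaced by a `devices` list in the new grub block; if this relies on disko deriving `boot.loader.grub.devices` from the EF02 partition in disko-config.nix, a one-line comment stating that dependency would make it explicit. The commented-out lines referencing `config.home.homeDirectory` look like home-manager options and would probably not resolve in this NixOS module if uncommented as-is, so a note on where they belong (or dropping them) would avoid a surprise later.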
diff --git a/hosts/defiant/disko-config.nix b/hosts/defiant/disko-config.nix
new file mode 100644
index 0000000..3a113eb
--- /dev/null
+++ b/hosts/defiant/disko-config.nix
@@ -0,0 +1,120 @@
+{ lib, ... }:
+let
+  bootDisk = devicePath: {
+    type = "disk";
+    device = devicePath;
+    content = {
+      type = "gpt";
+  
+      partitions = {
+        boot = {
+          size = "1M";
+          type = "EF02"; # for grub MBR
+        };
+        ESP = {
+          size = "1G";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+  zfsDisk = devicePath: {
+    type = "disk";
+    device = devicePath;
+    content = {
+      type = "gpt";
+      partitions = {
+        zfs = {
+          size = "100%";
+          content = {
+            type = "zfs";
+            pool = "zpool";
+          };
+        };
+      };
+    };
+  };
+in {
+  disko.devices = {
+    disk = {
+      boot = bootDisk "/dev/sda"; # "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0";
+
+      # hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB";
+      # hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
+      # hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
+
+      # ssd_2_tb_a = zfsDisk "/dev/disk/by-id/XXX";
+    };
+    # zpool = {
+    #   zpool = {
+    #     type = "zpool";
+    #     mode = {
+    #       topology = {
+    #         type = "topology";
+    #         vdev = [
+    #           {
+    #             # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs???
+    #             mode = "mirror";
+    #             members = [
+    #               "hd_13_tb_a" "hd_13_tb_b" "hd_13_tb_c"
+    #             ];
+    #           }
+    #         ];
+    #         cache = [ ];
+    #         # cache = [ "ssd_2_tb_a" ];
+    #       };
+    #     };
+
+    #     options = {
+    #       ashift = "12";
+    #     };
+
+    #     rootFsOptions = {
+    #       encryption = "on";
+    #       keyformat = "hex";
+    #       keylocation = "prompt";
+    #       compression = "lz4";
+    #       xattr = "sa";
+    #       acltype = "posixacl";
+    #       "com.sun:auto-snapshot" = "false";
+    #     };
+        
+    #     datasets = {
+    #       "root" = {
+    #         type = "zfs_fs";
+    #         mountpoint = "/";
+    #       };
+    #       "nix" = {
+    #         type = "zfs_fs";
+    #         mountpoint = "/nix";
+    #       };
+    #       "home" = {
+    #         type = "zfs_fs";
+    #         mountpoint = "/home";
+    #         options = {
+    #           "com.sun:auto-snapshot" = "true";
+    #         };
+    #       };
+    #       "var" = {
+    #         type = "zfs_fs";
+    #         mountpoint = "/var";
+    #       };
+    #     };
+    #   };
+    # };
+  };
+}
+
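Review bot: `boot = bootDisk "/dev/sda";` names the disk that disko will wipe and repartition by its kernel name, which can change between boots or with USB enumeration order, so a nixos-anywhere run could format a different disk than intended; the commented-out entries below already use `/dev/disk/by-id/...` paths, and the boot disk should too, e.g. `boot = bootDisk "/dev/disk/by-id/<BOOT-DISK-ID>";` (placeholder for the real id). The `lib` binding in the module header is unused, and the line after `type = "gpt";` in `bootDisk` is whitespace-only. Because configuration.nix enables `zfsSupport` in grub while this file puts `/` on ext4 and the whole `zpool` block is commented out, a short header comment stating that the ZFS layout is pending and the ext4 root is the interim layout would help the next reader.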
diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix
index 575ae36..cd075ca 100644
--- a/hosts/defiant/hardware-configuration.nix
+++ b/hosts/defiant/hardware-configuration.nix
@@ -13,10 +13,10 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/dc6a9664-80f2-4988-afd7-fee5bd3ee2ca";
-      fsType = "ext4";
-    };
+  # fileSystems."/" =
+  #   { device = "/dev/disk/by-uuid/dc6a9664-80f2-4988-afd7-fee5bd3ee2ca";
+  #     fsType = "ext4";
+  #   };
 
   swapDevices = [ ];