diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..13f3e54 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +keys: + # Replace with your actual GPG fingerprint: gpg --list-secret-keys --keyid-format LONG + - &sonja_gpg REPLACE_WITH_GPG_FINGERPRINT + +creation_rules: + - path_regex: secrets/.*\.yaml$ + key_groups: + - pgp: + - *sonja_gpg diff --git a/README.md b/README.md index f7b110d..ccf5f26 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,7 @@ System Software: - weekly GC, 30-day retention - pciutils - nodejs (nodejs_24) + - gqrx Userspace Software (home-manager): diff --git a/flake.lock b/flake.lock index b82509d..0ee4b8e 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "cmpkgs": { "locked": { - "lastModified": 1776169885, - "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", + "lastModified": 1776548001, + "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", + "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc", "type": "github" }, "original": { 
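Review bot: The only recipient in `.sops.yaml` is a personal PGP key, so once the commented `sops.*` options in the host config are enabled nothing on the machine can decrypt at activation time unless that GPG secret key sits in root's keyring — the usual shape is to add the host's own recipient (its SSH host key converted with `ssh-to-age`) as an `age:` list inside the same key group, so author and machine can each decrypt; a second `key_groups` entry would instead require both groups (Shamir), which is not what you want here. The helper comment points at `gpg --list-secret-keys --keyid-format LONG`, which yields the 16-hex long key ID; sops prefers the full 40-hex fingerprint, so `# Replace with your GPG fingerprint: gpg --list-secret-keys --fingerprint` is the better hint. `path_regex: secrets/.*\.yaml$` is unanchored at the start and would also match any nested `.../secrets/` directory; `^secrets/.*\.yaml$` scopes it to the repo-root folder.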
@@ -16,99 +16,24 @@ "type": "github" } }, - "determinate": { + "disko": { "inputs": { - "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", - "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", - "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux", - "nix": "nix", - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1775584659, - "narHash": "sha256-NA5oZRunqxD+4LNdU7ZKJHqwuazKyAmBjO4OHXL14X4=", - "owner": "DeterminateSystems", - "repo": "determinate", - "rev": "21dcaa011d3d35cf42a04e988eaac9b28c97a707", - "type": "github" - }, - "original": { - "owner": "DeterminateSystems", - "repo": "determinate", - "type": "github" - } - }, - "determinate-nixd-aarch64-darwin": { - "flake": false, - "locked": { - "narHash": "sha256-qLWfYk9qkb21wKCDWnhMfqBFjcdBBJkNUKBlvdHSLgA=", - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS" - }, - "original": { - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS" - } - }, - "determinate-nixd-aarch64-linux": { - "flake": false, - "locked": { - "narHash": "sha256-0BmprPIRTopvJ2QdImOMP+TujAPVgRdl0bUL3vhqGIY=", - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux" - }, - "original": { - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux" - } - }, - "determinate-nixd-x86_64-linux": { - "flake": false, - "locked": { - "narHash": "sha256-+Q85cySxr0FB/cr97hk/WWYgeJY+iC4OH+FjGYygIbU=", - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux" - }, - "original": { - "type": "file", - "url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - 
"repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "determinate", - "nix", - "nixpkgs" + "nixpkgs": [ + "cmpkgs" ] }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", - "revCount": 377, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz" + "lastModified": 1776613567, + "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=", + "owner": "nix-community", + "repo": "disko", + "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1" + "owner": "nix-community", + "repo": "disko", + "type": "github" } }, "flake-utils": { @@ -129,32 +54,6 @@ "type": "github" } }, - "git-hooks-nix": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": [ - "determinate", - "nix" - ], - "nixpkgs": [ - "determinate", - "nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", - "revCount": 1026, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941" - } - }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -162,11 +61,11 @@ ] }, "locked": { - "lastModified": 1776184304, - "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=", + "lastModified": 1777054018, + "narHash": "sha256-tTNS7V6xN/LX1KZ0TrdOnj375ZrsUlLoce4qxZwDN9U=", "owner": "nix-community", "repo": "home-manager", - "rev": "3c7524c68348ef79ce48308e0978611a050089b2", + "rev": "ffbd94a1c9d7d3e1258e51c084ab2109da04f2b1", "type": "github" }, "original": { @@ -182,11 +81,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1775999376, - "narHash": "sha256-p0ychd1iag2L0mYE3hnI82MfbvIWSrBEwmPPTuYtDLw=", + "lastModified": 1776604187, + "narHash": "sha256-rYAdN6wIB+li/dnF45di0ZplEzAbUr//r8T4TgTDMK4=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "2a998a6095a007e037d9a382a27991580be56c56", + "rev": "ca6dd228fe3daf2f4bd08a46717d68aa44490b48", "type": "github" }, "original": { @@ -195,34 +94,13 @@ "type": "github" } }, - "nix": { - "inputs": { - "flake-parts": "flake-parts", - "git-hooks-nix": "git-hooks-nix", - "nixpkgs": "nixpkgs", - "nixpkgs-23-11": "nixpkgs-23-11", - "nixpkgs-regression": "nixpkgs-regression" - }, - "locked": { - "lastModified": 1775583600, - "narHash": "sha256-/shs/3GA4R3rxhhqpPbEMnDZKbCvf3VpwnHB75nkTcI=", - "rev": "e9b4735be7b90cf49767faf5c36f770ac1bdc586", - "revCount": 24880, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.17.3/019d6913-e8c2-7128-ba76-3dc4f6b58158/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1775490113, - "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=", + "lastModified": 1776983936, + "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7", + "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", "type": "github" }, "original": { 
@@ -231,43 +109,13 @@ "type": "github" } }, - "nixpkgs": { - "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", - "revCount": 811874, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" - } - }, - "nixpkgs-23-11": { - "locked": { - "lastModified": 1717159533, - "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", - "type": "github" - } - }, "nixpkgs-lib": { "locked": { - "lastModified": 1775959049, - "narHash": "sha256-o2JFoAWll4ZuHnVKX2ld03ynKR2zkvTDxJ/ZTCDz2/I=", + "lastModified": 1776564050, + "narHash": "sha256-01CvP7g0lwWuB1ruUKUy/xZqorQYKaTd4iPdCAoToFk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "ec2b7be3c0b3b764aa0380fa32aa304a5b680cf8", + "rev": "927c9af2765fead764f1a6b9557feef2a40201f5", "type": "github" }, "original": { 
@@ -276,29 +124,13 @@ "type": "github" } }, - "nixpkgs-regression": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { - "lastModified": 1776255774, - "narHash": "sha256-psVTpH6PK3q1htMJpmdz1hLF5pQgEshu7gQWgKO6t6Y=", + "lastModified": 1776949667, + "narHash": "sha256-GMSVw35Q+294GlrTUKlx087E31z7KurReQ1YHSKp5iw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "566acc07c54dc807f91625bb286cb9b321b5f42a", + "rev": "01fbdeef22b76df85ea168fbfe1bfd9e63681b30", "type": "github" }, "original": { @@ -308,24 +140,10 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1775464765, - "narHash": "sha256-nex6TL2x1/sVHCyDWcvl1t/dbTedb9bAGC4DLf/pmYk=", - "rev": "83e29f2b8791f6dec20804382fcd9a666d744c07", - "revCount": 975711, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.975711%2Brev-83e29f2b8791f6dec20804382fcd9a666d744c07/019d6689-cde2-7061-b044-e0ef61ade488/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1" - } - }, "root": { "inputs": { "cmpkgs": "cmpkgs", - "determinate": "determinate", + "disko": "disko", "home-manager": "home-manager", "lib-aggregate": "lib-aggregate", "nixos-hardware": "nixos-hardware", 
@@ -340,11 +158,11 @@ ] }, "locked": { - "lastModified": 1776119890, - "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=", + "lastModified": 1776771786, + "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd", + "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8669df0..ff82d1f 100644 --- a/flake.nix +++ b/flake.nix @@ -19,7 +19,10 @@ inputs.nixpkgs.follows = "cmpkgs"; }; - determinate.url = "github:DeterminateSystems/determinate"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "cmpkgs"; + }; }; outputs = inputs: @@ -42,8 +45,8 @@ mkSystem = n: _v: let defaults = { - npkgs = inputs.cmpkgs; - path = ./hosts/${n}/configuration.nix; + npkgs = inputs.cmpkgs; + path = ./hosts/${n}/configuration.nix; extraModules = [ ]; }; v = defaults // _v; @@ -52,10 +55,25 @@ modules = [ v.path inputs.home-manager.nixosModules.home-manager + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops ] ++ v.extraModules; specialArgs = { inherit inputs; }; }; + mkIso = n: _v: + let + defaults = { + npkgs = inputs.cmpkgs; + path = ./hosts/${n}/configuration.nix; + }; + v = defaults // _v; + in + v.npkgs.lib.nixosSystem { + modules = [ v.path ]; + specialArgs = { inherit inputs; }; + }; + ## Top-level nixos configs, keyed by system nixosConfigsEx = { "x86_64-linux" = { @@ -65,7 +83,9 @@ }; nixosConfigs = lib.foldl' (op: nul: nul // op) { } (lib.attrValues nixosConfigsEx); - nixosConfigurations = lib.mapAttrs (n: v: mkSystem n v) nixosConfigs; + nixosConfigurations = lib.mapAttrs (n: v: mkSystem n v) nixosConfigs // { + iso = mkIso "iso" { }; + }; toplevels = lib.mapAttrs (_: v: v.config.system.build.toplevel) nixosConfigurations; nixosModules = { }; diff --git a/home/sonja/home.nix b/home/sonja/home.nix index ea2dcd6..649fdfd 100644 --- a/home/sonja/home.nix 
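Review bot: Merging `iso = mkIso "iso" { }` into `nixosConfigurations` also feeds it into `toplevels` two lines below, so anything that builds `toplevels` (CI or a flake check, if one exists) will now build the full Plasma live-image closure, and the artifact that actually matters for the ISO is `config.system.build.isoImage`, not its toplevel. Consider `toplevels = lib.mapAttrs (_: v: v.config.system.build.toplevel) (removeAttrs nixosConfigurations [ "iso" ]);` and exposing the image as a package output. Stylistically `mkIso` repeats `mkSystem`'s `defaults` block while dropping `extraModules`; a one-line comment that the ISO deliberately skips the home-manager, disko and sops modules would explain why it is not just `mkSystem` with a flag. The `outputs` function these hunks sit in starts and ends outside the hunks.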
+++ b/home/sonja/home.nix @@ -9,8 +9,6 @@ home.username = "sonja"; home.homeDirectory = "/home/sonja"; - nixpkgs.config.allowUnfree = true; - custom.pgp.enable = true; home.packages = [ diff --git a/hosts/coven/configuration.nix b/hosts/coven/configuration.nix index 560eed3..4357b14 100644 --- a/hosts/coven/configuration.nix +++ b/hosts/coven/configuration.nix @@ -3,7 +3,9 @@ { imports = [ ./hardware-configuration.nix + ./disk.nix ../../modules/nixos/garbage-collection.nix + inputs.nixos-hardware.nixosModules.framework-13th-gen-intel ]; hardware.graphics.enable32Bit = true; @@ -16,6 +18,25 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey). + # Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks + # A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default. + # initrdUnlock is false in disk.nix so we own the full device config here. + boot.initrd.systemd.fido2.enable = true; + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-partlabel/disk-main-luks"; + allowDiscards = true; + bypassWorkqueues = true; + crypttabExtraOpts = [ "fido2-device=auto" ]; + }; + + # zram swap — 8 GB on a 16 GB machine, no swap partition needed + zramSwap = { + enable = true; + memoryPercent = 50; + algorithm = "zstd"; + }; + # Use latest kernel boot.kernelPackages = pkgs.linuxPackages_latest; 
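Review bot: `crypttabExtraOpts` and `boot.initrd.systemd.fido2.enable` only take effect with the systemd-based initrd, and this hunk does not set `boot.initrd.systemd.enable = true;` — unless it is set elsewhere in this host's config, the scripted initrd ignores `fido2-device=auto` and silently falls back to the passphrase prompt, so the FIDO2 path should be verified on first boot and the option added here if it is missing. `allowDiscards = true` passes TRIM through LUKS and therefore reveals the device's free-space layout; that is a common, deliberate SSD trade-off but deserves a why-comment such as `# allowDiscards leaks which blocks are unused through the encryption layer; accepted for SSD wear.`. The "recovery passphrase in slot 0" comment holds only as long as nobody later runs `systemd-cryptenroll --wipe-slot=password`; worth saying so in the comment, since losing both the token and slot 0 means losing the disk.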
@@ -135,8 +156,32 @@ pinentry-curses ranger nodejs_24 + gqrx ]; programs.noisetorch.enable = true; + + # btrfs snapshots — timeline via snapper + services.snapper.configs.root = { + SUBVOLUME = "/"; + ALLOW_USERS = [ "sonja" ]; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_LIMIT_HOURLY = 24; + TIMELINE_LIMIT_DAILY = 7; + TIMELINE_LIMIT_WEEKLY = 4; + TIMELINE_LIMIT_MONTHLY = 6; + TIMELINE_LIMIT_YEARLY = 2; + }; + + # sops — dormant until .sops.yaml is populated with your GPG fingerprint + # and secrets/secrets.yaml is created and encrypted. + # sops.defaultSopsFile = ../../secrets/secrets.yaml; + # sops.gnupg.sshKeyPaths = []; + # sops.secrets.ssh_host_ed25519_key = { + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # Note: system.autoUpgrade with a channel URL does not apply to flake-managed # systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead. system.stateVersion = "25.11"; diff --git a/hosts/coven/disk.nix b/hosts/coven/disk.nix new file mode 100644 index 0000000..d8b2480 --- /dev/null +++ b/hosts/coven/disk.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + imports = [ ../../modules/nixos/disk.nix ]; + + disk.device = "/dev/nvme0n1"; +} diff --git a/hosts/coven/hardware-configuration.nix b/hosts/coven/hardware-configuration.nix index 1eca317..4cbef96 100644 --- a/hosts/coven/hardware-configuration.nix +++ b/hosts/coven/hardware-configuration.nix 
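Review bot: The commented sops template disables SSH-derived GPG keys (`sops.gnupg.sshKeyPaths = []`) without pointing `sops.gnupg.home` at a keyring, so uncommenting it as written leaves the host with no key to decrypt `secrets.yaml` at activation; and if the host's decryption key is ever derived from `/etc/ssh/ssh_host_ed25519_key`, that same file cannot also be a sops-managed secret (chicken-and-egg). The conventional shape is `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with the host's age recipient in `.sops.yaml`, leaving the host key to `services.openssh` rather than delivering it via sops. Separately, the snapper config on `/` captures only the `@` subvolume — `/home`, `/nix` and `/var/log` are separate subvolumes per `modules/nixos/disk.nix` and are not included; a comment like `# Only the root subvolume (@) is snapshotted; /home is a separate subvolume and needs its own snapper config.` would prevent a false sense of coverage. `ALLOW_USERS = [ "sonja" ]` lets that user create and delete root-filesystem snapshots without sudo, which is presumably intended but worth a note.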
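Review bot: `disk.device = "/dev/nvme0n1"` is a kernel-enumeration name that can change when a second NVMe or a USB enclosure is attached, and the ISO's `install-coven` runs `disko --mode disko` against it destructively; disko's own guidance is a stable path such as `disk.device = "/dev/disk/by-id/nvme-<model>_<serial>";`. The install script's WARNING text independently hardcodes `/dev/nvme0n1`, so the two can drift; at minimum a comment here pointing at that duplicate, or better having the script read the device from the flake evaluation, keeps them aligned.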
@@ -1,31 +1,15 @@ -# Do not modify this file! It was generated by 'nixos-generate-config' -# and may be overwritten by future invocations. Please make changes -# to hosts/coven/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/2e49499a-0cf2-4c30-932f-1c0aec68cb15"; - fsType = "ext4"; - }; + # fileSystems and swapDevices are owned by disko (hosts/coven/disk.nix). - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/A6AE-6122"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/iso/configuration.nix b/hosts/iso/configuration.nix new file mode 100644 index 0000000..b794359 --- /dev/null +++ b/hosts/iso/configuration.nix 
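Review bot: With the generated-file header removed and `fileSystems`/`swapDevices` now owned by disko, a later `nixos-generate-config` run would write back a `fileSystems."/"` block that conflicts with `disko.devices`; a comment next to the existing note, e.g. `# Hand-maintained: do NOT regenerate with nixos-generate-config; filesystems come from disk.nix.`, makes the intent explicit. The initrd module list (`xhci_pci`, `usbhid`) is presumably what lets the YubiKey be seen before the root is unlocked, so a why-comment such as `# xhci_pci/usbhid must stay in initrd for the FIDO2 LUKS unlock` would protect those entries from being pruned as "unused".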
@@ -0,0 +1,82 @@
+{ pkgs, modulesPath, inputs, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix")
+ ];
+
+ # Tools needed for the install process
+ environment.systemPackages = with pkgs; [
+ # Disk setup
+ inputs.disko.packages.${pkgs.system}.disko
+ cryptsetup
+ # YubiKey enrollment (systemd-cryptenroll for FIDO2)
+ yubikey-personalization
+ yubikey-manager
+ libfido2
+ # Misc
+ git
+ # Install script — available as `install-coven` in PATH
+ (pkgs.writeShellScriptBin "install-coven" ''
+ set -euo pipefail
+
+ FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main"
+ LUKS_PART="/dev/disk/by-partlabel/disk-main-luks"
+
+ echo "======================================================"
+ echo " coven install script"
+ echo " Flake: ''${FLAKE}"
+ echo "======================================================"
+ echo ""
+ echo "WARNING: This will ERASE ALL DATA on /dev/nvme0n1"
+ echo "Press Enter to continue or Ctrl-C to abort."
+ read -r
+
+ echo ""
+ echo "[1/5] Partitioning, formatting, and mounting via disko..."
+ echo "(You will be prompted to set a LUKS passphrase — this becomes your recovery key.)"
+ disko --mode disko --flake "''${FLAKE}#coven"
+
+ echo ""
+ echo "[2/5] Enrolling YubiKey FIDO2 into LUKS container..."
+ echo " Insert your YubiKey and touch it when prompted."
+ systemd-cryptenroll --fido2-device=auto "''${LUKS_PART}"
+
+ echo ""
+ echo "[3/5] Installing NixOS..."
+ nixos-install --flake "''${FLAKE}#coven" --no-root-password --root /mnt
+
+ echo ""
+ echo "[4/5] Setting user password for sonja..."
+ nixos-enter --root /mnt -c 'passwd sonja'
+
+ echo ""
+ echo "[5/5] Done!"
+ echo ""
+ echo "Next steps after first boot:"
+ echo " 1. Fill in your GPG fingerprint in .sops.yaml"
+ echo " 2. Create and encrypt secrets/secrets.yaml"
+ echo " 3. Uncomment sops config in hosts/coven/configuration.nix"
+ echo ""
+ echo "Remove the install media and reboot."
+ read -rp "Reboot now? 
[y/N] " yn + if [[ "''${yn}" =~ ^[Yy]$ ]]; then + reboot + fi + '') + ]; + + services.udev.packages = [ pkgs.yubikey-personalization ]; + services.pcscd.enable = true; + + # Enable SSH so the machine can be administered remotely during install + services.openssh.enable = true; + # Add your SSH public key here to allow passwordless remote access from the ISO + # users.users.nixos.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA..." ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + isoImage.squashfsCompression = "zstd -Xcompression-level 6"; + + system.stateVersion = "25.11"; +} diff --git a/modules/nixos/disk.nix b/modules/nixos/disk.nix new file mode 100644 index 0000000..1a1b1d6 --- /dev/null +++ b/modules/nixos/disk.nix 
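Review bot: `FLAKE` points at `?ref=main` with no `rev=`, and the script fetches it twice — once for `disko --mode disko` and again for `nixos-install` — so a push to `main` between the two steps (or a compromised forge or TLS path) can install a system whose expected disk layout differs from the one disko just created, on a disk that has already been erased; pin a commit, e.g. `FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main&rev=<sha>"`, or resolve it once with `nix flake metadata --json` and print the locked rev for the operator to confirm before the erase prompt. `services.openssh.enable = true` on the live medium opens sshd with no authorized key configured; NixOS's sshd defaults reject empty passwords and password root login, but anyone who runs `passwd` on the console turns password SSH on, so add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, or gate `enable` on a key being set. The WARNING string hardcodes `/dev/nvme0n1` while the real target lives in `hosts/coven/disk.nix`, so the two can drift. `pkgs.system` is deprecated in favour of `pkgs.stdenv.hostPlatform.system`.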
@@ -0,0 +1,74 @@
+{ config, lib, ... }:
+
+let
+ device = config.disk.device;
+in
+{
+ options.disk.device = lib.mkOption {
+ type = lib.types.str;
+ description = "Block device to partition, e.g. /dev/nvme0n1";
+ };
+
+ config = {
+ disko.devices = {
+ disk.main = {
+ inherit device;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ size = "2G";
+ type = "EF00";
+ label = "esp";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "disk-main-luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ # initrd unlock managed manually in configuration.nix to include
+ # YubiKey challenge-response settings.
+ initrdUnlock = false;
+ extraFormatArgs = [ "--type" "luks2" "--pbkdf" "argon2id" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "@" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
+ };
+ "@log" = {
+ mountpoint = "/var/log";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
+ };
+ "@snapshots" = {
+ mountpoint = "/.snapshots";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
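Review bot: The comment at `initrdUnlock = false` says the manual initrd config exists for "YubiKey challenge-response settings", but the host config enrolls the token with `systemd-cryptenroll --fido2-device=auto`, which is the FIDO2 hmac-secret scheme rather than the yubikey-luks challenge-response one — the wording sends the next reader to the wrong option; reword to `# initrd unlock is declared in the host config so the FIDO2 (systemd-cryptenroll) crypttab options can be set there.`. `extraFormatArgs = [ "--type" "luks2" "--pbkdf" "argon2id" ]` matches current cryptsetup defaults, so it documents rather than hardens; a note like `# explicit for clarity — these are cryptsetup >= 2.4 defaults` avoids a reader assuming it changes anything, and if a specific KDF cost is wanted add `--pbkdf-memory`/`--iter-time`. The LUKS partition carries no `type`, so it presumably gets disko's default GPT type; `type = "8309";` (Linux LUKS) is cosmetic but makes the layout self-describing.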