remote install config

2026-04-24 14:48:12 -05:00
parent 015e786e23
commit 613e37d58b
11 changed files with 283 additions and 245 deletions
--- a/hosts/coven/configuration.nix
+++ b/hosts/coven/configuration.nix
@@ -3,7 +3,9 @@
 {
  imports = [
    ./hardware-configuration.nix
+    ./disk.nix
    ../../modules/nixos/garbage-collection.nix
+    inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
  ];

  hardware.graphics.enable32Bit = true;
@@ -16,6 +18,25 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

+  # LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey).
+  # Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks
+  # A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.
+  # initrdUnlock is false in disk.nix so we own the full device config here.
+  boot.initrd.systemd.fido2.enable = true;
+  boot.initrd.luks.devices."cryptroot" = {
+    device           = "/dev/disk/by-partlabel/disk-main-luks";
+    allowDiscards    = true;
+    bypassWorkqueues = true;
+    crypttabExtraOpts = [ "fido2-device=auto" ];
+  };
+
+  # zram swap — 8 GB on a 16 GB machine, no swap partition needed
+  zramSwap = {
+    enable        = true;
+    memoryPercent = 50;
+    algorithm     = "zstd";
+  };
+
  # Use latest kernel
  boot.kernelPackages = pkgs.linuxPackages_latest;

@@ -135,8 +156,32 @@
    pinentry-curses
    ranger
    nodejs_24
+    gqrx
  ];
  programs.noisetorch.enable = true;
+
+  # btrfs snapshots — timeline via snapper
+  services.snapper.configs.root = {
+    SUBVOLUME              = "/";
+    ALLOW_USERS            = [ "sonja" ];
+    TIMELINE_CREATE        = true;
+    TIMELINE_CLEANUP       = true;
+    TIMELINE_LIMIT_HOURLY  = 24;
+    TIMELINE_LIMIT_DAILY   = 7;
+    TIMELINE_LIMIT_WEEKLY  = 4;
+    TIMELINE_LIMIT_MONTHLY = 6;
+    TIMELINE_LIMIT_YEARLY  = 2;
+  };
+
+  # sops — dormant until .sops.yaml is populated with your GPG fingerprint
+  # and secrets/secrets.yaml is created and encrypted.
+  # sops.defaultSopsFile = ../../secrets/secrets.yaml;
+  # sops.gnupg.sshKeyPaths = [];
+  # sops.secrets.ssh_host_ed25519_key = {
+  #   path = "/etc/ssh/ssh_host_ed25519_key";
+  #   mode = "0600";
+  # };
+
  # Note: system.autoUpgrade with a channel URL does not apply to flake-managed
  # systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead.
  system.stateVersion = "25.11";
--- a/hosts/coven/disk.nix
+++ b/hosts/coven/disk.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  imports = [ ../../modules/nixos/disk.nix ];
+
+  disk.device = "/dev/nvme0n1";
+}
--- a/hosts/coven/hardware-configuration.nix
+++ b/hosts/coven/hardware-configuration.nix
@@ -1,31 +1,15 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
-# and may be overwritten by future invocations.  Please make changes
-# to hosts/coven/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.kernelModules          = [ ];
+  boot.kernelModules                 = [ "kvm-intel" ];
+  boot.extraModulePackages           = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/2e49499a-0cf2-4c30-932f-1c0aec68cb15";
-      fsType = "ext4";
-    };
+  # fileSystems and swapDevices are owned by disko (hosts/coven/disk.nix).

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A6AE-6122";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices = [ ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  nixpkgs.hostPlatform          = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/iso/configuration.nix
+++ b/hosts/iso/configuration.nix
@@ -0,0 +1,82 @@
+{ pkgs, modulesPath, inputs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix")
+  ];
+
+  # Tools needed for the install process
+  environment.systemPackages = with pkgs; [
+    # Disk setup
+    inputs.disko.packages.${pkgs.system}.disko
+    cryptsetup
+    # YubiKey enrollment (systemd-cryptenroll for FIDO2)
+    yubikey-personalization
+    yubikey-manager
+    libfido2
+    # Misc
+    git
+    # Install script — available as `install-coven` in PATH
+    (pkgs.writeShellScriptBin "install-coven" ''
+      set -euo pipefail
+
+      FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main"
+      LUKS_PART="/dev/disk/by-partlabel/disk-main-luks"
+
+      echo "======================================================"
+      echo "  coven install script"
+      echo "  Flake: ''${FLAKE}"
+      echo "======================================================"
+      echo ""
+      echo "WARNING: This will ERASE ALL DATA on /dev/nvme0n1"
+      echo "Press Enter to continue or Ctrl-C to abort."
+      read -r
+
+      echo ""
+      echo "[1/5] Partitioning, formatting, and mounting via disko..."
+      echo "(You will be prompted to set a LUKS passphrase — this becomes your recovery key.)"
+      disko --mode disko --flake "''${FLAKE}#coven"
+
+      echo ""
+      echo "[2/5] Enrolling YubiKey FIDO2 into LUKS container..."
+      echo "      Insert your YubiKey and touch it when prompted."
+      systemd-cryptenroll --fido2-device=auto "''${LUKS_PART}"
+
+      echo ""
+      echo "[3/5] Installing NixOS..."
+      nixos-install --flake "''${FLAKE}#coven" --no-root-password --root /mnt
+
+      echo ""
+      echo "[4/5] Setting user password for sonja..."
+      nixos-enter --root /mnt -c 'passwd sonja'
+
+      echo ""
+      echo "[5/5] Done!"
+      echo ""
+      echo "Next steps after first boot:"
+      echo "  1. Fill in your GPG fingerprint in .sops.yaml"
+      echo "  2. Create and encrypt secrets/secrets.yaml"
+      echo "  3. Uncomment sops config in hosts/coven/configuration.nix"
+      echo ""
+      echo "Remove the install media and reboot."
+      read -rp "Reboot now? [y/N] " yn
+      if [[ "''${yn}" =~ ^[Yy]$ ]]; then
+        reboot
+      fi
+    '')
+  ];
+
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+  services.pcscd.enable  = true;
+
+  # Enable SSH so the machine can be administered remotely during install
+  services.openssh.enable = true;
+  # Add your SSH public key here to allow passwordless remote access from the ISO
+  # users.users.nixos.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA..." ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  isoImage.squashfsCompression = "zstd -Xcompression-level 6";
+
+  system.stateVersion = "25.11";
+}