wytch/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remote install config

Browse Source
This commit is contained in:
wytch
2026-04-24 14:48:12 -05:00
parent 015e786e23
commit 613e37d58b
11 changed files with 283 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.sops.yaml Normal file
View File

@@ -0,0 +1,9 @@
keys:
# Replace with your actual GPG fingerprint: gpg --list-secret-keys --keyid-format LONG
- &sonja_gpg REPLACE_WITH_GPG_FINGERPRINT
creation_rules:
- path_regex: secrets/.*\.yaml$
key_groups:
- pgp:
- *sonja_gpg

1
README.md
View File

@@ -59,6 +59,7 @@ System Software:
- weekly GC, 30-day retention - weekly GC, 30-day retention
- pciutils - pciutils
- nodejs (nodejs_24) - nodejs (nodejs_24)
- gqrx
Userspace Software (home-manager): Userspace Software (home-manager):

250
flake.lock generated
View File

@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"cmpkgs": { "cmpkgs": {
"locked": { "locked": {
"lastModified": 1776169885, "lastModified": 1776548001,
"narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -16,99 +16,24 @@
"type": "github" "type": "github"
} }
}, },
"determinate": { "disko": {
"inputs": { "inputs": {
"determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", "nixpkgs": [
"determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", "cmpkgs"
"determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1775584659,
"narHash": "sha256-NA5oZRunqxD+4LNdU7ZKJHqwuazKyAmBjO4OHXL14X4=",
"owner": "DeterminateSystems",
"repo": "determinate",
"rev": "21dcaa011d3d35cf42a04e988eaac9b28c97a707",
"type": "github"
},
"original": {
"owner": "DeterminateSystems",
"repo": "determinate",
"type": "github"
}
},
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-qLWfYk9qkb21wKCDWnhMfqBFjcdBBJkNUKBlvdHSLgA=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-0BmprPIRTopvJ2QdImOMP+TujAPVgRdl0bUL3vhqGIY=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-+Q85cySxr0FB/cr97hk/WWYgeJY+iC4OH+FjGYygIbU=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"determinate",
"nix",
"nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1748821116, "lastModified": 1776613567,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", "owner": "nix-community",
"revCount": 377, "repo": "disko",
"type": "tarball", "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
"url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz" "type": "github"
}, },
"original": { "original": {
"type": "tarball", "owner": "nix-community",
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1" "repo": "disko",
"type": "github"
} }
}, },
"flake-utils": { "flake-utils": {
@@ -129,32 +54,6 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": [
"determinate",
"nix"
],
"nixpkgs": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"revCount": 1026,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -162,11 +61,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776184304, "lastModified": 1777054018,
"narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=", "narHash": "sha256-tTNS7V6xN/LX1KZ0TrdOnj375ZrsUlLoce4qxZwDN9U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3c7524c68348ef79ce48308e0978611a050089b2", "rev": "ffbd94a1c9d7d3e1258e51c084ab2109da04f2b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -182,11 +81,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1775999376, "lastModified": 1776604187,
"narHash": "sha256-p0ychd1iag2L0mYE3hnI82MfbvIWSrBEwmPPTuYtDLw=", "narHash": "sha256-rYAdN6wIB+li/dnF45di0ZplEzAbUr//r8T4TgTDMK4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "lib-aggregate", "repo": "lib-aggregate",
"rev": "2a998a6095a007e037d9a382a27991580be56c56", "rev": "ca6dd228fe3daf2f4bd08a46717d68aa44490b48",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -195,34 +94,13 @@
"type": "github" "type": "github"
} }
}, },
"nix": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs",
"nixpkgs-23-11": "nixpkgs-23-11",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1775583600,
"narHash": "sha256-/shs/3GA4R3rxhhqpPbEMnDZKbCvf3VpwnHB75nkTcI=",
"rev": "e9b4735be7b90cf49767faf5c36f770ac1bdc586",
"revCount": 24880,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.17.3/019d6913-e8c2-7128-ba76-3dc4f6b58158/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1775490113, "lastModified": 1776983936,
"narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=", "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7", "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -231,43 +109,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": {
"locked": {
"lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"revCount": 811874,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
}
},
"nixpkgs-23-11": {
"locked": {
"lastModified": 1717159533,
"narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
}
},
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1775959049, "lastModified": 1776564050,
"narHash": "sha256-o2JFoAWll4ZuHnVKX2ld03ynKR2zkvTDxJ/ZTCDz2/I=", "narHash": "sha256-01CvP7g0lwWuB1ruUKUy/xZqorQYKaTd4iPdCAoToFk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "ec2b7be3c0b3b764aa0380fa32aa304a5b680cf8", "rev": "927c9af2765fead764f1a6b9557feef2a40201f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -276,29 +124,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1776255774, "lastModified": 1776949667,
"narHash": "sha256-psVTpH6PK3q1htMJpmdz1hLF5pQgEshu7gQWgKO6t6Y=", "narHash": "sha256-GMSVw35Q+294GlrTUKlx087E31z7KurReQ1YHSKp5iw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "566acc07c54dc807f91625bb286cb9b321b5f42a", "rev": "01fbdeef22b76df85ea168fbfe1bfd9e63681b30",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -308,24 +140,10 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1775464765,
"narHash": "sha256-nex6TL2x1/sVHCyDWcvl1t/dbTedb9bAGC4DLf/pmYk=",
"rev": "83e29f2b8791f6dec20804382fcd9a666d744c07",
"revCount": 975711,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.975711%2Brev-83e29f2b8791f6dec20804382fcd9a666d744c07/019d6689-cde2-7061-b044-e0ef61ade488/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
}
},
"root": { "root": {
"inputs": { "inputs": {
"cmpkgs": "cmpkgs", "cmpkgs": "cmpkgs",
"determinate": "determinate", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"lib-aggregate": "lib-aggregate", "lib-aggregate": "lib-aggregate",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
@@ -340,11 +158,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776119890, "lastModified": 1776771786,
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=", "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd", "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
"type": "github" "type": "github"
}, },
"original": { "original": {

28
flake.nix
View File

@@ -19,7 +19,10 @@
inputs.nixpkgs.follows = "cmpkgs"; inputs.nixpkgs.follows = "cmpkgs";
}; };
determinate.url = "github:DeterminateSystems/determinate"; disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "cmpkgs";
};
}; };
outputs = inputs: outputs = inputs:
@@ -42,8 +45,8 @@
mkSystem = n: _v: mkSystem = n: _v:
let let
defaults = { defaults = {
npkgs = inputs.cmpkgs; npkgs = inputs.cmpkgs;
path = ./hosts/${n}/configuration.nix; path = ./hosts/${n}/configuration.nix;
extraModules = [ ]; extraModules = [ ];
}; };
v = defaults // _v; v = defaults // _v;
@@ -52,10 +55,25 @@
modules = [ modules = [
v.path v.path
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
] ++ v.extraModules; ] ++ v.extraModules;
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
}; };
mkIso = n: _v:
let
defaults = {
npkgs = inputs.cmpkgs;
path = ./hosts/${n}/configuration.nix;
};
v = defaults // _v;
in
v.npkgs.lib.nixosSystem {
modules = [ v.path ];
specialArgs = { inherit inputs; };
};
## Top-level nixos configs, keyed by system ## Top-level nixos configs, keyed by system
nixosConfigsEx = { nixosConfigsEx = {
"x86_64-linux" = { "x86_64-linux" = {
@@ -65,7 +83,9 @@
}; };
nixosConfigs = lib.foldl' (op: nul: nul // op) { } (lib.attrValues nixosConfigsEx); nixosConfigs = lib.foldl' (op: nul: nul // op) { } (lib.attrValues nixosConfigsEx);
nixosConfigurations = lib.mapAttrs (n: v: mkSystem n v) nixosConfigs; nixosConfigurations = lib.mapAttrs (n: v: mkSystem n v) nixosConfigs // {
iso = mkIso "iso" { };
};
toplevels = lib.mapAttrs (_: v: v.config.system.build.toplevel) nixosConfigurations; toplevels = lib.mapAttrs (_: v: v.config.system.build.toplevel) nixosConfigurations;
nixosModules = { }; nixosModules = { };

2
home/sonja/home.nix
View File

@@ -9,8 +9,6 @@
home.username = "sonja"; home.username = "sonja";
home.homeDirectory = "/home/sonja"; home.homeDirectory = "/home/sonja";
nixpkgs.config.allowUnfree = true;
custom.pgp.enable = true; custom.pgp.enable = true;
home.packages = [ home.packages = [

45
hosts/coven/configuration.nix
View File

@@ -3,7 +3,9 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disk.nix
../../modules/nixos/garbage-collection.nix ../../modules/nixos/garbage-collection.nix
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
]; ];
hardware.graphics.enable32Bit = true; hardware.graphics.enable32Bit = true;
@@ -16,6 +18,25 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey).
# Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks
# A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.
# initrdUnlock is false in disk.nix so we own the full device config here.
boot.initrd.systemd.fido2.enable = true;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-partlabel/disk-main-luks";
allowDiscards = true;
bypassWorkqueues = true;
crypttabExtraOpts = [ "fido2-device=auto" ];
};
# zram swap — 8 GB on a 16 GB machine, no swap partition needed
zramSwap = {
enable = true;
memoryPercent = 50;
algorithm = "zstd";
};
# Use latest kernel # Use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -135,8 +156,32 @@
pinentry-curses pinentry-curses
ranger ranger
nodejs_24 nodejs_24
gqrx
]; ];
programs.noisetorch.enable = true; programs.noisetorch.enable = true;
# btrfs snapshots — timeline via snapper
services.snapper.configs.root = {
SUBVOLUME = "/";
ALLOW_USERS = [ "sonja" ];
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_LIMIT_HOURLY = 24;
TIMELINE_LIMIT_DAILY = 7;
TIMELINE_LIMIT_WEEKLY = 4;
TIMELINE_LIMIT_MONTHLY = 6;
TIMELINE_LIMIT_YEARLY = 2;
};
# sops — dormant until .sops.yaml is populated with your GPG fingerprint
# and secrets/secrets.yaml is created and encrypted.
# sops.defaultSopsFile = ../../secrets/secrets.yaml;
# sops.gnupg.sshKeyPaths = [];
# sops.secrets.ssh_host_ed25519_key = {
# path = "/etc/ssh/ssh_host_ed25519_key";
# mode = "0600";
# };
# Note: system.autoUpgrade with a channel URL does not apply to flake-managed # Note: system.autoUpgrade with a channel URL does not apply to flake-managed
# systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead. # systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead.
system.stateVersion = "25.11"; system.stateVersion = "25.11";

7
hosts/coven/disk.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
imports = [ ../../modules/nixos/disk.nix ];
disk.device = "/dev/nvme0n1";
}

30
hosts/coven/hardware-configuration.nix
View File

@@ -1,31 +1,15 @@
# Do not modify this file! It was generated by 'nixos-generate-config' { config, lib, modulesPath, ... }:
# and may be overwritten by future invocations. Please make changes
# to hosts/coven/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = # fileSystems and swapDevices are owned by disko (hosts/coven/disk.nix).
{ device = "/dev/disk/by-uuid/2e49499a-0cf2-4c30-932f-1c0aec68cb15";
fsType = "ext4";
};
fileSystems."/boot" = nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
{ device = "/dev/disk/by-uuid/A6AE-6122";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

82
hosts/iso/configuration.nix Normal file
View File

@@ -0,0 +1,82 @@
{ pkgs, modulesPath, inputs, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix")
];
# Tools needed for the install process
environment.systemPackages = with pkgs; [
# Disk setup
inputs.disko.packages.${pkgs.system}.disko
cryptsetup
# YubiKey enrollment (systemd-cryptenroll for FIDO2)
yubikey-personalization
yubikey-manager
libfido2
# Misc
git
# Install script — available as `install-coven` in PATH
(pkgs.writeShellScriptBin "install-coven" ''
set -euo pipefail
FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main"
LUKS_PART="/dev/disk/by-partlabel/disk-main-luks"
echo "======================================================"
echo " coven install script"
echo " Flake: ''${FLAKE}"
echo "======================================================"
echo ""
echo "WARNING: This will ERASE ALL DATA on /dev/nvme0n1"
echo "Press Enter to continue or Ctrl-C to abort."
read -r
echo ""
echo "[1/5] Partitioning, formatting, and mounting via disko..."
echo "(You will be prompted to set a LUKS passphrase this becomes your recovery key.)"
disko --mode disko --flake "''${FLAKE}#coven"
echo ""
echo "[2/5] Enrolling YubiKey FIDO2 into LUKS container..."
echo " Insert your YubiKey and touch it when prompted."
systemd-cryptenroll --fido2-device=auto "''${LUKS_PART}"
echo ""
echo "[3/5] Installing NixOS..."
nixos-install --flake "''${FLAKE}#coven" --no-root-password --root /mnt
echo ""
echo "[4/5] Setting user password for sonja..."
nixos-enter --root /mnt -c 'passwd sonja'
echo ""
echo "[5/5] Done!"
echo ""
echo "Next steps after first boot:"
echo " 1. Fill in your GPG fingerprint in .sops.yaml"
echo " 2. Create and encrypt secrets/secrets.yaml"
echo " 3. Uncomment sops config in hosts/coven/configuration.nix"
echo ""
echo "Remove the install media and reboot."
read -rp "Reboot now? [y/N] " yn
if [[ "''${yn}" =~ ^[Yy]$ ]]; then
reboot
fi
'')
];
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
# Enable SSH so the machine can be administered remotely during install
services.openssh.enable = true;
# Add your SSH public key here to allow passwordless remote access from the ISO
# users.users.nixos.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA..." ];
nixpkgs.hostPlatform = "x86_64-linux";
isoImage.squashfsCompression = "zstd -Xcompression-level 6";
system.stateVersion = "25.11";
}

74
modules/nixos/disk.nix Normal file
View File

@@ -0,0 +1,74 @@
{ config, lib, ... }:
let
device = config.disk.device;
in
{
options.disk.device = lib.mkOption {
type = lib.types.str;
description = "Block device to partition, e.g. /dev/nvme0n1";
};
config = {
disko.devices = {
disk.main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
esp = {
size = "2G";
type = "EF00";
label = "esp";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
label = "disk-main-luks";
content = {
type = "luks";
name = "cryptroot";
# initrd unlock managed manually in configuration.nix to include
# YubiKey challenge-response settings.
initrdUnlock = false;
extraFormatArgs = [ "--type" "luks2" "--pbkdf" "argon2id" ];
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@" = {
mountpoint = "/";
mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
};
"@home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
};
"@log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
};
"@snapshots" = {
mountpoint = "/.snapshots";
mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" ];
};
};
};
};
};
};
};
};
};
};
}

0
secrets/.gitkeep Normal file
View File