feat: make live ISO a min config for bootstrapping

profiles/common/disks/btrfs-luks.nix

@@ -0,0 +1,89 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{ lib
+, pkgs
+, disk ? "/dev/vda"
+, withSwap ? false
+, swapSize
+, config
+, ...
+}:
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = disk;
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                passwordFile = "/tmp/disko-password"; # this is populated by bootstrap-nixos.sh
+                settings = {
+                  allowDiscards = true;
+                  # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+                  crypttabExtraOpts = [
+                    "fido2-device=auto"
+                    "token-timeout=10"
+                  ];
+                };
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ]; # force overwrite
+                  subvolumes = {
+                    "@root" = {
+                      mountpoint = "/";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "@persist" = {
+                      mountpoint = "${config.hostSpec.persistFolder}";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "@swap" = lib.mkIf withSwap {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "${swapSize}G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    pkgs.yubikey-manager # For luks fido2 enrollment before full install
+  ];
+}

profiles/common/nixos/packages.nix

@@ -28,6 +28,9 @@
 
     nix-index
 
+    # better make for general tasks
+    just
+
     # keyboards
     qmk
     vial

profiles/live/default.nix

@@ -1,76 +1,68 @@
-{ inputs, outputs, config, pkgs, lib, ... }:
+{ self, inputs, config, pkgs, lib, ... }:
+let
+  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
+in
 {
 
   imports = [
 
-    # ../optional/nixos/steam.nix
-    # ../optional/nixos/virtualbox.nix
-    # ../optional/nixos/vmware.nix
-    ../optional/nixos/autologin.nix
-    ../optional/nixos/nswitch-rcm.nix
-    # ../optional/nixos/work.nix
+    inputs.lanzaboote.nixosModules.lanzaboote
+    inputs.disko.nixosModules.disko
+    inputs.impermanence.nixosModules.impermanence
+    inputs.sops-nix.nixosModules.sops
 
-    inputs.home-manager.nixosModules.home-manager
-    {
-      home-manager.users.swarsel.imports = outputs.mixedModules ++ [
-        ../optional/home/gaming.nix
-        # ../optional/home/work.nix
-      ] ++ (builtins.attrValues outputs.homeManagerModules);
-    }
-  ] ++ (builtins.attrValues outputs.nixosModules);
+    ../optional/nixos/minimal.nix
 
+  ];
+
+
+  isoImage = {
+    makeEfiBootable = true;
+    makeUsbBootable = true;
+    squashfsCompression = "zstd -Xcompression-level 3";
+  };
 
   nixpkgs = {
-    inherit (outputs) overlays;
-    config = {
-      allowUnfree = true;
-      allowBroken = true;
+    hostPlatform = lib.mkDefault "x86_64-linux";
+    config.allowUnfree = true;
+  };
+
+  services.getty.autologinUser = lib.mkForce "swarsel";
+
+  users = {
+    groups.swarsel = { };
+    users = {
+      swarsel = {
+        name = "swarsel";
+        group = "swarsel";
+        isNormalUser = true;
+        shell = pkgs.zsh;
+        password = "setup"; # this is overwritten after install
+        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+      };
+      root = {
+        shell = pkgs.zsh;
+        password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
+        openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
+      };
     };
   };
 
-  isoImage.makeEfiBootable = true;
-  isoImage.makeUsbBootable = true;
-
-  networking.networkmanager.wifi.scanRandMacAddress = false;
-
-  boot = {
-    loader.efi.canTouchEfiVariables = true;
-    kernelPackages = pkgs.linuxPackages_latest;
+  systemd = {
+    services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
+    targets = {
+      sleep.enable = false;
+      suspend.enable = false;
+      hibernate.enable = false;
+      hybrid-sleep.enable = false;
+    };
   };
 
   system.stateVersion = lib.mkForce "23.05";
-  services.getty.autologinUser = lib.mkForce "swarsel";
 
   networking = {
     hostName = "live";
-    wireless.enable = lib.mkForce false;
-    firewall.enable = true;
+    wireless.enable = false;
   };
 
-
-  swarselsystems = {
-    wallpaper = ../../wallpaper/lenovowp.png;
-    hasBluetooth = true;
-    hasFingerprint = true;
-    impermanence = false;
-    initialSetup = true;
-    isBtrfs = false;
-  };
-
-  home-manager.users.swarsel.swarselsystems = {
-    isLaptop = false;
-    isNixos = true;
-    isBtrfs = false;
-    startup = [
-      { command = "nextcloud --background"; }
-      { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
-      { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
-      { command = "ANKI_WAYLAND=1 anki"; }
-      { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; }
-      { command = "nm-applet"; }
-      { command = "teams-for-linux"; }
-      { command = "1password"; }
-      { command = "feishin"; }
-    ];
-  };
 }

profiles/optional/nixos/minimal.nix

@@ -0,0 +1,60 @@
+{ self, lib, pkgs, config, ... }:
+{
+
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    warn-dirty = false;
+  };
+
+  boot = {
+    # initrd.systemd.enable = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+    supportedFilesystems = lib.mkForce [ "brtfs" "vfat" ];
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        enable = true;
+        configurationLimit = lib.mkDefault 5;
+        consoleMode = lib.mkDefault "max";
+      };
+    };
+  };
+
+  services = {
+    qemuGuest.enable = true;
+    openssh = {
+      enable = true;
+      ports = lib.mkDefault [ 22 ];
+      settings.PermitRootLogin = "yes";
+      authorizedKeysFiles = lib.mkForce [
+        "/etc/ssh/authorized_keys.d/%u"
+      ];
+    };
+  };
+
+  security.pam = {
+    sshAgentAuth.enable = true;
+    services = {
+      sudo.u2fAuth = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    curl
+    rsync
+    ssh-to-age
+    sops
+    vim
+  ];
+
+  programs = {
+    git.enable = true;
+    zsh.enable = lib.mkDefault true;
+  };
+
+  fileSystems."/boot".options = [ "umask=0077" ];
+
+  networking.networkmanager.enable = true;
+
+
+}