diff --git a/SwarselSystems.org b/SwarselSystems.org
index c8b9500..136a283 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -1981,7 +1981,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
 #+begin_src nix :tangle hosts/nixos/chaostheatre/default.nix
- { self, pkgs, lib, ... }:
+ { self, config, pkgs, lib, ... }:
 let
 profilesPath = "${self}/profiles";
 in
@@ -1989,6 +1989,10 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
 imports = [
 ./hardware-configuration.nix
+ ./disk-config.nix
+ {
+ _module.args.diskDevice = config.swarselsystems.rootDisk;
+ }
 "${profilesPath}/nixos/optional/autologin.nix"
 ];
@@ -2015,6 +2019,12 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
 initialSetup = true;
 isPublic = true;
 isLinux = true;
+ isImpermanence = true;
+ isCrypted = true;
+ isSecureBoot = false;
+ isSwap = true;
+ swapSize = "4G";
+ rootDisk = "/dev/vda";
 };
 home-manager.users.swarsel.swarselsystems = {
@@ -3109,7 +3119,15 @@ This program builds a configuration locally.
 yellow "The ssh key for this configuration is not available."
 green "Adjusting flake.nix so that the configuration is buildable"
 sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
- git add flake.nix
+ sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
+ rm profiles/home/common/env.nix
+ rm profiles/home/common/gammastep.nix
+ rm profiles/home/common/git.nix
+ rm profiles/home/common/mail.nix
+ rm profiles/nixos/common/home-manager-extra.nix
+ nix flake update vbc-nix
+ git add .
 else
 green "Valid SSH key found! Continuing with installation"
 fi
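Review bot: The `rm` calls added to the key-unavailable branch of the @@ -3109 hunk are not re-runnable: on a checkout where an earlier run already removed and staged these files, or where one of them is simply absent, `rm profiles/home/common/env.nix` fails, and if the script runs under `set -e` that stops it before `git add .`; `rm -f` on each of the five lines keeps the branch idempotent. The same block is added to the installer in the @@ -3220 hunk of this file, and to the tangled copies scripts/swarsel-rebuild.sh @@ -75 and scripts/swarsel-install.sh @@ -78. `nix flake update vbc-nix` also runs after the `vbc-nix` input block has been deleted from flake.nix, so it names an input that no longer exists; if the intent is to drop the stale node from flake.lock, `nix flake lock` says that directly, and it is worth confirming on the Nix version in use that the update form only warns rather than errors. The enclosing `if` starts outside the hunk.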
@@ -3146,18 +3164,20 @@ This program sets up a new NixOS host locally.
 target_hostname="chaostheatre"
 target_user="swarsel"
 persist_dir=""
+ target_disk="/dev/vda"
 disk_encryption=0
 function help_and_exit() {
 echo
 echo "Locally installs SwarselSystem on this machine."
 echo
- echo "USAGE: $0 -n [OPTIONS]"
+ echo "USAGE: $0 -n -d [OPTIONS]"
 echo
 echo "ARGS:"
 echo " -n specify the nixos config to deploy."
 echo " Default: chaostheatre"
- echo " Default: chaostheatre"
+ echo " -d specify disk to install on."
+ echo " Default: /dev/vda"
 echo " -u specify user to deploy for."
 echo " Default: swarsel"
 echo " -h | --help Print this help."
@@ -3194,6 +3214,10 @@ This program sets up a new NixOS host locally.
 shift
 target_user=$1
 ;;
+ -d)
+ shift
+ target_disk=$1
+ ;;
 -h | --help) help_and_exit ;;
 ,*) echo "Invalid option detected."
@@ -3209,7 +3233,7 @@ This program sets up a new NixOS host locally.
 }
 trap cleanup exit
- green "~SwarselSystems~ remote installer"
+ green "~SwarselSystems~ local installer"
 cd /home/"$target_user"
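Review bot: `target_disk` ends up in a destructive disko run (`--yes-wipe-all-disks`, @@ -3290 hunk), but the `-d)` case added in the @@ -3194 hunk stores `$1` without any check, so a mistyped device or a trailing `-d` with no value (which leaves it empty) is only noticed after disko has started on the disk. Validating once after option parsing, `[[ -b $target_disk ]] || { red "Not a block device: $target_disk"; exit 1; }`, fails early and visibly; the help text for `-d` could also say that the device is wiped. The tangled copy is scripts/swarsel-install.sh @@ -4 and @@ -52.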
@@ -3220,9 +3244,31 @@ This program sets up a new NixOS host locally.
 green "Cloning repository from GitHub"
 git clone https://github.com/Swarsel/.dotfiles.git
+ local_keys=$(ssh-add -L || true)
+ pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+ read -ra pub_arr <<< "$pub_key"
+
+ cd .dotfiles
+ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
+ yellow "The ssh key for this configuration is not available."
+ green "Adjusting flake.nix so that the configuration is buildable ..."
+ sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
+ rm profiles/home/common/env.nix
+ rm profiles/home/common/gammastep.nix
+ rm profiles/home/common/git.nix
+ rm profiles/home/common/mail.nix
+ rm profiles/nixos/common/home-manager-extra.nix
+ nix flake update vbc-nix
+ git add .
+ else
+ green "Valid SSH key found! Continuing with installation"
+ fi
+
 green "Reading system information for $target_config ..."
 DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
- green "Root Disk: $DISK"
+ green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk"
 CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
 if [[ $CRYPTED == "true" ]]; then
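Review bot: The new message prints both `$DISK` (the `rootDisk` evaluated from the flake, which default.nix also binds to `diskDevice` through `_module.args`) and `$target_disk` from `-d`, but nothing reconciles them, so the device that gets formatted and the device baked into the configuration can silently differ. Aborting on mismatch, `if [[ $DISK != "$target_disk" ]]; then red "rootDisk in config ($DISK) differs from -d ($target_disk)"; exit 1; fi`, keeps the two in step; if the intent is for `-d` to override, the message should say which one wins. The key-check block moved up here also runs `nix flake update vbc-nix` (network access) before the `nix eval` calls, which is presumably why it moved; a one-line comment saying so would save the next reader the archaeology. The tangled copy is scripts/swarsel-install.sh @@ -78.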
@@ -3256,25 +3302,6 @@ This program sets up a new NixOS host locally.
 red "Secure Boot: X"
 fi
- local_keys=$(ssh-add -L || true)
- pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
- read -ra pub_arr <<< "$pub_key"
-
- cd .dotfiles
- if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
- yellow "The ssh key for this configuration is not available."
- green "Adjusting flake.nix so that the configuration is buildable"
- sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
- rm profiles/home/common/env.nix
- rm profiles/home/common/gammastep.nix
- rm profiles/home/common/git.nix
- rm profiles/home/common/mail.nix
- rm profiles/nixos/common/home-manager-extra.nix
- git add .
- else
- green "Valid SSH key found! Continuing with installation"
- fi
-
 if [ "$disk_encryption" -eq 1 ]; then
 while true; do
 green "Set disk encryption passphrase:"
@@ -3290,16 +3317,20 @@ This program sets up a new NixOS host locally.
 done
 fi
- green "Setting up disk"
- sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
+ green "Setting up disk ..."
+ if [[ $target_config == "chaostheatre" ]]; then
+ sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk"
+ else
+ sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
+ fi
 sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
 sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
 sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
- green "Generating hardware configuration"
+ green "Generating hardware configuration ..."
 sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
- green "Injecting initialSetup"
+ green "Injecting initialSetup ..."
 sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
 git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
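Review bot: The two disko invocations are now pinned differently: the chaostheatre branch runs `github:nix-community/disko/v1.10.0`, while the else branch still runs `github:nix-community/disko/latest`, i.e. whatever that ref resolves to at install time, executed under sudo with `--yes-wipe-all-disks`. Holding one pinned ref in a variable (`disko_ref="github:nix-community/disko/v1.10.0"`) and using it in both calls gives every host the same reviewed disko version and removes the hostname-specific branch. Separately, `--arg diskDevice "$target_disk"` hands disko a Nix expression; if disko forwards it like nix-build does, an unquoted `/dev/vda` evaluates as a path rather than a string, so `--argstr diskDevice "$target_disk"` is the form that matches `device = diskDevice` in disk-config.nix — and since default.nix already sets `_module.args.diskDevice`, it is worth confirming that a CLI argument reaches the module at all in `--flake` mode. The tangled copy is scripts/swarsel-install.sh @@ -148.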
@@ -8717,10 +8748,10 @@ This holds packages that I can use as provided, or with small modifications (as
 This is just a separate container for derivations defined in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]]. This is a good idea so that I do not lose track of package names I have defined myself, as this was once a problem in the past already.
 #+begin_src nix :tangle profiles/home/common/custom-packages.nix
- { pkgs, ... }:
+ { config, pkgs, ... }:
 {
- home.packages = with pkgs; [
+ home.packages = with pkgs; lib.mkIf (!config.swarselsystems.isPublic) [
 pass-fuzzel
 cura5
 cdw
@@ -9678,7 +9709,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
 # this is needed so that mbsync can use the passwords from sops
 systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
- accounts = {
+ accounts = lib.mkIf (!config.swarselsystems.isPublic) {
 email = {
 maildirBasePath = "Mail";
 accounts = {
diff --git a/hosts/nixos/chaostheatre/default.nix b/hosts/nixos/chaostheatre/default.nix
index a4c228a..6ecd5b5 100644
--- a/hosts/nixos/chaostheatre/default.nix
+++ b/hosts/nixos/chaostheatre/default.nix
@@ -1,4 +1,4 @@
-{ self, pkgs, lib, ... }:
+{ self, config, pkgs, lib, ... }:
 let
 profilesPath = "${self}/profiles";
 in
@@ -6,6 +6,10 @@ in
 imports = [
 ./hardware-configuration.nix
+ ./disk-config.nix
+ {
+ _module.args.diskDevice = config.swarselsystems.rootDisk;
+ }
 "${profilesPath}/nixos/optional/autologin.nix"
 ];
@@ -32,6 +36,12 @@ in
 initialSetup = true;
 isPublic = true;
 isLinux = true;
+ isImpermanence = true;
+ isCrypted = true;
+ isSecureBoot = false;
+ isSwap = true;
+ swapSize = "4G";
+ rootDisk = "/dev/vda";
 };
 home-manager.users.swarsel.swarselsystems = {
diff --git a/hosts/nixos/chaostheatre/disk-config.nix b/hosts/nixos/chaostheatre/disk-config.nix
new file mode 100644
index 0000000..5423b03
--- /dev/null
+++ b/hosts/nixos/chaostheatre/disk-config.nix
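Review bot: In the @@ -8717 hunk the new `lib.mkIf` on `home.packages` only resolves because of `with pkgs;`: the argument set was changed to `{ config, pkgs, ... }` and `lib` is not bound, so it silently falls through to `pkgs.lib`. That works, but it reads as if `lib` were a module argument and breaks the moment someone drops the `with`; binding it explicitly, `{ config, lib, pkgs, ... }:`, uses the module-system `lib` like the other modules in this commit do. The same applies to the tangled profiles/home/common/custom-packages.nix @@ -1 hunk; the @@ -9678 mail hunk also gains `lib.mkIf (!config.swarselsystems.isPublic)`, and its argument set is outside the hunk, so please check `lib` and `config` are bound there too.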
@@ -0,0 +1,128 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{ lib
+, pkgs
+, config
+, diskDevice ? config.swarselsystem.rootDisk
+, ...
+}:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = diskDevice;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+
+ environment.systemPackages = [
+ pkgs.yubikey-manager
+ ];
+}
diff --git a/profiles/home/common/custom-packages.nix b/profiles/home/common/custom-packages.nix
index b413b0e..b765461 100644
--- a/profiles/home/common/custom-packages.nix
+++ b/profiles/home/common/custom-packages.nix
@@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
- home.packages = with pkgs; [
+ home.packages = with pkgs; lib.mkIf (!config.swarselsystems.isPublic) [
 pass-fuzzel
 cura5
 cdw
diff --git a/profiles/home/common/mail.nix b/profiles/home/common/mail.nix
index e02d484..a8bf830 100644
--- a/profiles/home/common/mail.nix
+++ b/profiles/home/common/mail.nix
@@ -26,7 +26,7 @@ in
 # this is needed so that mbsync can use the passwords from sops
 systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
- accounts = {
+ accounts = lib.mkIf (!config.swarselsystems.isPublic) {
 email = {
 maildirBasePath = "Mail";
 accounts = {
diff --git a/scripts/swarsel-install.sh b/scripts/swarsel-install.sh
index 38f5e34..6a0f236 100644
--- a/scripts/swarsel-install.sh
+++ b/scripts/swarsel-install.sh
@@ -4,18 +4,20 @@ target_config="chaostheatre"
 target_hostname="chaostheatre"
 target_user="swarsel"
 persist_dir=""
+target_disk="/dev/vda"
 disk_encryption=0
 function help_and_exit() {
 echo
 echo "Locally installs SwarselSystem on this machine."
 echo
- echo "USAGE: $0 -n [OPTIONS]"
+ echo "USAGE: $0 -n -d [OPTIONS]"
 echo
 echo "ARGS:"
 echo " -n specify the nixos config to deploy."
 echo " Default: chaostheatre"
- echo " Default: chaostheatre"
+ echo " -d specify disk to install on."
+ echo " Default: /dev/vda"
 echo " -u specify user to deploy for."
 echo " Default: swarsel"
 echo " -h | --help Print this help."
@@ -52,6 +54,10 @@ while [[ $# -gt 0 ]]; do
 shift
 target_user=$1
 ;;
+ -d)
+ shift
+ target_disk=$1
+ ;;
 -h | --help) help_and_exit ;;
 *) echo "Invalid option detected."
@@ -67,7 +73,7 @@ function cleanup() {
 }
 trap cleanup exit
-green "~SwarselSystems~ remote installer"
+green "~SwarselSystems~ local installer"
 cd /home/"$target_user"
@@ -78,9 +84,31 @@ sudo rm -rf .dotfiles
 green "Cloning repository from GitHub"
 git clone https://github.com/Swarsel/.dotfiles.git
+local_keys=$(ssh-add -L || true)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+read -ra pub_arr <<< "$pub_key"
+
+cd .dotfiles
+if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
+ yellow "The ssh key for this configuration is not available."
+ green "Adjusting flake.nix so that the configuration is buildable ..."
+ sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
+ rm profiles/home/common/env.nix
+ rm profiles/home/common/gammastep.nix
+ rm profiles/home/common/git.nix
+ rm profiles/home/common/mail.nix
+ rm profiles/nixos/common/home-manager-extra.nix
+ nix flake update vbc-nix
+ git add .
+else
+ green "Valid SSH key found! Continuing with installation"
+fi
+
 green "Reading system information for $target_config ..."
 DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
-green "Root Disk: $DISK"
+green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk"
 CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
 if [[ $CRYPTED == "true" ]]; then
@@ -114,25 +142,6 @@ else
 red "Secure Boot: X"
 fi
-local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
-read -ra pub_arr <<< "$pub_key"
-
-cd .dotfiles
-if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
- yellow "The ssh key for this configuration is not available."
- green "Adjusting flake.nix so that the configuration is buildable"
- sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
- rm profiles/home/common/env.nix
- rm profiles/home/common/gammastep.nix
- rm profiles/home/common/git.nix
- rm profiles/home/common/mail.nix
- rm profiles/nixos/common/home-manager-extra.nix
- git add .
-else
- green "Valid SSH key found! Continuing with installation"
-fi
-
 if [ "$disk_encryption" -eq 1 ]; then
 while true; do
 green "Set disk encryption passphrase:"
@@ -148,16 +157,20 @@ if [ "$disk_encryption" -eq 1 ]; then
 done
 fi
-green "Setting up disk"
-sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
+green "Setting up disk ..."
+if [[ $target_config == "chaostheatre" ]]; then
+ sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk"
+else
+ sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
+fi
 sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
 sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
 sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
-green "Generating hardware configuration"
+green "Generating hardware configuration ..."
 sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
-green "Injecting initialSetup"
+green "Injecting initialSetup ..."
 sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
 git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
diff --git a/scripts/swarsel-rebuild.sh b/scripts/swarsel-rebuild.sh
index 2a6ea54..83f3031 100644
--- a/scripts/swarsel-rebuild.sh
+++ b/scripts/swarsel-rebuild.sh
@@ -75,7 +75,15 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 yellow "The ssh key for this configuration is not available."
 green "Adjusting flake.nix so that the configuration is buildable"
 sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
- git add flake.nix
+ sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
+ sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
+ rm profiles/home/common/env.nix
+ rm profiles/home/common/gammastep.nix
+ rm profiles/home/common/git.nix
+ rm profiles/home/common/mail.nix
+ rm profiles/nixos/common/home-manager-extra.nix
+ nix flake update vbc-nix
+ git add .
 else
 green "Valid SSH key found! Continuing with installation"
 fi