commit d5ca291a68c452ce4108660455890ca79ee61f40
parent 3bff5623699c83a351d0af9ac8b5b8aa164983fb
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 17 May 2025 17:10:23 +0200
config/nixos/filesystem: implement `rootDisk` module
3 files changed, 313 insertions(+), 3 deletions(-)
A
|
294
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/filesystem/rootDisk.nix b/config/nixos/modules/filesystem/rootDisk.nix 
@@ -0,0 +1,294 @@
+{
+ povSelf,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+ part =
+ name: content:
+ if cfg.encrypt then
+ {
+ type = "luks";
+ inherit name content;
+ }
+ else
+ content;
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ type = {
+ type = types.enum [
+ "btrfs"
+ "zfs"
+ "ext4"
+ ];
+ };
+ path = {
+ type = types.path;
+ };
+ encrypt = {
+ type = types.bool;
+ default = false;
+ };
+ swap = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ size = {
+ type = lib.strMatching "[0-9]+[KMGTP]";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ (
+ lib.mkIf (cfg.type == "btrfs") {
+ services.btrfs.autoScrub = {
+ enable = true;
+ interval = "weekly";
+ };
+ }
+ )
+ (
+ lib.mkIf (cfg.type == "zfs") {
+ services.zfs.autoScrub.enable = true;
+
+ boot = lib.mkIf cfg.encrypt {
+ initrd = {
+ luks.forceLuksSupportInInitrd = true;
+ supportedFilesystems = {
+ ext4 = true;
+ };
+ systemd.services.decrypt-root = {
+ description = "Decrypt ZFS root pool";
+ wantedBy = [ "initrd.target" ];
+ after = [ "zfs-import.target" ];
+ before = [
+ "create-needed-for-boot-dirs.service"
+ "defenestrate.service"
+ "sysroot.mount"
+ ];
+ onFailure = [ "emergency.target" ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ };
+ script = ''
+ systemd-cryptsetup attach key /dev/zvol/${config.networking.hostName}/key || exit 1
+ mount /dev/mapper/key /key --mkdir || exit 1
+ zfs load-key -a || exit 1
+ umount /key || exit 1
+ systemd-cryptsetup detach key || exit 1
+ '';
+ };
+ };
+ zfs = {
+ forceImportRoot = false;
+ allowHibernation = true;
+ requestEncryptionCredentials = false;
+ };
+ };
+
+ disko.devices.zpool = {
+ ${config.networking.hostName} = {
+ type = "zpool";
+ options.ashift = "12";
+ rootFsOptions = lib.mkMerge [
+ {
+ acltype = "posixacl";
+ canmount = "off";
+ compression = "zstd-6";
+ mountpoint = "none";
+ xattr = "sa";
+ }
+ (
+ lib.mkIf config.modules.filesystem.encrypt {
+ encryption = "on";
+ keyformat = "hex";
+ keylocation = "file:///key/${config.networking.hostName}.key";
+ }
+ )
+ ];
+
+ datasets = lib.mkMerge (lib.flatten [
+ {
+ data = {
+ type = "zfs_fs";
+ options.canmount = "off";
+ };
+ "data/home" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ mountpoint = "none";
+ };
+ };
+ "data/system" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountpoint = "/nix/persist/system";
+ };
+ nix = {
+ type = "zfs_fs";
+ options = {
+ atime = "off";
+ mountpoint = "legacy";
+ };
+ mountpoint = "/nix";
+ };
+ os = {
+ type = "zfs_fs";
+ options.canmount = "off";
+ };
+ "os/nixos" = {
+ type = "zfs_fs";
+ options.canmount = "off";
+ };
+ "os/nixos/root-1" = {
+ type = "zfs_fs";
+ options = {
+ atime = "off";
+ compression = "zstd-fast";
+ mountpoint = "legacy";
+ };
+ mountpoint = "/";
+ };
+ reserved = {
+ type = "zfs_volume";
+ size = "8G";
+ options.readonly = "on";
+ };
+ }
+ (
+ lib.mkIf config.modules.filesystem.encrypt {
+ key = {
+ type = "zfs_volume";
+ size = "24M";
+ options.encryption = "off";
+ # TODO: luksFormat, add key and make readonly
+ };
+ }
+ )
+ (
+ lib.map (user: {
+ "data/home/${user}" = {
+ type = "zfs_fs";
+ options.mountpoint = "legacy";
+ mountOptions = [ "nofail" ];
+ mountpoint =
+ # if config.modules.filesystem.impermanence.persistHome then
+ if true then
+ "/home/${user}"
+ else
+ "/nix/persist/home/${user}";
+ };
+ }) (lib.attrNames (lib.filterAttrs (name: value: value.enable == true) config.modules.users))
+ )
+ ]);
+ };
+ };
+ }
+ )
+ {
+ disko.devices.disk = {
+ ${config.networking.hostName} = {
+ type = "disk";
+ device = "${cfg.path}";
+ content = {
+ type = "gpt";
+ partitions = lib.mkMerge [
+ (
+ lib.mkIf (config.modules.boot.type == "legacy") {
+ grub-mbr = {
+ size = "1M";
+ type = "EF02";
+ priority = 1;
+ };
+ }
+ )
+ {
+ boot = {
+ type = lib.mkIf (config.modules.boot.type == "uefi") "EF00";
+ size = "1G";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountOptions = [
+ "nofail"
+ "umask=0077"
+ "dmask=0077"
+ ];
+ mountpoint = "/boot";
+ };
+ };
+ }
+ {
+ root.content = part "root" (lib.mkMerge [
+ (
+ lib.mkIf (cfg.type == "ext4") {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ }
+ )
+ (
+ lib.mkIf (cfg.type == "btrfs") {
+ type = "btrfs";
+ subvolumes = {
+ "/nixos/@" = {
+ mountpoint = "/";
+ };
+ "/nixos/@home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ "/nixos/@nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/nix";
+ };
+ };
+ }
+ )
+ (
+ lib.mkIf (cfg.type == "zfs") {
+ type = "zfs";
+ pool = config.networking.hostName;
+ }
+ )
+ ]);
+ }
+ (
+ if cfg.swap.enable then
+ {
+ root.end = "-${cfg.swap.size}";
+ swap = {
+ size = "100%";
+ content = part "swap" { type = "swap"; };
+ };
+ }
+ else
+ { root.size = "100%"; }
+ )
+ ];
+ };
+ };
+ };
+ }
+ ]);
+
+}
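Review bot: The two ZFS encryption sites in this hunk (the `rootFsOptions` block that sets `encryption = "on"` and the `key` zvol dataset) are gated on `config.modules.filesystem.encrypt`, while the `part` wrapper, the initrd `decrypt-root` service and everything else in the module are gated on `cfg.encrypt`; the `hosts/huntii/default.nix` hunk shows the option lives at `modules.filesystem.rootDisk.encrypt`, so those two sites either fail to evaluate or, if a sibling option of that name exists with a `false` default, quietly create an unencrypted pool on a host that set `encrypt = true`. Both should read `lib.mkIf cfg.encrypt {`. Separately, `type = lib.strMatching "[0-9]+[KMGTP]";` for `swap.size` names a function that lives under `lib.types`, and `types` is already in scope via `inherit (lib) types`, so it should be `type = types.strMatching "[0-9]+[KMGTP]";`. The option declarations are bare attrsets rather than `lib.mkOption` calls; presumably the `povSelf` wrapper converts them, but if it does not, none of the declared types or defaults are enforced. The `if true then` with the commented-out `persistHome` condition reads as a leftover placeholder and deserves a `# TODO` explaining the intended switch, or removal.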
diff --git a/flake.nix b/flake.nix @@ -73,7 +73,7 @@ }; }; - modules = [ + modules = nixpkgsLib.flatten [ { nixpkgs.overlays = [ inputs.self.overlays.packages @@ -83,10 +83,13 @@ } ( - if !hostConfig.nixpkgsStable then + if !hostConfig.nixpkgsStable then [ inputs.homeManagerUnstable.nixosModules.default - else + inputs.diskoUnstable.nixosModules.default + ] else [ inputs.homeManager.nixosModules.default + inputs.disko.nixosModules.default + ] ) inputs.lixModule.nixosModules.default @@ -139,6 +142,12 @@ sopsNix.url = "github:Mic92/sops-nix"; sopsNix.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + + diskoUnstable.url = "github:nix-community/disko"; + diskoUnstable.inputs.nixpkgs.follows = "nixpkgsUnstable"; + homeManager.url = "github:nix-community/home-manager/release-24.11"; homeManager.inputs.nixpkgs.follows = "nixpkgs";
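Review bot: The new `disko` and `diskoUnstable` inputs use the bare URL `github:nix-community/disko` with no `ref` or `rev`, and as far as this page shows the commit touches three files with no `flake.lock` change, so the commit does not record which disko revision it was built against; until the lock entry is created and committed, the next evaluation resolves whatever the default branch points to at that moment. Because disko is the component that partitions and formats the root disk, it deserves the same pinning discipline as the other inputs. Committing the updated `flake.lock` alongside this change, or adding an explicit ref to the URL, would close that gap. The `inputs` attrset and the `modules` list both continue outside the hunk.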
diff --git a/hosts/huntii/default.nix b/hosts/huntii/default.nix @@ -21,6 +21,13 @@ ]; modules = { + filesystem.rootDisk = { + enable = true; + encrypt = true; + type = "ext4"; + path = "/dev/disk/by-id/nvme-SKHynix_HFS512GDE9X081N_FYB8N034411508M5G"; + }; + hardware = { video.intel.enable = true; cpu.updateMicrocode = true;