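# Builds a one-shot, DESTRUCTIVE disk provisioning script for a single NixOS
# host, derived from that host's evaluated configuration (`systemConfig`):
#   * GPT with an ESP (`<host>-boot`) and a LUKS-encrypted root (`<host>-root`)
#   * btrfs on /dev/mapper/root with one subvolume per `fileSystems` entry that
#     mounts /dev/mapper/root with a `subvol=` option (plus the root slots and
#     an optional swap subvolume)
#   * the SSH host key sops-nix uses as its age identity, generated onto the
#     new root and printed (public half only)
#
# When no `systemConfig` is passed, a stub script is produced instead so the
# package set still evaluates.
#
# NOTE(review): `cryptsetup`, `mkfs.vfat` (dosfstools), `mount`/`umount`
# (util-linux >= 2.38 for `--mkdir`) and `udevadm` are invoked but are not in
# `runtimeInputs`; writeShellApplication only prepends runtimeInputs to PATH,
# so these come from the installer environment.  Add them to the inputs if
# this is ever run outside a NixOS live system.
{
  systemConfig ? null,
  lib,
  writeShellApplication,
  writeScriptBin,
  btrfs-progs,
  parted,
  openssh,
}:
if systemConfig != null then
  writeShellApplication {
    name = "setup-disk-${systemConfig.networking.hostName}";
    runtimeInputs = [
      btrfs-progs
      parted
      openssh
    ];
    text =
      let
        inherit (systemConfig.networking) hostName;
        persistEnabled = systemConfig.common.configure.persist.system.enable;
        # Partitions are addressed by GPT label so nothing after partitioning
        # depends on the device name the user typed (sda/nvme0n1/...).
        bootDisk = "/dev/disk/by-partlabel/${hostName}-boot";
        rootDisk = "/dev/disk/by-partlabel/${hostName}-root";
        # Path of the SSH host key sops-nix derives its age identity from.
        hostKeyPath = lib.last systemConfig.sops.age.sshKeyPaths;

        # Every btrfs subvolume the configuration expects on the root device:
        # collect the mount options of all fileSystems backed by /dev/mapper/root
        # and keep the value of each `subvol=<name>` option.  Matching the full
        # `subvol=` prefix (rather than the first six characters) keeps a
        # `subvolid=N` option from being mangled into a bogus name, and
        # `lib.unique` keeps a subvolume mounted twice from being created twice
        # (which would abort the script under `set -e`).
        subvolumes = lib.pipe systemConfig.fileSystems [
          builtins.attrValues
          (builtins.filter (fs: fs.device == "/dev/mapper/root"))
          (builtins.concatMap (fs: fs.options))
          (builtins.filter (lib.hasPrefix "subvol="))
          (builtins.map (lib.removePrefix "subvol="))
          lib.unique
        ];

        # Subvolumes created explicitly below; excluded from the generic loop.
        managedSubvolumes = [ "nixos-root-1" "nixos-root" "swap" ];

        # One `mount` per root-device fileSystems entry.  `x-initrd.mount` is a
        # NixOS-only option and is dropped.  Nix sorts attribute names, and a
        # parent path is always a prefix of its children, so `/` is mounted
        # before `/nix` before `/nix/store`, etc.
        mountCommands = lib.pipe systemConfig.fileSystems [
          (lib.filterAttrs (_: fs: fs.device == "/dev/mapper/root"))
          (lib.concatMapAttrsStringSep "\n" (
            mountPoint: fs:
            let
              options = builtins.concatStringsSep "," (
                builtins.filter (opt: opt != "x-initrd.mount") fs.options
              );
              target = lib.strings.normalizePath "/mnt${lib.removeSuffix "/" mountPoint}";
            in
            "mount --verbose --mkdir --options ${options} ${fs.device} ${target}"
          ))
        ];
      in
      ''
        set -euo pipefail

        read -rp 'Disk: ' disk
        # Refuse anything that is not a block device: an empty answer or a typo
        # would otherwise hand an arbitrary path to parted.
        if [[ ! -b "$disk" ]]; then
          echo "'$disk' is not a block device" >&2
          exit 1
        fi

        read -srp "LUKS passphrase: " pass1
        echo ""
        read -srp 'LUKS passphrase (repeat): ' pass2
        echo ""
        if [[ "$pass1" != "$pass2" ]]; then
          echo "Passphrases don't match" >&2
          # Non-zero so a caller cannot mistake the abort for success.
          exit 1
        fi

        # DESTRUCTIVE: replaces the partition table of "$disk".
        # Partition 1: ESP (type set via `set 1 esp on`).
        # Partition 2: LUKS container holding the btrfs root.
        # NOTE(review): 6523f8ae-... appears to be the Discoverable Partitions
        # Specification GUID for "Linux root (Alpha)"; the x86-64 root type is
        # 4f68bce3-e8cd-4db1-96e7-fbcaf984b709.  Confirm this is intended (it only
        # matters to tools that discover the root partition by type).
        parted --script --align optimal --fix "$disk" -- mklabel gpt \
          mkpart ${hostName}-boot fat32 1M 1024M \
          mkpart ${hostName}-root btrfs 1025M 100% \
          set 1 esp on \
          type 2 6523f8ae-3eb1-4e2a-a05a-18b695ae656f
        # The by-partlabel symlinks are created asynchronously by udev; wait for
        # them before addressing the new partitions by label.
        udevadm settle

        # The passphrase is fed on stdin; cryptsetup stops at the newline echo
        # appends, matching what it reads on interactive unlock.  The same
        # variable is used for format and open so the two cannot diverge.
        echo "$pass1" | cryptsetup -q luksFormat "${rootDisk}"
        echo "$pass1" | cryptsetup -q luksOpen "${rootDisk}" root
        unset pass1 pass2

        mkfs.vfat "${bootDisk}"
        mkfs.btrfs /dev/mapper/root
        mount --verbose /dev/mapper/root /mnt
        ${
          if persistEnabled then
            ''
              # Rotating root slots for the persistent-state setup; slot 1 is
              # what gets mounted by default.
              btrfs subvolume create /mnt/nixos-root-1
              btrfs subvolume create /mnt/nixos-root-2
              btrfs subvolume create /mnt/nixos-root-3
              btrfs subvolume create /mnt/nixos-root-4
              btrfs subvolume set-default /mnt/nixos-root-1
            ''
          else
            ''
              btrfs subvolume create /mnt/nixos-root
              btrfs subvolume set-default /mnt/nixos-root
            ''
        }
        ${lib.optionalString (builtins.elem "swap" subvolumes) ''
          # A dedicated subvolume and `--uuid clear` are what btrfs needs for a
          # swapfile (no COW, and the containing subvolume must not be snapshotted).
          btrfs subvolume create /mnt/swap
          btrfs filesystem mkswapfile --size ${systemConfig.common.configure.rootDisk.swap.size} --uuid clear /mnt/swap/swapfile
        ''}
        ${lib.pipe subvolumes [
          (lib.subtractLists managedSubvolumes)
          (builtins.map (name: "btrfs subvolume create /mnt/${name}"))
          (builtins.concatStringsSep "\n")
        ]}
        umount --verbose /mnt

        ${mountCommands}

        # Generate the SSH host key sops-nix uses as its age identity.  A host key
        # must be unencrypted (sshd and sops-nix cannot prompt), so pass an empty
        # passphrase explicitly instead of relying on the user to hit Enter twice.
        mkdir -p /mnt${builtins.dirOf hostKeyPath}
        ssh-keygen -t ed25519 -N "" -f /mnt${hostKeyPath}
        # Print the public half so it can be added to .sops.yaml; the private
        # key stays on the (encrypted) target root.
        cat /mnt${hostKeyPath}.pub
      '';
  }
else
  writeScriptBin "setup-disk-none" "echo 'No system config given!'"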