| author | Alejandro Soto <alejandro@34project.org> | 2022-03-10 19:14:10 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2022-03-10 19:14:10 -0600 |
| commit | e287d00e96b5505da20399d073ae96458f841397 (patch) | |
| tree | 9b96ccde0fddf5c59aedf2fb29f577b6af46f18f | |
| parent | 65bbf5411d8d3e30bffcc278ccace65c7e75c70c (diff) | |
Track system configuration
Diffstat (limited to '')
| -rw-r--r-- | flake.nix | 12 | ||||
| -rw-r--r-- | home/default.nix | 2 | ||||
| -rw-r--r-- | platform/p-user.nix | 35 | ||||
| -rw-r--r-- | platform/user.nix | 46 | ||||
| -rw-r--r-- | sys/default.nix | 317 |
5 files changed, 410 insertions, 2 deletions
@@ -12,9 +12,11 @@
 };
 outputs = { self, nixpkgs, home-manager, nur, ... }: let
+ util = import ./util;
+ pkgSet = pkgs: import ./pkgs {
 inherit pkgs;
- util = import ./util pkgs.lib;
+ util = util pkgs.lib;
 };
 in {
 packages."x86_64-linux" = pkgSet nixpkgs.legacyPackages."x86_64-linux";
@@ -23,6 +25,14 @@
 local = pkgSet super;
 };
+ nixosConfigurations = with nixpkgs.lib; let
+ hostUtil = util nixpkgs.lib;
+ hostConfig = host: (makeOverridable nixosSystem) {
+ system = "x86_64-linux";
+ modules = [ (import ./sys self) host ];
+ };
+ in mapAttrs (_: hostConfig) (hostUtil.importAll { root = ./platform; });
+
 homeConfigurations."ale@p-user" = home-manager.lib.homeManagerConfiguration {
 system = "x86_64-linux";
 configuration = {
diff --git a/home/default.nix b/home/default.nix
index 10dbe18..b70ae6f 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -160,7 +160,7 @@
 clock24 = true;
 escapeTime = 10;
 terminal = "xterm-256color";
- keyMode = "vi";
+ keyMode = "vi";
 extraConfig = '' set -g mouse on
diff --git a/platform/p-user.nix b/platform/p-user.nix
new file mode 100644
index 0000000..7625355
--- /dev/null
+++ b/platform/p-user.nix
@@ -0,0 +1,35 @@
+{
+ config = {
+ hostname = "p-user";
+ portable = true;
+
+ dhcpInterface = "enp5s0";
+
+ canTouchEfiVariables = false;
+ initrdModules = [ "xhci_pci" "ahci" "usb_storage" "uas" "sd_mod" "r8169" ];
+
+ videoDrivers = [ "amdgpu" ];
+
+ crypt.toplevel = {
+ device = "/dev/hdd0/user.crypt";
+ target = "user-portable";
+ headerFromBoot = "tierra/trust/hdd0-user.luks-header";
+ };
+
+ fs = {
+ boot.device = "/dev/disk/by-uuid/F8F9-1F8A";
+
+ sys = {
+ device = "/dev/mapper/user-portable";
+ ssd = false;
+ root = "/run/nixroot";
+ toplevel = "/run";
+ };
+
+ hdd = {
+ device = "/dev/mapper/user-portable";
+ home = "/run/home";
+ };
+ };
+ };
+}
diff --git a/platform/user.nix b/platform/user.nix
new file mode 100644
index 0000000..dc5961a
--- /dev/null
+++ b/platform/user.nix
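Review bot: The let binding `util = import ./util;` now holds the un-applied function while the attribute inside pkgSet is spelled `util = util pkgs.lib;`, so one name means the function on the left and its result on the right; the set is not `rec`, so this evaluates, but it reads like a self-reference. Naming the function binding `mkUtil` (with `util = mkUtil pkgs.lib;` here and `hostUtil = mkUtil nixpkgs.lib;` in the nixosConfigurations hunk) keeps the two roles distinct. The rest of the `outputs` body lies outside this hunk.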
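Review bot: This platform file assigns `hostname`, `portable`, `crypt.toplevel`, `fs` and the rest directly under `config = { … }`, whereas platform/user.nix in the same commit puts them under `config.local = { … }` and sys/default.nix declares them as `options.local.*`, so as written these would be rejected as undefined top-level NixOS options. The fix is the single line `config.local = {` in place of `config = {`. `fs.sys.device` and `fs.hdd.device` are both `/dev/mapper/user-portable`, which looks intentional (two btrfs subvolume sets on one mapped device) but deserves a one-line comment saying so.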
@@ -0,0 +1,46 @@
+{
+ config.local = {
+ hostname = "user";
+ portable = false;
+
+ dhcpInterface = "ens8";
+
+ canTouchEfiVariables = true;
+ initrdModules = ,[ "xhci_pci" "ahci" "usb_storage" "uas" "sd_mod" "r8169" ];
+
+ videoDrivers = [ "qxl" ];
+
+ crypt = {
+ toplevel = {
+ device = "/dev/disk/by-path/virtio-pci-0000:00:05.0";
+ target = "user";
+ headerFromBoot = "headers/toplevel0-user.luks-header";
+ };
+
+ aux = [
+ {
+ device = "/dev/disk/by-path/virtio-pci-0000:00:0b.0";
+ target = "user-hdd";
+ header = "/var/trust/headers/hdd1-user.luks-header";
+ keyfile = "/var/trust/cryptkeys/hdd1-user.luks-key";
+ }
+ ];
+ };
+
+ fs = {
+ boot.device = "/dev/disk/by-uuid/";
+
+ sys = {
+ device = "/dev/mapper/user";
+ ssd = true;
+ root = "/root";
+ toplevel = "/";
+ };
+
+ hdd = {
+ device = "/dev/mapper/user-hdd";
+ home = "/home";
+ };
+ };
+ };
+}
diff --git a/sys/default.nix b/sys/default.nix
new file mode 100644
index 0000000..3c3ab69
--- /dev/null
+++ b/sys/default.nix
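Review bot: `initrdModules = ,[ "xhci_pci" … ];` has a stray comma before the list, which is a Nix syntax error that will stop the whole flake from evaluating; the line should read `initrdModules = [ "xhci_pci" "ahci" "usb_storage" "uas" "sd_mod" "r8169" ];`. `fs.boot.device = "/dev/disk/by-uuid/";` is a by-uuid path with no UUID, so `/boot` cannot be mounted and the initrd `preOpenCommands` mount of that device in sys/default.nix will fail as well; either fill in the UUID or mark the line with a comment as a placeholder still to be completed. The `aux` entry takes its LUKS header and keyfile from `/var/trust/` on the root filesystem, so their protection rests entirely on the toplevel encrypted volume `user`; a one-line comment recording that dependency would help the next reader.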
@@ -0,0 +1,317 @@ +selfFlake: +{ lib, config, pkgs, modulesPath, ... }: +with lib; let + cfg = config.local; +in { + imports = [ "${modulesPath}/installer/scan/not-detected.nix" ]; + + options.local = with lib.types; { + hostname = mkOption { + type = str; + }; + + portable = mkOption { + type = bool; + }; + + canTouchEfiVariables = mkOption { + type = bool; + }; + + dhcpInterface = mkOption { + type = nullOr str; + default = null; + }; + + videoDrivers = mkOption { + type = listOf str; + }; + + initrdModules = mkOption { + type = str; + }; + + crypt = mkOption { + type = submodule { + options = { + toplevel = mkOption { + type = submodule { + options = { + device = mkOption { + type = str; + }; + + target = mkOption { + type = str; + }; + + headerFromBoot = mkOption { + type = str; + }; + }; + }; + }; + + aux = mkOption { + default = []; + type = listOf (submodule { + options = { + device = mkOption { + type = str; + }; + + target = mkOption { + type = str; + }; + + header = mkOption { + type = str; + }; + + keyfile = mkOption { + type = str; + }; + }; + }); + }; + }; + }; + }; + + fs = mkOption { + type = submodule { + options = { + boot = mkOption { + type = submodule { + options = { + device = mkOption { + type = str; + }; + }; + }; + }; + + sys = mkOption { + type = submodule { + options = { + device = mkOption { + type = str; + }; + + ssd = mkOption { + type = bool; + }; + + root = mkOption { + type = str; + }; + + toplevel = mkOption { + type = str; + }; + }; + }; + }; + + hdd = mkOption { + type = submodule { + options = { + device = mkOption { + type = str; + }; + + home = mkOption { + type = str; + }; + }; + }; + }; + }; + }; + }; + }; + + config = { + nixpkgs.overlays = [ selfFlake.overlay ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. 
It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.11"; # Did you read the comment? + + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + boot = { + # !!! + tmpOnTmpfs = true; + + loader = { + systemd-boot.enable = true; + efi = { + inherit (cfg) canTouchEfiVariables; + }; + }; + + initrd = let + crypt = cfg.crypt.toplevel; + headerPathEscaped = escapeShellArg "/initrd-boot/${crypt.headerFromBoot}"; + in { + availableKernelModules = cfg.initrdModules; + supportedFilesystems = [ "vfat" ]; + + preDeviceCommands = '' + mkdir -p `dirname ${headerPathEscaped}` + touch ${headerPathEscaped} + ''; + + preLVMCommands = optionalString cfg.portable '' + sleep 2 #TODO + ''; + + luks.devices."${crypt.target}" = { + inherit (crypt) device; + header = "/initrd-boot/${crypt.headerFromBoot}"; + preLVM = false; + + preOpenCommands = '' + mount -o ro -t vfat ${escapeShellArg cfg.fs.boot.device} /initrd-boot + ''; + + postOpenCommands = let + fromRoot = path: escapeShellArg "/mnt-root/${path}"; + auxOpen = aux: '' + cryptsetup open \ + --header ${fromRoot aux.header} \ + --key-file ${fromRoot aux.keyfile} \ + ${aux.device} ${aux.target} + ''; + in '' + umount /initrd-boot + '' + concatStringsSep "\n" (map auxOpen cfg.crypt.aux); + }; + + #network = { + # enable = true; + + # ssh = { + # enable = true; + # port = 2234; + # }; + #}; + }; + }; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + fileSystems = let + inherit (cfg) fs; + btrfs = { device, subvol, isSys }: { + inherit device; + fsType = "btrfs"; + options = let + ssd = optional (isSys && fs.sys.ssd) "ssd"; + in [ "noatime" "compress=zstd" "subvol=${subvol}" ] ++ ssd; + 
}; + in { + "/" = btrfs { + inherit (fs.sys) device; + subvol = fs.sys.root; + isSys = true; + }; + + "/toplevel" = btrfs { + inherit (fs.sys) device; + subvol = fs.sys.toplevel; + isSys = true; + }; + + "/hdd" = btrfs { + inherit (fs.hdd) device; + subvol = "/"; + isSys = false; + }; + + "/home" = btrfs { + inherit (fs.hdd) device; + subvol = fs.hdd.home; + isSys = false; + }; + + "/boot" = { + inherit (fs.boot) device; + fsType = "vfat"; + options = [ "noatime" "umask=027" ]; + }; + }; + + time.timeZone = "America/Costa_Rica"; + + networking = { + hostName = cfg.hostname; + useDHCP = false; + + interfaces = mkIf (cfg.dhcpInterface != null) { + "${cfg.dhcpInterface}".useDHCP = true; + }; + }; + + i18n.defaultLocale = "es_CR.UTF-8"; + + sound.enable = true; + hardware.pulseaudio.enable = true; + + services.xserver = { + enable = true; + videoDrivers = cfg.videoDrivers ++ [ "modesetting" "fbdev" ]; + libinput.enable = true; + displayManager.startx.enable = true; + }; + + services.openssh = { + enable = true; + openFirewall = false; + ports = [ 2234 ]; + forwardX11 = true; + }; + + networking.firewall.allowedTCPPorts = [ 2234 ]; + + programs = { + dconf.enable = true; + zsh.enable = true; + }; + + environment.pathsToLink = [ "/share/zsh" ]; + + users.users = { + ale = { + isNormalUser = true; + uid = 1000; + group = "ale"; + extraGroups = [ "users" "wheel" ]; + shell = pkgs.zsh; + }; + + tutorias = { + isNormalUser = true; + uid = 1004; + group = "tutorias"; + extraGroups = [ "users" ]; + shell = pkgs.zsh; + }; + }; + + users.groups = { + ale.gid = 1001; + tutorias.gid = 1007; + }; + }; +} |
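Review bot: In the `options.local` block near the top of the hunk, `initrdModules` is declared with `type = str;`, but both platform files assign a list and the value is passed straight to `boot.initrd.availableKernelModules`, which takes a list of strings, so the module type check fails at evaluation; declare it `type = listOf str;`. In `postOpenCommands`, `aux.device` and `aux.target` are interpolated into the cryptsetup command unquoted while `header` and `keyfile` go through `escapeShellArg`; write `${escapeShellArg aux.device} ${escapeShellArg aux.target}` for consistency. The `fromRoot` helper resolves those header and keyfile paths under `/mnt-root/`, which assumes the root filesystem is already mounted there when a LUKS post-open hook runs in stage 1 — that ordering does not look guaranteed from this file alone and is worth confirming. `services.openssh` is enabled with `openFirewall = false;` yet the same port is then opened through `networking.firewall.allowedTCPPorts = [ 2234 ];`, and nothing here turns off password authentication (enabled by default in NixOS) or explains `forwardX11 = true;`; consider `passwordAuthentication = false;` and a comment on the X11 forwarding requirement. The bare `# !!!` above `tmpOnTmpfs = true;` and the `sleep 2 #TODO` in `preLVMCommands` should each state their intent, e.g. `# portable media can take a moment to settle before LVM/LUKS scanning — TODO replace the fixed delay` for the latter.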
