feat: change iso to btrfs

2025-08-07 12:08:19 +02:00
parent 1c9302c773
commit 541f9b3776
3 changed files with 109 additions and 10 deletions
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
 	imports = [
+    "${impermanence}/nixos.nix"
 		<nixpkgs/nixos/modules/profiles/all-hardware.nix>
 		<nixpkgs/nixos/modules/profiles/base.nix>
 		#installer-only ./hardware-configuration.nix
@@ -50,5 +54,34 @@
 		zip
 	];

+  environment.persistence."/nix/persist" = {
+    hideMounts = true;
+    directories = [
+      "/home"
+    ];
+  };
+  environment.persistence."/nix/persist/system" = {
+    hideMounts = true;
+    directories = [
+      "/etc/nixos"
+      "/root/.ssh"
+      "/var/bento"
+      "/var/log"
+      "/var/lib/bluetooth"
+      "/var/lib/docker"
+      "/var/lib/flatpak"
+      "/var/lib/fprint"
+      "/var/lib/nixos"
+      "/var/lib/mysql"
+      "/etc/NetworkManager/system-connections"
+    ];
+    files = [
+      { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+    ];
+  };
+
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/iso/default.nix
+++ b/iso/default.nix
@@ -44,10 +44,12 @@
 					wait-for mkfs.fat -F 32 -n boot /dev/disk/by-partlabel/BOOT

 					wait-for [ -b /dev/disk/by-partlabel/NIXOS ]
-					mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS
+					${cryptsetup}/bin/cryptsetup luksFormat --type=luks2 --label=root /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1
+					${cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-partlabel/NIXOS root --key-file=/dev/zero --keyfile-size=1
+					mkfs.btrfs -f -L nixos /dev/mapper/root

 					sync
-          mount /dev/disk/by-partlabel/NIXOS /mnt
+          mount /dev/mapper/root /mnt

          btrfs subvolume create /mnt/@
          btrfs subvolume create /mnt/@nix-store
@@ -56,14 +58,56 @@
          umount /mnt

 					sync
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/disk/by-partlabel/NIXOS /mnt
+          mount -t tmpfs -o size=16G,mode=755 tmpfs /mnt
+          mkdir -p /mnt/nix
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/root /mnt/nix
          mkdir -p /mnt/nix/{store,persist}
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/disk/by-partlabel/NIXOS /mnt/nix/store
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/disk/by-partlabel/NIXOS /mnt/nix/persist
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/mapper/root /mnt/nix/store
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/mapper/root /mnt/nix/persist
+
+          mkdir -p /mnt/nix/persist/home
+
+          mkdir -p /mnt/etc/nixos
+          mkdir -p /mnt/nix/persist/system/etc/nixos
+          mount --bind /mnt/nix/persist/system/etc/nixos /mnt/etc/nixos
+          mkdir -p /mnt/root/.ssh
+          mkdir -p /mnt/nix/persist/system/root/.ssh
+          mount --bind /mnt/nix/persist/system/root/.ssh /mnt/root/.ssh
+          mkdir -p /mnt/var/bento
+          mkdir -p /mnt/nix/persist/system/var/bento
+          mount --bind /mnt/nix/persist/system/var/bento /mnt/var/bento
+          mkdir -p /mnt/var/log
+          mkdir -p /mnt/nix/persist/system/var/log
+          mount --bind /mnt/nix/persist/system/var/log /mnt/var/log
+          mkdir -p /mnt/var/lib/bluetooth
+          mkdir -p /mnt/nix/persist/system/var/lib/bluetooth
+          mount --bind /mnt/nix/persist/system/var/lib/bluetooth /mnt/var/lib/bluetooth
+          mkdir -p /mnt/var/lib/docker
+          mkdir -p /mnt/nix/persist/system/var/lib/docker
+          mount --bind /mnt/nix/persist/system/var/lib/docker /mnt/var/lib/docker
+          mkdir -p /mnt/var/lib/flatpak
+          mkdir -p /mnt/nix/persist/system/var/lib/flatpak
+          mount --bind /mnt/nix/persist/system/var/lib/flatpak /mnt/var/lib/flatpak
+          mkdir -p /mnt/var/lib/fprint
+          mkdir -p /mnt/nix/persist/system/var/lib/fprint
+          mount --bind /mnt/nix/persist/system/var/lib/fprint /mnt/var/lib/fprint
+          mkdir -p /mnt/var/lib/nixos
+          mkdir -p /mnt/nix/persist/system/var/lib/nixos
+          mount --bind /mnt/nix/persist/system/var/lib/nixos /mnt/var/lib/nixos
+          mkdir -p /mnt/var/lib/mysql
+          mkdir -p /mnt/nix/persist/system/var/lib/mysql
+          mount --bind /mnt/nix/persist/system/var/lib/mysql /mnt/var/lib/mysql
+          mkdir -p /mnt/etc/NetworkManager/system-connections
+          mkdir -p /mnt/nix/persist/system/etc/NetworkManager/system-connections
+          mount --bind /mnt/nix/persist/system/etc/NetworkManager/system-connections /mnt/etc/NetworkManager/system-connections

 					mkdir /mnt/boot
 					wait-for mount /dev/disk/by-label/boot /mnt/boot

+          mkdir -p /mnt/nix/persist/system/etc/ssh
+          ssh-keygen -t ed25519 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_ed25519_key
+          ssh-keygen -t rsa     -b 4096 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_rsa_key
+
 					install -D ${./configuration.nix} /mnt/etc/nixos/configuration.nix
 					install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix

--- a/iso/hardware-configuration.nix
+++ b/iso/hardware-configuration.nix
@@ -6,9 +6,29 @@
 		fsType = "vfat";
 	};

-  fileSystems."/"  = {
-    device = "/dev/disk/by-partlabel/NIXOS";
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "size=16G" "mode=755" ];
+  };
+
+	boot.initrd.luks.devices.root = {
+		device = "/dev/disk/by-label/root";
+
+		# WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
+		allowDiscards = true;
+
+		# Set your own key with:
+		# cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
+		# You can then delete the rest of this block.
+		keyFile = "/dev/zero";
+		keyFileSize = 1;
+	};
+
+  fileSystems."/nix"  = {
+    device = "/dev/mapper/root";
    fsType = "btrfs";
+    neededForBoot = true;
    options = [
      "subvol=@"
      "ssd"
@@ -19,8 +39,9 @@
  };

  fileSystems."/nix/store" = {
-    device = "/dev/disk/by-uuid/…";
+    device = "/dev/mapper/root";
    fsType = "btrfs";
+    neededForBoot = true;
    options = [
      "subvol=@nix-store"
      "ssd"
@@ -31,8 +52,9 @@
  };

  fileSystems."/nix/persist"  = {
-    device = "/dev/disk/by-partlabel/NIXOS";
+    device = "/dev/mapper/root";
    fsType = "btrfs";
+    neededForBoot = true;
    options = [
      "subvol=@nix-persist"
      "ssd"