diff --git a/iso/configuration.nix b/iso/configuration.nix
index a9a2fa5..d6e7164 100644
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
 imports = [
+ "${impermanence}/nixos.nix"
 #installer-only
 ./hardware-configuration.nix
@@ -50,5 +54,34 @@
 zip
 ];
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/home"
+ ];
+ };
+ environment.persistence."/nix/persist/system" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ "/root/.ssh"
+ "/var/bento"
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/docker"
+ "/var/lib/flatpak"
+ "/var/lib/fprint"
+ "/var/lib/nixos"
+ "/var/lib/mysql"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ ];
+ };
+
 system.stateVersion = "23.05"; # Did you read the comment?
 }
diff --git a/iso/default.nix b/iso/default.nix
index 6cc200d..367cc98 100644
--- a/iso/default.nix
+++ b/iso/default.nix
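Review bot: The `impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"` line imports an unpinned, unhashed tarball as a NixOS module, so whatever is on that branch at evaluation time (or whatever reaches the machine in its place) gets full authority over the system configuration, and the build is neither reproducible nor offline-capable once master moves. Pin the fetch to a commit and give Nix the content hash so the download is verified, e.g. `impermanence = builtins.fetchTarball { url = "https://github.com/nix-community/impermanence/archive/<rev>.tar.gz"; sha256 = "<hash>"; };`. The same pin should then be used by the installer in default.nix if it evaluates this file, so both sides agree on the module version.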
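Review bot: In the `environment.persistence."/nix/persist/system".directories` list, `"/root/.ssh"` and `"/etc/NetworkManager/system-connections"` are plain strings, so they get whatever default directory mode the impermanence module applies, while the SSH host key entries just below explicitly ask for `u=rwx,g=,o=` on their parent; both of those directories hold secrets (root's private keys and authorized_keys, Wi-Fi PSKs and VPN credentials in NetworkManager keyfiles). Use the attribute-set form for them, `{ directory = "/root/.ssh"; mode = "u=rwx,g=,o="; }` and `{ directory = "/etc/NetworkManager/system-connections"; mode = "u=rwx,g=,o="; }`, so the persistent copies are created with the same restrictive permissions. Whether the module honours `mode` for pre-existing directories depends on the impermanence version being fetched, which this hunk does not pin, so it is worth checking against the imported module.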
@@ -44,10 +44,12 @@
 wait-for mkfs.fat -F 32 -n boot /dev/disk/by-partlabel/BOOT
 wait-for [ -b /dev/disk/by-partlabel/NIXOS ]
- mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS
+ ${cryptsetup}/bin/cryptsetup luksFormat --type=luks2 --label=root /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1
+ ${cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-partlabel/NIXOS root --key-file=/dev/zero --keyfile-size=1
+ mkfs.btrfs -f -L nixos /dev/mapper/root
 sync
- mount /dev/disk/by-partlabel/NIXOS /mnt
+ mount /dev/mapper/root /mnt
 btrfs subvolume create /mnt/@
 btrfs subvolume create /mnt/@nix-store
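Review bot: The `luksFormat ... /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1` line enrols a single NUL byte as the only LUKS passphrase, so the freshly installed disk is encrypted with a key anyone can reproduce and offers no confidentiality until the user manually runs the `luksChangeKey` step; nothing in this installer script performs or enforces that step. If the intent is an unattended install, the script should at least read a real passphrase (for example `read -rs -p "LUKS passphrase: " luks_pw` and pass it via `--key-file=-` to both `luksFormat` and `luksOpen`), or print a prominent warning at the end of the install that the disk is still using the null key. Note also that `/dev/mapper/root` is opened here and the script, as far as this hunk shows, never closes it, which is fine for an installer but means the mapping stays unlocked after the script exits.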
@@ -56,14 +58,56 @@
 umount /mnt
 sync
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/disk/by-partlabel/NIXOS /mnt
+ mount -t tmpfs -o size=16G,mode=755 tmpfs /mnt
+ mkdir -p /mnt/nix
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/root /mnt/nix
 mkdir -p /mnt/nix/{store,persist}
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/disk/by-partlabel/NIXOS /mnt/nix/store
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/disk/by-partlabel/NIXOS /mnt/nix/persist
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/mapper/root /mnt/nix/store
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/mapper/root /mnt/nix/persist
+
+ mkdir -p /mnt/nix/persist/home
+
+ mkdir -p /mnt/etc/nixos
+ mkdir -p /mnt/nix/persist/system/etc/nixos
+ mount --bind /mnt/nix/persist/system/etc/nixos /mnt/etc/nixos
+ mkdir -p /mnt/root/.ssh
+ mkdir -p /mnt/nix/persist/system/root/.ssh
+ mount --bind /mnt/nix/persist/system/root/.ssh /mnt/root/.ssh
+ mkdir -p /mnt/var/bento
+ mkdir -p /mnt/nix/persist/system/var/bento
+ mount --bind /mnt/nix/persist/system/var/bento /mnt/var/bento
+ mkdir -p /mnt/var/log
+ mkdir -p /mnt/nix/persist/system/var/log
+ mount --bind /mnt/nix/persist/system/var/log /mnt/var/log
+ mkdir -p /mnt/var/lib/bluetooth
+ mkdir -p /mnt/nix/persist/system/var/lib/bluetooth
+ mount --bind /mnt/nix/persist/system/var/lib/bluetooth /mnt/var/lib/bluetooth
+ mkdir -p /mnt/var/lib/docker
+ mkdir -p /mnt/nix/persist/system/var/lib/docker
+ mount --bind /mnt/nix/persist/system/var/lib/docker /mnt/var/lib/docker
+ mkdir -p /mnt/var/lib/flatpak
+ mkdir -p /mnt/nix/persist/system/var/lib/flatpak
+ mount --bind /mnt/nix/persist/system/var/lib/flatpak /mnt/var/lib/flatpak
+ mkdir -p /mnt/var/lib/fprint
+ mkdir -p /mnt/nix/persist/system/var/lib/fprint
+ mount 
--bind /mnt/nix/persist/system/var/lib/fprint /mnt/var/lib/fprint
+ mkdir -p /mnt/var/lib/nixos
+ mkdir -p /mnt/nix/persist/system/var/lib/nixos
+ mount --bind /mnt/nix/persist/system/var/lib/nixos /mnt/var/lib/nixos
+ mkdir -p /mnt/var/lib/mysql
+ mkdir -p /mnt/nix/persist/system/var/lib/mysql
+ mount --bind /mnt/nix/persist/system/var/lib/mysql /mnt/var/lib/mysql
+ mkdir -p /mnt/etc/NetworkManager/system-connections
+ mkdir -p /mnt/nix/persist/system/etc/NetworkManager/system-connections
+ mount --bind /mnt/nix/persist/system/etc/NetworkManager/system-connections /mnt/etc/NetworkManager/system-connections
 mkdir /mnt/boot
 wait-for mount /dev/disk/by-label/boot /mnt/boot
+ mkdir -p /mnt/nix/persist/system/etc/ssh
+ ssh-keygen -t ed25519 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_ed25519_key
+ ssh-keygen -t rsa -b 4096 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_rsa_key
+
 install -D ${./configuration.nix} /mnt/etc/nixos/configuration.nix
 install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix
diff --git a/iso/hardware-configuration.nix b/iso/hardware-configuration.nix
index 9ccd886..bb35b73 100644
--- a/iso/hardware-configuration.nix
+++ b/iso/hardware-configuration.nix
@@ -6,9 +6,29 @@
 fsType = "vfat";
 };
- fileSystems."/" = {
- device = "/dev/disk/by-partlabel/NIXOS";
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "size=16G" "mode=755" ];
+ };
+
+ boot.initrd.luks.devices.root = {
+ device = "/dev/disk/by-label/root";
+
+ # WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
+ allowDiscards = true;
+
+ # Set your own key with:
+ # cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
+ # You can then delete the rest of this block.
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@"
 "ssd"
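Review bot: The persistent directories that will hold private key material are created with bare `mkdir -p` — `/mnt/nix/persist/system/etc/ssh`, `/mnt/nix/persist/system/root/.ssh` and `/mnt/nix/persist/system/etc/NetworkManager/system-connections` — so they inherit the installer's umask, which is presumably 0755, and the `parentDirectory = { mode = "u=rwx,g=,o="; }` requested for the host keys in configuration.nix can only apply if impermanence creates a missing directory, which it will not have to do here. Create them restrictively up front, `mkdir -p -m 0700 /mnt/nix/persist/system/etc/ssh`, `mkdir -p -m 0700 /mnt/nix/persist/system/root/.ssh` and `mkdir -p -m 0700 /mnt/nix/persist/system/etc/NetworkManager/system-connections`, before the bind mounts and before `ssh-keygen` writes into them. The eleven hand-written mkdir/mkdir/mount triplets also duplicate the directory list in configuration.nix, so the two will drift; a single loop over one list would keep them in step. This hunk is part of a shell script embedded in a Nix string whose start is outside the hunk.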
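Review bot: `keyFile = "/dev/zero"; keyFileSize = 1;` in `boot.initrd.luks.devices.root` makes the initrd unlock the root volume unattended with the installer's null key, and the only thing prompting the user to replace it is the comment above it, so a forgotten `luksChangeKey` leaves a disk that is encrypted in name only with no signal at build time. If `lib` and `config` are in this file's argument set (not visible in the hunk), an evaluation-time warning would make the state loud: `warnings = lib.optional (config.boot.initrd.luks.devices.root.keyFile == "/dev/zero") "root LUKS volume still uses the installer's null key; run cryptsetup luksChangeKey and remove keyFile/keyFileSize.";`. The comment should also spell out that after `luksChangeKey` both `keyFile` and `keyFileSize` must be removed, since leaving `keyFile` pointing at `/dev/zero` would make the initrd fail to unlock rather than fall back to a passphrase prompt.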
@@ -19,8 +39,9 @@
 };
 fileSystems."/nix/store" = {
- device = "/dev/disk/by-uuid/…";
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@nix-store"
 "ssd"
@@ -31,8 +52,9 @@
 };
 fileSystems."/nix/persist" = {
- device = "/dev/disk/by-partlabel/NIXOS";
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@nix-persist"
 "ssd"