diff --git a/.gitignore b/.gitignore
index bd97393..8076b45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 result*
 *.qcow2
 .nixie
+*~
+.#*
+\#*#
diff --git a/NOTES b/NOTES
index a2be083..28e5820 100644
--- a/NOTES
+++ b/NOTES
@@ -12,33 +12,43 @@ https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF" sops -e /etc/ssh/ssh_host_id > hosts/floki/ +* labels + * btrfs + * sudo btrfs filesystem label + * luks + * FAT + * sudo fatlabel + * swap (see: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7) + * udevadm trigger INSTALL: export device=/dev/nvme0n1 +export hostname=floki +wipefs/shread/scrub ${device} printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device} -mkfs.fat -F 32 ${device} -cryptsetup --verify-passphrase -v luksFormat "${device}p2" -cryptsetup open "${device}p2"enc -mkfs.btrfs /dev/mapper/enc -mount /dev/mapper/enc /mnt +mkfs.fat -L boot -F 32 ${device} +cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "${device}p2" +cryptsetup open "${device}p2" "${hostname}_crypt" +mkfs.btrfs -L ${hostname} /dev/mapper/"${hostname}_crypt" +mount -t btrfs -o subvol=/ /dev/disk/by-label/${hostname} /mnt btrfs subvolume create /mnt/root btrfs subvolume create /mnt/nix btrfs subvolume create /mnt/persist btrfs subvolume create /mnt/swap btrfs subvolume create /mnt/logs -mount -o compress=zstd,subvol=root /dev/mapper/enc /mnt +mount -o compress=zstd,subvol=root /dev/mapper/"${hostname}_crypt" /mnt mkdir /mnt/{nix,persist,swap,var/logs} -mount -o compress=zstd,noatime,subvol=nix /dev/mapper/enc /mnt/nix -mount -o compress=zstd,subvol=persist /dev/mapper/enc /mnt/persist -mount -o compress=zstd,noatime,subvol=logs /dev/mapper/enc /mnt/var/logs -mount -o noatime,subvol=swap /dev/mapper/enc /mnt/swap +mount -o compress=zstd,noatime,subvol=nix /dev/mapper/"${hostname}_crypt" /mnt/nix +mount -o compress=zstd,subvol=persist /dev/mapper/"${hostname}_crypt" /mnt/persist +mount -o compress=zstd,noatime,subvol=logs /dev/mapper/"${hostname}_crypt" /mnt/var/logs +mount -o noatime,subvol=swap /dev/mapper/"${hostname}_crypt" /mnt/swap mkdir /mnt/boot mount /dev/sda1 /mnt/boot 
nixos-generate-config --root /mnt -nano /mnt/etc/nixos/configuration.nix # manually add mount options +nano /mnt/etc/nixos/configuration.nix # manually add mount options or cp from USB nixos-install nixos-generate-config --show-hardware-config @@ -53,8 +63,10 @@ fileSystems = { user hashedPassword: mkpasswd -m sha-512 +SWAP file btrfs: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7 btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile -swapDevices = [ { device = "/swap/swapfile"; } ]; +swapon? +swapDevices = [ { device = "/dev/disk/by-label/swap/swapfile"; } ]; nixos-rebulid switch export NIX_CONFIG="experimental-features = nix-command flakes" @@ -74,7 +86,7 @@ home-manager switch --flake .#username@hostname sudo nixos-rebuild switch --flake .#my-hostname -clear; sudo nixos-rebuild dry-activate --flake .#floki +clear; sudo nixos-rebuild dry-activate --flake .#${hostname} ------- services.pcscd.enable = true; diff --git a/hosts/common/optional/btrfs.nix b/hosts/common/optional/btrfs.nix new file mode 100644 index 0000000..2ca437d --- /dev/null +++ b/hosts/common/optional/btrfs.nix 
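Review bot: In the INSTALL sequence of the first hunk, `mkfs.fat -L boot -F 32 ${device}` still formats the whole disk rather than the ESP, so it overwrites the GPT that the preceding `sfdisk ${device}` just wrote (the commit adds the `-L boot` label but keeps the pre-existing target), and the `/mnt/boot` mount a few lines later uses `/dev/sda1`, which is not derived from `${device}` at all. I would change those two lines to `mkfs.fat -L boot -F 32 "${device}p1"` and `mount "${device}p1" /mnt/boot` so the whole sequence is driven by the one exported variable. The new `wipefs/shread/scrub ${device}` line reads as a placeholder; if the intent is that no prior plaintext survives in sectors the new LUKS volume never rewrites, `blkdiscard "${device}"` before partitioning (on an NVMe) or a zero-fill of the opened mapper device does that, whereas `wipefs -a` only clears filesystem signatures. In the second hunk, `/dev/disk/by-label/swap/swapfile` cannot resolve — by-label links point at block devices, not files — so the previous `device = "/swap/swapfile";` (with the `/swap` subvolume mounted) is the value to keep; the `swapon?` marker suggests this is already known.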
@@ -0,0 +1,46 @@ +{ lib, config, ... }: +{ + boot.initrd = { + supportedFilesystems = [ "btrfs" ]; +} + fileSystems."/" = + { device = "/dev/disk/by-uuid/bf75af76-49b0-41fa-a4e5-9a52a6a0a667"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; + }; + + boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/470152b6-16cc-4dcf-b1e9-c684c1589e33"; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/bf75af76-49b0-41fa-a4e5-9a52a6a0a667"; + fsType = "btrfs"; + options = [ "subvol=nix" "noatime" "compress=zstd" ]; + }; + + fileSystems."/persist" = + { device = "/dev/disk/by-uuid/bf75af76-49b0-41fa-a4e5-9a52a6a0a667"; + fsType = "btrfs"; + options = [ "subvol=persist" "noatime" "compression=zstd" ]; + }; + + fileSystems."/var/logs" = + { device = "/dev/disk/by-uuid/bf75af76-49b0-41fa-a4e5-9a52a6a0a667"; + fsType = "btrfs"; + options = [ "subvol=logs" "noatime" "compress=zstd" ]; + neededForBoot = true; + }; + + fileSystems."/swap" = + { device = "/dev/disk/by-uuid/bf75af76-49b0-41fa-a4e5-9a52a6a0a667"; + fsType = "btrfs"; + options = [ "subvol=swap" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3D04-3716"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + +} diff --git a/hosts/floki/hardware-configuration.nix b/hosts/floki/hardware-configuration.nix index 73e2b4b..041a6e1 100644 --- a/hosts/floki/hardware-configuration.nix +++ b/hosts/floki/hardware-configuration.nix @@ -1,7 +1,6 @@ { imports = [ - ../common/optional/ephemeral-btrfs.nix - ../common/optional/encrypted-root.nix + ../common/optional/btrfs.nix ]; boot = { @@ -17,6 +16,8 @@ efi.canTouchEfiVariables = true; }; }; + + boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/470152b6-16cc-4dcf-b1e9-c684c1589e33"; fileSystems = { "/boot" = { diff --git a/shell.nix b/shell.nix index 1ee6c7f..be24d02 100644 --- a/shell.nix +++ b/shell.nix @@ -19,6 +19,7 @@ vim emacs tig + ripgrep sops ssh-to-age
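Review bot: The `/persist` entry uses `"compression=zstd"` where every other subvolume uses `"compress=zstd"`; btrfs has no `compression` mount option, so that mount will fail and systemd will most likely drop the machine into emergency mode on first boot. Change that line to `options = [ "subvol=persist" "noatime" "compress=zstd" ];`. The `boot.initrd = { supportedFilesystems = [ "btrfs" ]; }` set at the top also appears to close with a bare `}` where `};` is required, which would stop the module from parsing before the mount problem is reached — worth confirming against the un-collapsed file, since the collapsed rendering may have dropped it. Separately, `boot.initrd.luks.devices."enc".device` is defined here and again in hosts/floki/hardware-configuration.nix with the same UUID; identical string definitions merge without error, but keeping it only in this file (which already carries the matching btrfs UUIDs) avoids the two drifting apart on a later reinstall.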
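Review bot: The mapper name `enc` in the added `boot.initrd.luks.devices."enc"` line no longer matches the NOTES procedure in this same commit, which now opens the volume as `${hostname}_crypt` (`floki_crypt`); nothing here depends on the name because the filesystems are referenced by UUID, but someone following NOTES on the installed system will look for `/dev/mapper/floki_crypt` and not find it. Either keep `enc` in NOTES or rename the attribute to `"floki_crypt"` here and in btrfs.nix, which defines the same device. The `fileSystems = { "/boot" = {` context at the end of the second hunk shows `/boot` is still defined in this file while the newly imported btrfs.nix also sets `fileSystems."/boot"`; NixOS merges the two only if every attribute agrees, so the `device` values should be checked. The enclosing attribute set and the `boot = {` block both start or end outside these hunks.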