diff --git a/common.nix b/common.nix
index 36f7483..e51ce81 100644
--- a/common.nix
+++ b/common.nix
@@ -38,15 +38,89 @@ in
 # we want to be able to do a memtest
 boot.loader.systemd-boot.memtest86.enable = true;
 
- # use systemd early
- boot.initrd.systemd.enable = true;
-
 # setup the console stuff early
 console.earlySetup = true;
 
 # swap to RAM
 zramSwap.enable = true;
 
+ # root file system from encrypted disk
+ fileSystems."/" =
+ { device = "/dev/mapper/crypt-system";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "subvol=root" "noatime" "nodiratime" ];
+ };
+
+ # nix store file system from encrypted disk
+ fileSystems."/nix" =
+ { device = "/dev/mapper/crypt-system";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "subvol=nix" "noatime" "nodiratime" ];
+ };
+
+ # data store file system from encrypted disk
+ fileSystems."/data" =
+ { device = "/dev/mapper/crypt-system";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "subvol=data" "noatime" "nodiratime" ];
+ };
+
+ # bind mount to have homes
+ fileSystems."/home" =
+ { device = "/data/home";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have root home
+ fileSystems."/root" =
+ { device = "/data/root";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have NixOS configuration, different per host
+ fileSystems."/etc/nixos" =
+ { device = "/data/nixos/${config.networking.hostName}";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" ];
+ depends = [ "/data" ];
+ };
+
+ # impermanence root setup
+ boot.initrd.postDeviceCommands = pkgs.lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/mapper/crypt-system /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
 # keep some stuff persistent
 environment.persistence."/nix/persistent" = {
 directories = [
diff --git a/mini/hardware-configuration.nix b/mini/hardware-configuration.nix
index 6cef000..76fd0c0 100644
--- a/mini/hardware-configuration.nix
+++ b/mini/hardware-configuration.nix
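Review bot: The `boot.initrd.postDeviceCommands` script has no error handling, so when `mount /dev/mapper/crypt-system /btrfs_tmp` fails the following `mv`, `btrfs subvolume create` and `umount` run against the initrd's own filesystem instead of the disk; guarding it as `mount /dev/mapper/crypt-system /btrfs_tmp || fail` (stage-1 provides a `fail` helper that drops to the emergency shell — confirm on the NixOS release in use) stops a bad mount from passing silently. The `find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30` loop also matches the `old_roots` directory itself once its mtime is older than 30 days, handing a plain directory to `delete_subvolume_recursively`; `-mindepth 1` excludes it. `IFS=$'\n'` in that function is not `local`, so it remains set for the later `find` loop. A comment above the block should say that previous roots are not wiped but kept under `old_roots` for 30 days on the encrypted volume, so anything a service wrote outside the persisted directories stays readable there until the cleanup runs. The enclosing attribute set begins and ends outside the hunk.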
@@ -13,60 +13,15 @@
 # system
 boot.initrd.luks.devices."crypt-system".device = "/dev/disk/by-id/nvme-CT4000P3PSSD8_2325E6E63746-part2";
 
- # vms
- boot.initrd.luks.devices."crypt-vms".device = "/dev/disk/by-id/ata-CT2000MX500SSD1_2138E5D5061F";
-
- fileSystems."/" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=root" "noatime" "nodiratime" ];
- };
-
+ # efi partition
 fileSystems."/boot" =
 { device = "/dev/disk/by-id/nvme-CT4000P3PSSD8_2325E6E63746-part1";
 fsType = "vfat";
 neededForBoot = true;
 };
 
- fileSystems."/nix" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=nix" "noatime" "nodiratime" ];
- };
-
- fileSystems."/data" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=data" "noatime" "nodiratime" ];
- };
-
- fileSystems."/home" =
- { device = "/data/home";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
- fileSystems."/root" =
- { device = "/data/root";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
- fileSystems."/etc/nixos" =
- { device = "/data/nixos/mini";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
+ # vms
+ boot.initrd.luks.devices."crypt-vms".device = "/dev/disk/by-id/ata-CT2000MX500SSD1_2138E5D5061F";
 fileSystems."/home/cullmann/vms" =
 { device = "/dev/mapper/crypt-vms";
 fsType = "btrfs";
diff --git a/neko/hardware-configuration.nix b/neko/hardware-configuration.nix
index b1109ef..b26f648 100644
--- a/neko/hardware-configuration.nix
+++ b/neko/hardware-configuration.nix
@@ -13,63 +13,15 @@
 # system
 boot.initrd.luks.devices."crypt-system".device = "/dev/disk/by-id/nvme-Seagate_FireCuda_530_ZP4000GM30013_7VS01VBM-part2";
 
- # vms
- boot.initrd.luks.devices."crypt-vms".device = "/dev/disk/by-id/nvme-CT2000P5PSSD8_213330E4ED05";
-
- # projects
- boot.initrd.luks.devices."crypt-projects".device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S69ENF0R846614L";
-
- fileSystems."/" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=root" "noatime" "nodiratime" ];
- };
-
+ # efi partition
 fileSystems."/boot" =
 { device = "/dev/disk/by-id/nvme-Seagate_FireCuda_530_ZP4000GM30013_7VS01VBM-part1";
 fsType = "vfat";
 neededForBoot = true;
 };
 
- fileSystems."/nix" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=nix" "noatime" "nodiratime" ];
- };
-
- fileSystems."/data" =
- { device = "/dev/mapper/crypt-system";
- fsType = "btrfs";
- neededForBoot = true;
- options = [ "subvol=data" "noatime" "nodiratime" ];
- };
-
- fileSystems."/home" =
- { device = "/data/home";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
- fileSystems."/root" =
- { device = "/data/root";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
- fileSystems."/etc/nixos" =
- { device = "/data/nixos/neko";
- fsType = "none";
- neededForBoot = true;
- options = [ "bind" ];
- depends = [ "/data" ];
- };
-
+ # vms
+ boot.initrd.luks.devices."crypt-vms".device = "/dev/disk/by-id/nvme-CT2000P5PSSD8_213330E4ED05";
 fileSystems."/home/cullmann/vms" =
 { device = "/dev/mapper/crypt-vms";
 fsType = "btrfs";
@@ -78,6 +30,8 @@
 depends = [ "/home" ];
 };
 
+ # projects
+ boot.initrd.luks.devices."crypt-projects".device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S69ENF0R846614L";
 fileSystems."/home/cullmann/projects" =
 { device = "/dev/mapper/crypt-projects";
 fsType = "btrfs";