From 2026e3e40eb4ddc6ccfed295ca3c0a9753ff5e81 Mon Sep 17 00:00:00 2001 From: rayandrew Date: Sat, 26 Oct 2024 18:20:27 -0500 Subject: [PATCH] Apply patch --- flake.lock | 21 +++++ flake.nix | 4 +- src/home/impermanence.nix | 34 ++++++++ src/hosts/default.nix | 7 +- src/hosts/pickwick/default.nix | 78 +++++++++--------- src/hosts/pickwick/disko.nix | 9 ++- src/hosts/pickwick/hardware.nix | 6 +- src/lib.nix | 4 + src/nixos/default.nix | 13 +++ src/nixos/impermanence.nix | 135 ++++++++++++++++++++++++++++++++ src/nixos/users.nix | 35 +++++++++ 11 files changed, 295 insertions(+), 51 deletions(-) create mode 100644 src/home/impermanence.nix create mode 100644 src/lib.nix create mode 100644 src/nixos/default.nix create mode 100644 src/nixos/impermanence.nix create mode 100644 src/nixos/users.nix diff --git a/flake.lock b/flake.lock index ef81198..a4c1454 100644 --- a/flake.lock +++ b/flake.lock @@ -55,6 +55,26 @@ "type": "github" } }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729394935, + "narHash": "sha256-2ntUG+NJKdfhlrh/tF+jOU0fOesO7lm5ZZVSYitsvH8=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "04f8a11f247ba00263b060fbcdc95484fd046104", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1729742320, @@ -92,6 +112,7 @@ "disko": "disko", "home-manager": "home-manager", "impermanence": "impermanence", + "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs" } diff --git a/flake.nix b/flake.nix index 6e30e20..60e2591 100644 --- a/flake.nix +++ b/flake.nix @@ -21,7 +21,7 @@ inherit system; config.allowUnfree = true; }; - lib = import ./lib.nix { + lib = import ./src/lib.nix { inherit (nixpkgs) lib; inherit pkgs; inherit (inputs) home-manager; 
@@ -52,7 +52,7 @@ in { inherit lib self; - nixosConfigurations = (import ./src/hosts/nixos.nix commonArgs); + nixosConfigurations = (import ./src/hosts/default.nix commonArgs); }; # outputs = {nixpkgs, ...} @ inputs: diff --git a/src/home/impermanence.nix b/src/home/impermanence.nix new file mode 100644 index 0000000..6407386 --- /dev/null +++ b/src/home/impermanence.nix @@ -0,0 +1,34 @@ +# note: this file exists just to define options for home-manager, +# impermanence is not actually used in standalone home-manager as +# it doesn't serve much utility on legacy distros +{ lib, ... }: +{ + options.custom = with lib; { + persist = { + home = { + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Directories to persist in home directory"; + }; + files = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Files to persist in home directory"; + }; + cache = { + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Directories to persist, but not to snapshot"; + }; + files = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Files to persist, but not to snapshot"; + }; + }; + }; + }; + }; +} diff --git a/src/hosts/default.nix b/src/hosts/default.nix index d45568e..bcb9292 100644 --- a/src/hosts/default.nix +++ b/src/hosts/default.nix @@ -27,10 +27,9 @@ let modules = [ inputs.disko.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.impermanence.nixosModules.impermanence ./${host} ./${host}/hardware.nix + ../nixos { home-manager = { useGlobalPkgs = true; @@ -44,7 +43,7 @@ let imports = [ inputs.nix-index-database.hmModules.nix-index # ./${host}/home.nix - ../../home + ../home ]; }; }; @@ -55,6 +54,8 @@ let "users" user ]) + inputs.home-manager.nixosModules.home-manager + inputs.impermanence.nixosModules.impermanence ]; }; in 
diff --git a/src/hosts/pickwick/default.nix b/src/hosts/pickwick/default.nix index 1fb381b..78e97d6 100644 --- a/src/hosts/pickwick/default.nix +++ b/src/hosts/pickwick/default.nix @@ -1,17 +1,15 @@ { config, lib, pkgs, inputs, ... }: { - imports = [ - ]; - - nixpkgs.config.allowUnfree = true; + imports = []; boot.kernelParams = [ "resume_offset=533760" ]; - boot.resumeDevice = "/dev/pool/root"; + # boot.resumeDevice = "/dev/pool/root"; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "pickwick"; + networking.hostId = builtins.substring 0 8 (builtins.hashString "md5" config.networking.hostName); networking.networkmanager.enable = true; time.timeZone = "America/Chicago"; @@ -24,7 +22,6 @@ services.xserver.desktopManager.gnome.enable = true; services.xserver.xkb.layout = "us"; - security.sudo.extraConfig = "Defaults lecture=never"; security.pam.services.login.fprintAuth = false; security.pam.services.sudo.fprintAuth = false; @@ -47,17 +44,17 @@ services.libinput.enable = true; - users.users.root.hashedPasswordFile = "/persist/passwords/root"; - users.users.rayandrew = { - isNormalUser = true; - # initialPassword = "12345"; - hashedPasswordFile = "/persist/passwords/rayandrew"; - extraGroups = [ "wheel" "audio" "keyd" ]; - packages = with pkgs; [ - firefox - tree - ]; - }; + # users.users.root.hashedPasswordFile = "/persist/passwords/root"; + # users.users.rayandrew = { + # isNormalUser = true; + # # initialPassword = "12345"; + # hashedPasswordFile = "/persist/passwords/rayandrew"; + # extraGroups = [ "wheel" "audio" "keyd" ]; + # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; users.groups.keyd = {}; environment.systemPackages = with pkgs; [ 
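Review bot: `networking.hostId` is now derived from `networking.hostName`, so renaming the host changes the hostid and ZFS will consider `zroot` last imported by a different system and refuse the import at boot unless forced; pinning the literal value is safer, e.g. `networking.hostId = "<the 8 hex digits the current hash yields>";`. In the same hunk `boot.resumeDevice` is commented out while `boot.kernelParams = [ "resume_offset=533760" ]` stays; without a resume device the offset is inert, so either drop the kernel parameter or restore the device line so the hibernation intent is explicit rather than half-configured.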
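Review bot: The commented-out user block carried `extraGroups = [ "wheel" "audio" "keyd" ]`, and the replacement in `src/nixos/users.nix` in this patch grants only `networkmanager` and `wheel`, so the `audio` and `keyd` memberships are dropped while `users.groups.keyd = {};` is still declared here with no members. If keyd still needs the group, add the host-specific memberships back here, e.g. `users.users.rayandrew.extraGroups = [ "audio" "keyd" ];` (list options merge, so this composes with users.nix). Since the old definition is only commented out rather than deleted, removing it outright would also avoid two diverging copies of the user.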
@@ -99,32 +96,31 @@ programs.dconf.enable = true; - fileSystems."/persist".neededForBoot = true; - environment.persistence."/persist/system" = { - hideMounts = true; - directories = [ - "/var/log" - "/var/lib/fprint" - "/var/lib/nixos" - "/var/lib/bluetooth" - "/var/lib/systemd/coredump" - "/etc/NetworkManager/system-connections" - { directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; } - ]; - files = [ - "/etc/machine-id" - ]; - }; + # environment.persistence."/persist/system" = { + # hideMounts = true; + # directories = [ + # "/var/log" + # "/var/lib/fprint" + # "/var/lib/nixos" + # "/var/lib/bluetooth" + # "/var/lib/systemd/coredump" + # "/etc/NetworkManager/system-connections" + # { directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; } + # ]; + # files = [ + # "/etc/machine-id" + # ]; + # }; programs.fuse.userAllowOther = true; - home-manager = { - extraSpecialArgs = {inherit inputs pkgs;}; - users = { - "rayandrew" = import ./home.nix; - }; - useGlobalPkgs = true; - useUserPackages = true; - }; + # home-manager = { + # extraSpecialArgs = {inherit inputs pkgs;}; + # users = { + # "rayandrew" = import ./home.nix; + # }; + # useGlobalPkgs = true; + # useUserPackages = true; + # }; services.keyd = { enable = true; diff --git a/src/hosts/pickwick/disko.nix b/src/hosts/pickwick/disko.nix index a0ae040..2b796fb 100644 --- a/src/hosts/pickwick/disko.nix +++ b/src/hosts/pickwick/disko.nix 
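Review bot: Commenting out the host persistence drops `/var/lib/fprint`, `/var/lib/bluetooth`, `/var/lib/systemd/coredump` and the colord entry, and the shared module in `src/nixos/impermanence.nix` persists only `/var/log`, `/var/lib/nixos` and NetworkManager connections, so with `/` on tmpfs those directories come back empty on every boot (fingerprint enrollments and bluetooth pairings are lost). Declare them through the new option instead, e.g. `custom.persist.root.directories = [ "/var/lib/fprint" "/var/lib/bluetooth" "/var/lib/systemd/coredump" ];`; the colord entry needs the attrset form with user/group/mode, which the option's `listOf str` type as written will not accept. Note also that the persisted tree moves from `/persist/system` to `/persist`, so state already on disk under `/persist/system` is not picked up until it is moved.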
@@ -71,23 +71,24 @@ zpool = { zroot = { type = "zpool"; - mode = "mirror"; + # mode = "mirror"; options = { cachefile = "none"; - ashift = 12; + ashift = "12"; autotrim = "on"; }; rootFsOptions = { compression = "zstd"; acltype = "posixacl"; xattr = "sa"; - "com.sun:auto-snapshot" = "false"; mountpoint = "none"; encryption = "aes-256-gcm"; keyformat = "passphrase"; keylocation = "prompt"; + normalization = "formD"; + "com.sun:auto-snapshot" = "false"; }; - mountpoint = "none"; + mountpoint = null; postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank"; datasets = { nix = { diff --git a/src/hosts/pickwick/hardware.nix b/src/hosts/pickwick/hardware.nix index 71a87ed..4f09066 100644 --- a/src/hosts/pickwick/hardware.nix +++ b/src/hosts/pickwick/hardware.nix @@ -1,7 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ input, config, lib, pkgs, modulesPath, ... }: +{ inputs, config, lib, pkgs, modulesPath, ... }: { imports = [ @@ -25,4 +25,8 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + # filesystems + fileSystems."/cache".neededForBoot = true; + fileSystems."/persist".neededForBoot = true; } diff --git a/src/lib.nix b/src/lib.nix new file mode 100644 index 0000000..9fb4299 --- /dev/null +++ b/src/lib.nix @@ -0,0 +1,4 @@ +{ lib, pkgs, ... }: + +lib.extend (_: libprev: { +}) diff --git a/src/nixos/default.nix b/src/nixos/default.nix new file mode 100644 index 0000000..3fe9fb3 --- /dev/null +++ b/src/nixos/default.nix @@ -0,0 +1,13 @@ +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + ./users.nix + ./impermanence.nix + ]; +} diff --git a/src/nixos/impermanence.nix b/src/nixos/impermanence.nix new file mode 100644 index 0000000..9956740 --- /dev/null 
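Review bot: `fileSystems."/cache".neededForBoot = true;` and `fileSystems."/persist".neededForBoot = true;` are added to a file whose header states it is generated by `nixos-generate-config` and may be overwritten, so the next regeneration silently drops them and `environment.persistence` would then run before `/persist` and `/cache` are mounted. Move the two lines into `src/nixos/impermanence.nix`, the module that actually depends on them, or into the host's `default.nix`. The `input` → `inputs` argument fix in the same file is fine, but it shows the file is being hand-edited despite its header; consider regenerating it or dropping the header comment.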
+++ b/src/nixos/impermanence.nix 
@@ -0,0 +1,135 @@ +{ + config, + lib, + pkgs, + user, + ... +}: +let + cfg = config.custom.persist; + hmPersistCfg = config.hm.custom.persist; + assertNoHomeDirs = + paths: + assert (lib.assertMsg (!lib.any (lib.hasPrefix "/home") paths) "/home used in a root persist!"); + paths; +in +{ + options.custom = with lib; { + persist = { + root = { + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + apply = assertNoHomeDirs; + description = "Directories to persist in root filesystem"; + }; + files = mkOption { + type = types.listOf types.str; + default = [ ]; + apply = assertNoHomeDirs; + description = "Files to persist in root filesystem"; + }; + cache = { + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + apply = assertNoHomeDirs; + description = "Directories to persist, but not to snapshot"; + }; + files = mkOption { + type = types.listOf types.str; + default = [ ]; + apply = assertNoHomeDirs; + description = "Files to persist, but not to snapshot"; + }; + }; + }; + home = { + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Directories to persist in home directory"; + }; + files = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Files to persist in home directory"; + }; + }; + }; + }; + + config = { + # clear /tmp on boot, since it's a zfs dataset + boot.tmp.cleanOnBoot = true; + + # root and home on tmpfs + # neededForBoot is required, so there won't be permission errors creating directories or symlinks + # https://github.com/nix-community/impermanence/issues/149#issuecomment-1806604102 + fileSystems."/" = lib.mkForce { + device = "tmpfs"; + fsType = "tmpfs"; + neededForBoot = true; + options = [ + "defaults" + "size=1G" + "mode=755" + ]; + }; + + # shut sudo up + security.sudo.extraConfig = "Defaults lecture=never"; + + # setup persistence + environment.persistence = { + "/persist" = { + hideMounts = true; + files = [ "/etc/machine-id" ] ++ 
cfg.root.files; + directories = [ + "/var/log" # systemd journal is stored in /var/log/journal + "/var/lib/nixos" # for persisting user uids and gids + "/etc/NetworkManager/system-connections" + ] ++ cfg.root.directories; + + # users.${user} = { + # files = cfg.home.files ++ hmPersistCfg.home.files; + # directories = [ + # "projects" + # ".cache/dconf" + # ".config/dconf" + # ] ++ cfg.home.directories ++ hmPersistCfg.home.directories; + # }; + }; + + # cache are files that should be persisted, but not to snapshot + # e.g. npm, cargo cache etc, that could always be redownloaded + "/cache" = { + hideMounts = true; + inherit (cfg.root.cache) directories files; + + users.${user} = { + inherit (hmPersistCfg.home.cache) directories files; + }; + }; + }; + + hm.xdg.stateFile."impermanence.json".text = + let + getDirPath = prefix: d: "${prefix}${d.dirPath}"; + getFilePath = prefix: f: "${prefix}${f.filePath}"; + persistCfg = config.environment.persistence."/persist"; + persistCacheCfg = config.environment.persistence."/cache"; + allDirectories = + map (getDirPath "/persist") (persistCfg.directories) + ++ map (getDirPath "/cache") (persistCacheCfg.directories); + allFiles = + map (getFilePath "/persist") (persistCfg.files) + ++ map (getFilePath "/cache") (persistCacheCfg.files); + sort-uniq = arr: lib.sort lib.lessThan (lib.unique arr); + in + lib.strings.toJSON { + directories = sort-uniq allDirectories; + files = sort-uniq allFiles; + }; + }; +} diff --git a/src/nixos/users.nix b/src/nixos/users.nix new file mode 100644 index 0000000..36aff4a --- /dev/null +++ b/src/nixos/users.nix 
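Review bot: The `custom.persist.home.directories`/`files` options and `hmPersistCfg.home.files`/`directories` are declared but never consumed, because the `users.${user}` block under `"/persist"` is commented out; with `/` forced to tmpfs, anything a user declares there is silently lost on reboot. Either re-enable it (`users.${user} = { files = cfg.home.files ++ hmPersistCfg.home.files; directories = cfg.home.directories ++ hmPersistCfg.home.directories; };`) or remove the options so the module does not advertise persistence it does not provide. `config.hm.custom.persist` and `hm.xdg.stateFile` also presume an `hm` alias to the home-manager user config that is not defined in this patch; if it lives elsewhere in the repo, a comment pointing to it would help the next reader. Separately, if sshd is enabled on this host, `/etc/ssh` host keys are not in the persisted set and would be regenerated every boot, breaking known_hosts on every client — if so, add `/etc/ssh/ssh_host_ed25519_key` and its `.pub` to `custom.persist.root.files`.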
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ user,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ users = {
+ mutableUsers = false;
+ # setup users with persistent passwords
+ # https://reddit.com/r/NixOS/comments/o1er2p/tmpfs_as_root_but_without_hardcoding_your/h22f1b9/
+ # create a password with for root and $user with:
+ # mkpasswd -m sha-512 'PASSWORD' | sudo tee -a /persist/etc/shadow/root
+ users = {
+ root = {
+ # initialPassword = "password";
+ hashedPasswordFile = "/persist/etc/shadow/root";
+ };
+ ${user} = {
+ isNormalUser = true;
+ # initialPassword = "password";
+ hashedPasswordFile = "/persist/etc/shadow/${user}";
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+ };
+ };
+ }
+ ];
+}
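Review bot: The setup comment `mkpasswd -m sha-512 'PASSWORD' | sudo tee -a /persist/etc/shadow/root` puts the cleartext password on the command line (shell history, `ps`) and appends, so a second run leaves two hashes in the file and the account becomes unusable; with `mutableUsers = false` and both `initialPassword` lines commented out, a missing or malformed hash file locks root and the user out with no fallback. Suggest `# mkpasswd -m sha-512 | sudo tee /persist/etc/shadow/root` (interactive prompt, overwrite) followed by `# sudo chmod 700 /persist/etc/shadow && sudo chmod 600 /persist/etc/shadow/*`, since the hash files should not be world-readable. Note the path changed from `/persist/passwords/<name>` in the old host config to `/persist/etc/shadow/<name>`, so the existing files must be moved before the first switch, and `/persist` has to be mounted at activation time (it is marked `neededForBoot` elsewhere in this patch).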