From 08290e5052f5d333e4ebd795c2eabacd2a280a72 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 30 Apr 2023 13:41:09 +0200
Subject: [PATCH] feat: move common disko functionality into lib

---
 README.md | 2 +-
 hosts/common/zfs.nix | 4 ++
 hosts/nom/net.nix | 6 ++-
 hosts/ward/fs.nix | 58 +++++++++------------
 hosts/ward/secrets/secrets.nix.age | Bin 503 -> 658 bytes
 nix/lib.nix | 80 +++++++++++++++++------------
 6 files changed, 80 insertions(+), 70 deletions(-)

diff --git a/README.md b/README.md
index a0d096f..9a4290e 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ This is my personal nix config.
 
 #### Initial deploy
 
-- Create a iso disk image for the system by using `nix build --print-out-paths --no-link .#installer-image-`
+- Create a iso disk image for the system with `nix build --print-out-paths --no-link .#installer-image-`
 - dd the resulting image to a stick and boot from it on the target
 - (Optional) ssh into the target (keys are already set up)
 - Run `install-system` and reboot
diff --git a/hosts/common/zfs.nix b/hosts/common/zfs.nix
index c1dda8a..7f3df45 100644
--- a/hosts/common/zfs.nix
+++ b/hosts/common/zfs.nix
@@ -6,6 +6,10 @@
 boot.supportedFilesystems = ["zfs"];
 boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 
+ # The root pool should never be imported forcefully.
+ # Failure to import is important to notice!
+ boot.zfs.forceImportRoot = false;
+
 environment.systemPackages = with pkgs; [zfs];
 
 services.zfs = {
diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix
index 0723e58..32b38fa 100644
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@@ -1,4 +1,8 @@
-{nodeSecrets, ...}: {
+{
+ config,
+ nodeSecrets,
+ ...
+}: {
 networking = {
 inherit (nodeSecrets.networking) hostId;
 wireless.iwd.enable = true;
diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix
index 0ea96fd..6d305dc 100644
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@@ -1,5 +1,6 @@
 {
 extraLib,
+ nodeSecrets,
 pkgs,
 ...
 }: {
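Review bot: The comment on `boot.zfs.forceImportRoot = false;` gives the policy but not the symptom a maintainer will meet: the root pool then refuses to import whenever its recorded hostid differs from the booting system's (a changed `networking.hostId`, a reinstall, or a pool last imported on another machine), and boot stops in the initrd, which is the intended fail-closed outcome. Suggest a third comment line: `# A hostid mismatch (e.g. changed networking.hostId) therefore stops the boot: fix the id instead of forcing the import.` Note this covers the root pool only; any other pools on these hosts are presumably governed by `boot.zfs.forceImportAll`, which this commit leaves as it is.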
@@ -7,49 +8,38 @@
 disk = {
 m2-ssd = {
 type = "disk";
- device = "/dev/disk/by-id/nvme-Samsung_SSD_980_1TB_S649NL0TC36758M";
- content = {
+ device = "/dev/disk/by-id/${nodeSecrets.disk.m2-ssd}";
+ content = with extraLib.disko.gpt; {
 type = "table";
 format = "gpt";
 partitions = [
- {
- name = "efi";
- start = "0%";
- end = "1GiB";
- fs-type = "fat32";
- bootable = true;
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- }
- {
- name = "swap";
- start = "1GiB";
- end = "17GiB";
- fs-type = "linux-swap";
- content = {
- type = "swap";
- randomEncryption = true;
- };
- }
- {
- name = "rpool";
- start = "17GiB";
- end = "100%";
- content = {
- type = "zfs";
- pool = "rpool";
- };
- }
+ (partEfi "efi" "0%" "1GiB")
+ (partSwap "swap" "1GiB" "17GiB")
+ (partZfs "rpool" "17GiB" "100%")
 ];
 };
 };
 };
- zpool = extraLib.disko.defineEncryptedZpool "rpool" {};
+ zpool = with extraLib.disko.zfs; {
+ rpool =
+ encryptedZpool
+ // {
+ datasets = {
+ "local" = unmountable;
+ "local/root" =
+ filesystem "/"
+ // {
+ postCreateHook = "zfs snapshot rpool/local/root@blank";
+ };
+ "local/nix" = filesystem "/nix";
+ "safe" = unmountable;
+ "safe/persist" = filesystem "/persist";
+ };
+ };
+ };
 };
 
+ # After importing the rpool, rollback the root system to be empty.
 boot.initrd.systemd.services = {
 impermanence-root = {
 wantedBy = ["initrd.target"];
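Review bot: The pool name `rpool` is now written out three times in this hunk where the removed `defineEncryptedZpool "rpool"` call derived everything from one argument: in `(partZfs "rpool" "17GiB" "100%")`, in the attribute `rpool =`, and inside `postCreateHook = "zfs snapshot rpool/local/root@blank";`, and the `impermanence-root` service below (its body continues outside the hunk) presumably names the same snapshot. A rename that misses one of them yields a partition pointing at a pool disko never creates, or a root dataset with no `@blank` snapshot to roll back to. Binding it once, `let pool = "rpool"; in` around the `disko.devices` value (its opening line is outside the hunk), and using `(partZfs pool "17GiB" "100%")`, `${pool} = encryptedZpool // {` and `postCreateHook = "zfs snapshot ${pool}/local/root@blank";` removes the duplication. The two `with extraLib.disko.*;` scopes also hide where `filesystem`, `unmountable` and the `part*` helpers come from; `inherit (extraLib.disko.zfs) encryptedZpool filesystem unmountable;` in that same `let` keeps it explicit.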
diff --git a/hosts/ward/secrets/secrets.nix.age b/hosts/ward/secrets/secrets.nix.age index 7990cb5b8f6d669cabccf436aa36e285b2af10c5..b2649156669be49cbff5f51ac1d6e226dc350e24 100644 GIT binary patch delta 637 zcmV-@0)qYb1Cj-hAb&DLb~rO}LUcztMRP??Yi=@cc1ur6H(Ehvcu6^DHaBQcOl)j) zFlu^3MG9$TF)&jyT5D@?Z%b2Sb#ggwVRbT1H8e~#G)hS}Sx{McNlkf1a4%*~FbXX` zAaH4REpRe5HXwL$Q)M_&AVF+LST|T|PS1U$zD|&58Nl`{G-Xh9OEp?lQgTI2ST=5H zFK7yBD{4wMIZYHbz(MYXIDd2W^7S(Q!h$FYB5YzLNp33EiE8XYEE)?ICFYy zH8*c&adU1;VPiy1Z(>evFh*rdMS6E_c{f^YH&iwN>RbgUCS~X!sGEaAKL}YPMa#C(Dd2LH< zHdRq*NeX8xNpxjxWOY?lZ!~%@G)6Z>P;o1HHhFbIGGsArML1_!Q&weqG;MNcFbXX` zAaH4REpRe5HXwL$Q)M_&AVF_dWKu^^F9LUM3PYimR?N?K-k zQFu;aLUuJTY)T4xGEZkmD`IkHdTvW*IX5y@VNp*-a6xTraC$IyaCI|5MpbQ4V^(iB zOhpPUJ|ICYXL4m>b7df2S}6)QRa8}ZRdF*&HgHxnR#|#dXiYO_a5HXLXi*9+EiE8f zH!)dLc3MeSSbsKXP)tcPM>b1#H&<9=YC>#RM_4dON>O!4bU{aLF?uixuW2?J;r_m4 z^Lnsfga?0*NbgqX2+s9RMTUi-Nb0`7zym)&tfXScy;mD%|8@cTrl3Lw8_d8)A=2Z_&qD3V!SZp1q zszVJ5sZe@>F99}!K%hKN8Sf~fLSj1X9!tCW1TC0-8IB_ XlY_9tuUA*`OJ@vlPiQw^#s^_aR1Uau diff --git a/nix/lib.nix b/nix/lib.nix index e1b3a2c..284a341 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -19,6 +19,7 @@ mapAttrs' mergeAttrs nameValuePair + optionalAttrs partition recursiveUpdate removeSuffix 
@@ -48,11 +49,36 @@ in rec {
 # True if the path or string starts with /
 isAbsolutePath = x: substring 0 1 x == "/";
 
- # Defines a simple encrypted and compressed pool
- # with datasets necessary datasets for use with impermanence
- disko.defineEncryptedZpool = name:
- recursiveUpdate {
- ${name} = {
+ disko = {
+ gpt = {
+ partEfi = name: start: end: {
+ inherit name start end;
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ partSwap = name: start: end: {
+ inherit name start end;
+ fs-type = "linux-swap";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ partZfs = name: start: end: {
+ inherit name start end;
+ content = {
+ type = "zfs";
+ pool = name;
+ };
+ };
+ };
+ zfs = {
+ encryptedZpool = {
 type = "zpool";
 mountRoot = "/mnt";
 rootFsOptions = {
@@ -69,37 +95,23 @@ in rec {
 keylocation = "prompt";
 };
 options.ashift = "12";
- datasets = {
- "local".type = "zfs_fs";
- "local/root" = {
- type = "zfs_fs";
- postCreateHook = "zfs snapshot ${name}/local/root@blank";
- options = {
- canmount = "on";
- mountpoint = "/";
- };
- mountpoint = "/";
- };
- "local/nix" = {
- type = "zfs_fs";
- options = {
- canmount = "on";
- mountpoint = "/nix";
- };
- mountpoint = "/nix";
- };
- "safe".type = "zfs_fs";
- "safe/persist" = {
- type = "zfs_fs";
- options = {
- canmount = "on";
- mountpoint = "/persist";
- };
- mountpoint = "/persist";
- };
- };
 };
+
+ unmountable = {type = "zfs_fs";};
+ filesystem = mountpoint:
+ {
+ type = "zfs_fs";
+ options = {
+ canmount = "on";
+ inherit mountpoint;
+ };
+ }
+ // optionalAttrs (mountpoint == "/") {
+ # Required to add dependencies for initrd
+ inherit mountpoint;
+ };
 };
+ };
 
 rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
 rageExtraEncryptionPubkeys =
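Review bot: The new `disko.gpt` helpers have no comment although the removed `defineEncryptedZpool` had one, and `partZfs` carries a non-obvious contract: `pool = name;` reuses the partition name as the zpool name, so a caller must define `zpool.<name>` with exactly that attribute name or the partition refers to a pool disko never creates. Suggest a header above `gpt = {`: `# GPT partition helpers: each takes NAME START END and returns one disko partition entry; partZfs uses NAME as the zpool name, so zpool.<NAME> must be defined by the caller.` A line on `partSwap` saying that `randomEncryption = true` means a fresh swap key on every boot, which as far as I know rules out resuming from hibernation on that swap, would save the next reader a lookup. `encryptedZpool` continues past the end of the hunk.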
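Review bot: `filesystem` is not a pure extraction of the removed dataset definitions: the old `"local/nix"` and `"safe/persist"` entries set a disko-level `mountpoint = "/nix"` / `"/persist"` next to `options.mountpoint`, whereas the new helper emits the disko-level attribute only for `/`. If disko derives `fileSystems` entries from that attribute, as the `# Required to add dependencies for initrd` comment implies, `/nix` and `/persist` no longer get one and are left to ZFS native mounting, which affects what is mounted in stage 1 and how `neededForBoot` for `/persist` (presumably the impermanence source) can be expressed. If that is intended, say so where the comment is: `# Only "/" gets a disko-level mountpoint: it yields the fileSystems."/" entry the initrd needs; the other datasets are mounted by ZFS through their native mountpoint property.` Otherwise make the `inherit mountpoint;` unconditional to keep the previous behaviour.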