diff --git a/README.md b/README.md
index 9a4290e..b310dd1 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,6 @@ This is my personal nix config.
 - `secrets.nix.age` Repository-wide local secrets. Decrypted on import via `builtins.extraBuiltins.rageImportEncrypted`.
 - `host.pub` This host's public key. Used for agenix rekeying.
 - `default.nix` The actual system definition. Follow the imports from there to see what it entails.
-- `meta.nix` Determines the type and architecture of this system, and some other optional meta information. Used e.g. by `nix/colmena.nix` to know which hosts are real NixOS hosts, and which are VMs or some other type.
 - `fs.nix` Filesystem setup.
 - `net.nix` Networking setup.
 - `nom/` - My laptop and main development machine
@@ -54,8 +53,8 @@ This is my personal nix config.
 ... incomplete.
-- add hosts/
-- fill meta.nix
+- add to `hosts` in `flake.nix`
+- create hosts/
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
 - generate-initrd-keys
diff --git a/flake.lock b/flake.lock
index 651a09d..11b5e69 100644
--- a/flake.lock
+++ b/flake.lock
@@ -28,11 +28,11 @@
 ]
 },
 "locked": {
- "lastModified": 1682072804,
- "narHash": "sha256-Y7Q7dUXzEwIxZ0a2iTDF7e/hv4GFmn7ejfSr5JWSPCI=",
+ "lastModified": 1682854491,
+ "narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
 "owner": "oddlama",
 "repo": "agenix-rekey",
- "rev": "d00eaa5c9bb71a0858fe7fd4a148445a428b311c",
+ "rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
 "type": "github"
 },
 "original": {
@@ -116,11 +116,11 @@
 ]
 },
 "locked": {
- "lastModified": 1682802069,
- "narHash": "sha256-hctikxnF3AvHckQqzNa/4YLHbNNrdC733VsTZPWeyTo=",
+ "lastModified": 1682856014,
+ "narHash": "sha256-QkjneK3DH68IsEf2VnTkMesjsyHsVeVlr6TFxp97uIw=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "c917cb9cdb621f3b60a7ccc77729cab52250da81",
+ "rev": "8b43938cf77bbeddec127a5398b5dba3578c4290",
 "type": "github"
 },
 "original": {
@@ -257,11 +257,11 @@
 ]
 },
 "locked": {
- "lastModified": 1682097095,
- "narHash": "sha256-ecIKDVpayjIDEdxWCSHmG4yJQ21/nKZkhFNlLzwttWU=",
+ "lastModified": 1682817142,
+ "narHash": "sha256-mkKUFwQq8Sgw+p82K5SoWO6lODFeJcr+SpzH3+Utye0=",
 "owner": "astro",
 "repo": "microvm.nix",
- "rev": "b2627f159e8b54e4f6af7edc88b64fa3736819c9",
+ "rev": "15fb183b412619d27db227dcbaf959c63bdaba09",
 "type": "github"
 },
 "original": {
@@ -308,11 +308,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1680876084,
- "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=",
+ "lastModified": 1682836095,
+ "narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2",
+ "rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3",
 "type": "github"
 },
 "original": {
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index 6d5df74..cd45342 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -8,6 +8,7 @@
 }: {
 imports = [
 ./inputrc.nix
+ ./impermanence.nix
 ./issue.nix
 ./net.nix
 ./nix.nix
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
new file mode 100644
index 0000000..0b696d2
--- /dev/null
+++ b/hosts/common/core/impermanence.nix
@@ -0,0 +1,28 @@
+{
+ # State that should be kept across reboots, but is otherwise
+ # NOT important information in any way that needs to be backed up.
+ #environment.persistence."/nix/state" = {
+ # hideMounts = true;
+ # files = [
+ # "/etc/machine-id"
+ # "/etc/ssh/ssh_host_ed25519_key"
+ # "/etc/ssh/ssh_host_ed25519_key.pub"
+ # ];
+ # directories = [
+ # "/var/log"
+ # ];
+ #};
+
+ # State that should be kept forever, and backed up accordingly.
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ directories = [
+ "/var/log"
+ ];
+ };
+}
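Review bot: The active `/persist` block persists `/etc/ssh/ssh_host_ed25519_key`, the host's private key, under the location the header comment describes as "backed up accordingly", so every backup of `/persist` will carry that key — presumably the private counterpart of the `host.pub` the README says is used for agenix rekeying. If that is intended, say so next to the entry, e.g. `# contains the host private key: backups of /persist must be encrypted and access-controlled`; otherwise the key pair belongs in a persisted-but-not-backed-up location like the one the commented `/nix/state` block sketches. That commented block is currently a verbatim copy of the active one, so it no longer illustrates the distinction its header comment draws. Separately, this module is imported from hosts/common/core for every host, but `fileSystems."/persist".neededForBoot = true` is added only in hosts/ward/fs.nix; impermanence expects the persistent filesystem to be mounted early for files such as `/etc/machine-id` and the host keys, so every other host needs an equivalent `/persist` definition or evaluation/boot will fail there.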
diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix
index b6f1579..c9c8c68 100644
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 extraLib,
 nodeSecrets,
 pkgs,
@@ -39,6 +40,8 @@
 };
 };
+ fileSystems."/persist".neededForBoot = true;
+
 #environment.persistence."/persist".directories = [
 # { directory = "/var/lib/acme"; user = "acme"; group = "acme"; }
 #];
diff --git a/nix/generate-node.nix b/nix/generate-node.nix
index 8569950..271c660 100644
--- a/nix/generate-node.nix
+++ b/nix/generate-node.nix
@@ -5,7 +5,7 @@
 colmena,
 disko,
 home-manager,
- #impermanence,
+ impermanence,
 microvm,
 nixos-hardware,
 nixos-nftables-firewall,
@@ -33,7 +33,7 @@ in
 agenix-rekey.nixosModules.default
 disko.nixosModules.disko
 home-manager.nixosModules.default
- #impermanence.nixosModules.default
+ impermanence.nixosModules.impermanence
 nixos-nftables-firewall.nixosModules.default
 ]
 ++ optionals (nodeMeta.microVmHost or false) [
diff --git a/nix/lib.nix b/nix/lib.nix
index 284a341..d5189e2 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -98,18 +98,15 @@ in rec {
 };
 unmountable = {type = "zfs_fs";};
- filesystem = mountpoint:
- {
- type = "zfs_fs";
- options = {
- canmount = "on";
- inherit mountpoint;
- };
- }
- // optionalAttrs (mountpoint == "/") {
- # Required to add dependencies for initrd
+ filesystem = mountpoint: {
+ type = "zfs_fs";
+ options = {
+ canmount = "on";
 inherit mountpoint;
 };
+ # Required to add dependencies for initrd
+ inherit mountpoint;
+ };
 };
 };
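Review bot: The comment `# Required to add dependencies for initrd` now sits on a top-level `inherit mountpoint;` that applies to every dataset, whereas the removed `optionalAttrs (mountpoint == "/")` guard limited it to the root dataset, so the comment no longer explains the code beneath it. As far as I can tell, a top-level `mountpoint` on a disko `zfs_fs` makes disko emit a `fileSystems` entry for that dataset, which is what lets hosts/ward/fs.nix set `fileSystems."/persist".neededForBoot` in the same commit; the comment should state that, e.g. `# Top-level mountpoint makes disko generate a fileSystems entry for every dataset (initrd dependencies, neededForBoot)`. This is a behaviour change for every non-root dataset, which previously relied on the ZFS `mountpoint` property alone, so it is worth confirming on an existing host that disko's generated entries do not fight with `canmount = "on"` over the same mount. The enclosing `rec { ... }` attrset begins before the hunk.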