120 lines
3.1 KiB
Nix
120 lines
3.1 KiB
Nix
{ lib, pkgs, ... }:
|
|
|
|
{
|
|
# needed for zfs pool
|
|
networking.hostId = "1f8b8073";
|
|
disko.devices = {
|
|
disk = {
|
|
main = {
|
|
type = "disk";
|
|
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNX0J351943M";
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
ESP = {
|
|
size = "512M";
|
|
type = "EF00";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
};
|
|
};
|
|
encryptedSwap = {
|
|
size = "8G";
|
|
content = {
|
|
type = "swap";
|
|
randomEncryption = true;
|
|
};
|
|
};
|
|
zfs = {
|
|
size = "100%";
|
|
content = {
|
|
type = "zfs";
|
|
pool = "zroot";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
zpool = {
|
|
zroot = {
|
|
type = "zpool";
|
|
rootFsOptions = {
|
|
compression = "zstd";
|
|
"com.sun:auto-snapshot" = "false";
|
|
"acltype" = "posixacl"; # NOTE: needed for systemd https://github.com/NixOS/nixpkgs/issues/16954
|
|
};
|
|
mountpoint = null;
|
|
|
|
datasets = {
|
|
encrypted = {
|
|
type = "zfs_fs";
|
|
options = {
|
|
mountpoint = "none";
|
|
encryption = "aes-256-gcm";
|
|
keyformat = "passphrase";
|
|
};
|
|
# use this to read the key during boot
|
|
postCreateHook = ''
|
|
zfs set keylocation="prompt" "zroot/$name";
|
|
'';
|
|
};
|
|
"encrypted/root" = {
|
|
type = "zfs_fs";
|
|
options.mountpoint = "legacy";
|
|
mountpoint = "/";
|
|
postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
|
|
};
|
|
"encrypted/nix" = {
|
|
type = "zfs_fs";
|
|
options.mountpoint = "legacy";
|
|
mountpoint = "/nix";
|
|
};
|
|
"encrypted/persist" = {
|
|
type = "zfs_fs";
|
|
options.mountpoint = "legacy";
|
|
mountpoint = "/persist";
|
|
options."com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
# rollback to blank
|
|
boot.initrd.systemd.services.rollback = {
|
|
description = "Rollback ZFS datasets to a pristine state";
|
|
wantedBy = [
|
|
"initrd.target"
|
|
];
|
|
after = [
|
|
"zfs-import-zroot.service"
|
|
];
|
|
before = [
|
|
"sysroot.mount"
|
|
];
|
|
path = with pkgs; [
|
|
zfs
|
|
];
|
|
unitConfig.DefaultDependencies = "no";
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
zfs rollback -r zroot/encrypted/root@blank && echo "rollback complete"
|
|
'';
|
|
};
|
|
boot.initrd.systemd.enable = true;
|
|
fileSystems."/persist".neededForBoot = true;
|
|
# HACK: to fix issue of agenix running before impermanence
|
|
age.identityPaths = [
|
|
"/etc/ssh/ssh_host_ed25519_key"
|
|
"/etc/ssh/ssh_host_rsa_key"
|
|
"/persist/etc/ssh/ssh_host_ed25519_key"
|
|
"/persist/etc/ssh/ssh_host_rsa_key"
|
|
];
|
|
services.zfs = {
|
|
autoScrub.enable = true;
|
|
trim.enable = true;
|
|
autoSnapshot.enable = true;
|
|
};
|
|
}
|