diff --git a/.sops.yaml b/.sops.yaml
index cb62838..a235dc6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 keys:
 - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+ - &lilim age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
 - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
 - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
 - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix
index db49a1a..47ddcfe 100644
--- a/machines/Lilim/configuration.nix
+++ b/machines/Lilim/configuration.nix
@@ -7,7 +7,7 @@
 services.cron.enable = false;
 networking.dhcpcd.extraConfig = "noarp";
- system.stateVersion = "19.09";
+ system.stateVersion = "25.05";
 # low latency audio stuff
 security.pam.loginLimits = [
diff --git a/machines/Lilim/hardware-configuration.nix b/machines/Lilim/hardware-configuration.nix
index f52b648..09e5b28 100644
--- a/machines/Lilim/hardware-configuration.nix
+++ b/machines/Lilim/hardware-configuration.nix
@@ -19,17 +19,19 @@ in
 };
 loader.efi.canTouchEfiVariables = true;
 tmp = {
- useTmpfs = true;
 cleanOnBoot = true;
 };
-
+ supportedFilesystems = [ "btrfs" ];
 kernelPackages = pkgs.linuxPackages_latest;
- initrd.availableKernelModules = [
- "xhci_pci"
- "ahci"
- "sd_mod"
- "rtsx_pci_sdmmc"
- ];
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ ];
+ luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/10435741-b864-453d-ab18-4dc710db1378";
+ };
 kernelModules = [
 "acpi_call"
 "i915"
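Review bot: Rotating the `&lilim` recipient in `keys:` only takes effect for the sops files that are re-encrypted in the same change, and on this page only `machines/Lilim/secrets.yaml` is updated; any other file whose creation rule references `*lilim` still carries the old recipient and needs `sops updatekeys` as well. The `creation_rules` part of `.sops.yaml` is outside the hunk, so whether other files are affected cannot be checked here. Until every such file is re-keyed, the retired key can still decrypt them, so the rotation is only complete once that is done.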
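Review bot: Moving `system.stateVersion` from `"19.09"` to `"25.05"` changes the defaults NixOS selects for stateful services, and `mariaDB` is among the services enabled in `options.nix` in this same change; if the database files are carried over into `/persist` rather than recreated, the package version the new stateVersion may select could require an on-disk upgrade first. If this is a fresh install with empty state, the bump is correct and nothing further is needed. A comment on the line such as `# bumped on reinstall with impermanence; service state recreated, not migrated` would record which case applies.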
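Review bot: The new `luks.devices."btrfs-crypt"` entry is not documented with the protection it is meant to give, and the second hunk of this file keeps `/boot` as plain vfat, so the kernel and initrd that unlock the volume sit outside the encryption; nothing on the page shows secure or measured boot, so the setup protects data at rest but not the integrity of the boot chain. Whether that matches the intended threat model for this machine cannot be judged from here. A comment above the line, e.g. `# at-rest protection only: /boot (kernel, initrd) is unencrypted and the boot chain is not attested`, would make the assumption explicit for the next reader. The surrounding `boot` attribute set starts before this hunk and continues after it.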
@@ -52,14 +54,67 @@ in
 };
 };
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/b37b48a8-5dcb-4f4d-ad71-1b26500b3e5f";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/546A-A3D1";
- fsType = "vfat";
+ fileSystems = {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=6G"
+ "mode=755"
+ "noexec"
+ ];
+ };
+ "/tmp" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=tmp"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/persist" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=persist"
+ "noatime"
+ "compress=zstd"
+ "noexec"
+ ];
+ neededForBoot = true;
+ };
+ "/nix" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/snapshots" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=snapshots"
+ "noatime"
+ "compress=zstd"
+ "noexec"
+ ];
+ neededForBoot = false;
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/546A-A3D1";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
 };
 hardware = {
diff --git a/machines/Lilim/options.nix b/machines/Lilim/options.nix
index 4b90552..a0e4359 100644
--- a/machines/Lilim/options.nix
+++ b/machines/Lilim/options.nix
@@ -1,13 +1,7 @@
 {
- pkgs,
- lib,
 ...
 }:
-with lib;
 {
- imports = [
- ../../options/copySysConf.nix
- ];
 config.machine = {
 allowUnfree = true;
 hostName = "Lilim";
@@ -25,6 +19,7 @@ with lib;
 "etcfiles"
 "etcvars"
 "fonts"
+ "networkmanager"
 "zsh"
 ];
 pkgs = [
@@ -69,9 +64,12 @@ with lib;
 "xpkgs"
 ];
 services = [
+ "btrbk"
+ "btrfs"
 "cups"
 "desktop"
 "desktop::sway"
+ "impermanence"
 "mariaDB"
 "mullvad"
 "pipewire"
@@ -98,9 +96,4 @@ with lib;
 ];
 };
 };
-
- config.system.copySysConf = {
- enable = false;
- addToNixPath = false;
- };
 }
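Review bot: `/tmp` is the one user-writable mount in the new `fileSystems` set that gets no restricting option, while `/`, `/persist` and `/snapshots` are mounted `noexec`; adding `"nosuid"` and `"nodev"` to its options line, e.g. `options = [ "subvol=tmp" "noatime" "compress=zstd" "nosuid" "nodev" ];`, closes that gap without affecting programs that need to run code from /tmp. `noexec` on /tmp is deliberately not suggested here, because the Nix build directory commonly lives under /tmp and builds execute from it — worth confirming before adding it. The `/boot` entry keeps the ESP world-readable with `fmask=0022`/`dmask=0022`; `0077` is the stricter choice if the boot loader stores a random seed or similar material there that has no reason to be world-readable. The enclosing attribute set of this file continues after the hunk.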
diff --git a/machines/Lilim/secrets.yaml b/machines/Lilim/secrets.yaml
index 9d79a99..a49c626 100644
--- a/machines/Lilim/secrets.yaml
+++ b/machines/Lilim/secrets.yaml
@@ -8,28 +8,28 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
- - recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+ - recipient: age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV
- ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM
- VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ
- MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf
- S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuN1FiZHlEVS9KKzVCOXdo
+ UnBUb0pSTktPS096VituQVhISlNRMXBFUjJrCm8rNlRINHNTOWZIQWo0U1YxdUdo
+ QVQ1QXcvbjVjQkVra2FBSmpOR1VSa0UKLS0tIGZJOG9Jbk41QURjUmZzU0k3c3Bs
+ c3ltVmlqME9QNXdUangyUkF0QlRxdVkKxkDSD7e6WLtsP+aQWNElxAgTMcgP+fe+
+ za8X8rsmnZOzfueWH1/1fiVatpeciDcSmr+oEmbUGgw2stuvRJXx6g==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2023-04-16T08:54:15Z"
 mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
 pgp:
- - created_at: "2023-04-16T11:36:28Z"
- enc: |
+ - created_at: "2024-12-31T17:38:24Z"
+ enc: |-
 -----BEGIN PGP MESSAGE-----
- hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w
- SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo
- 1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL
- Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx
- Id/w9ez1/+cpfA==
- =seBV
+ hF4DVbZwA9DOvl8SAQdA3E04yctnHp/3E19h+xl/VrvjG3Je+zFrSStPnqYr4mow
+ AVOTRDNIXyO0P72Pl4hWj/SYDiHRKpZRAKpCEJqktAE8hz4ces68xn7a+H5O1Aks
+ 1GgBCQIQqkUHP+A/lzfrWnkCqE8ZvWm3fl7eCWlnL+DaBVUNsYwByq3hrgInGmgX
+ CWMQ7toncWwmMdx+fMeFO0vOKnvTLByQ4gJOIORRSgLIEiIsFa+tliyaOGdpveJk
+ BzHiguoqH6sUcQ==
+ =GPOK
 -----END PGP MESSAGE-----
 fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
 unencrypted_suffix: _unencrypted
diff --git a/machines/Lilim/sops.nix b/machines/Lilim/sops.nix
index b6183b9..c0beee2 100644
--- a/machines/Lilim/sops.nix
+++ b/machines/Lilim/sops.nix
@@ -1,13 +1,10 @@
-{
- config,
- lib,
- ...
-}:
+_:
+
 {
 sops = {
 defaultSopsFile = ./secrets.yaml;
 age = {
- keyFile = "/var/lib/sops-nix/key.txt";
+ keyFile = "/persist/var/lib/sops-nix/key.txt";
 generateKey = true;
 };
 };
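Review bot: `generateKey = true` next to the new `keyFile = "/persist/var/lib/sops-nix/key.txt"` means that on a host where `/persist` does not yet hold the key (first boot after the reinstall, or a restore that misses that path) sops-nix will create a fresh key whose public half is not the `&lilim` recipient added to `.sops.yaml` in this change, and every secret in `secrets.yaml` will then fail to decrypt until the new public key is added and the files are re-keyed. That is presumably the intended bootstrap here, since the recipient was rotated in the same commit; once the key at that path is provisioned, `generateKey = false;` turns a missing or unmounted key into an explicit error instead of a silently mismatched one. `/persist` is marked `neededForBoot = true` in hardware-configuration.nix, so the path should be mounted by the time sops-nix runs. The attribute set this hunk opens is closed outside the hunk.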