Lilim: fresh stateless installation

Kevin Baensch 2025-01-01 20:57:47 +01:00
parent ebd66cbfb4
commit 7b44675c02
Signed by: derped
GPG key ID: C0F1D326C7626543
6 changed files with 94 additions and 49 deletions


@ -1,6 +1,6 @@
keys: keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2 - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4 - &lilim age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
- &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7 - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
- &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
- &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y


@ -7,7 +7,7 @@
services.cron.enable = false; services.cron.enable = false;
networking.dhcpcd.extraConfig = "noarp"; networking.dhcpcd.extraConfig = "noarp";
system.stateVersion = "19.09"; system.stateVersion = "25.05";
# low latency audio stuff # low latency audio stuff
security.pam.loginLimits = [ security.pam.loginLimits = [


@ -19,17 +19,19 @@ in
}; };
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
tmp = { tmp = {
useTmpfs = true;
cleanOnBoot = true; cleanOnBoot = true;
}; };
supportedFilesystems = [ "btrfs" ];
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
initrd.availableKernelModules = [ initrd = {
"xhci_pci" availableKernelModules = [
"ahci" "xhci_pci"
"sd_mod" "ahci"
"rtsx_pci_sdmmc" "sd_mod"
]; "rtsx_pci_sdmmc"
];
luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/10435741-b864-453d-ab18-4dc710db1378";
};
kernelModules = [ kernelModules = [
"acpi_call" "acpi_call"
"i915" "i915"
@ -52,14 +54,67 @@ in
}; };
}; };
fileSystems."/" = { fileSystems = {
device = "/dev/disk/by-uuid/b37b48a8-5dcb-4f4d-ad71-1b26500b3e5f"; "/" = {
fsType = "ext4"; device = "none";
}; fsType = "tmpfs";
options = [
fileSystems."/boot" = { "defaults"
device = "/dev/disk/by-uuid/546A-A3D1"; "size=6G"
fsType = "vfat"; "mode=755"
"noexec"
];
};
"/tmp" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=tmp"
"noatime"
"compress=zstd"
];
neededForBoot = true;
};
"/persist" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=persist"
"noatime"
"compress=zstd"
"noexec"
];
neededForBoot = true;
};
"/nix" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=nix"
"noatime"
"compress=zstd"
];
neededForBoot = true;
};
"/snapshots" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=snapshots"
"noatime"
"compress=zstd"
"noexec"
];
neededForBoot = false;
};
"/boot" = {
device = "/dev/disk/by-uuid/546A-A3D1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
}; };
hardware = { hardware = {
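Review bot: The new `/boot` entry mounts the unencrypted ESP with `"fmask=0022"` and `"dmask=0022"`, so every file on it is readable by any local user; that matters if the boot loader stores a random seed or other boot-time secrets there (the loader type is not visible in this section). Unless something depends on world-readable access, `"fmask=0077"` and `"dmask=0077"` would be the tighter choice. Separately, `/tmp` is world-writable and is the one new mount with no restrictive options; adding `"nosuid"` and `"nodev"` would match the `noexec` hardening already applied to `/`, `/persist` and `/snapshots`.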


@ -1,13 +1,7 @@
{ {
pkgs,
lib,
... ...
}: }:
with lib;
{ {
imports = [
../../options/copySysConf.nix
];
config.machine = { config.machine = {
allowUnfree = true; allowUnfree = true;
hostName = "Lilim"; hostName = "Lilim";
@ -25,6 +19,7 @@ with lib;
"etcfiles" "etcfiles"
"etcvars" "etcvars"
"fonts" "fonts"
"networkmanager"
"zsh" "zsh"
]; ];
pkgs = [ pkgs = [
@ -69,9 +64,12 @@ with lib;
"xpkgs" "xpkgs"
]; ];
services = [ services = [
"btrbk"
"btrfs"
"cups" "cups"
"desktop" "desktop"
"desktop::sway" "desktop::sway"
"impermanence"
"mariaDB" "mariaDB"
"mullvad" "mullvad"
"pipewire" "pipewire"
@ -98,9 +96,4 @@ with lib;
]; ];
}; };
}; };
config.system.copySysConf = {
enable = false;
addToNixPath = false;
};
} }


@ -8,28 +8,28 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4 - recipient: age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuN1FiZHlEVS9KKzVCOXdo
ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM UnBUb0pSTktPS096VituQVhISlNRMXBFUjJrCm8rNlRINHNTOWZIQWo0U1YxdUdo
VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ QVQ1QXcvbjVjQkVra2FBSmpOR1VSa0UKLS0tIGZJOG9Jbk41QURjUmZzU0k3c3Bs
MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf c3ltVmlqME9QNXdUangyUkF0QlRxdVkKxkDSD7e6WLtsP+aQWNElxAgTMcgP+fe+
S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA== za8X8rsmnZOzfueWH1/1fiVatpeciDcSmr+oEmbUGgw2stuvRJXx6g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-16T08:54:15Z" lastmodified: "2023-04-16T08:54:15Z"
mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str] mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
pgp: pgp:
- created_at: "2023-04-16T11:36:28Z" - created_at: "2024-12-31T17:38:24Z"
enc: | enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w hF4DVbZwA9DOvl8SAQdA3E04yctnHp/3E19h+xl/VrvjG3Je+zFrSStPnqYr4mow
SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo AVOTRDNIXyO0P72Pl4hWj/SYDiHRKpZRAKpCEJqktAE8hz4ces68xn7a+H5O1Aks
1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL 1GgBCQIQqkUHP+A/lzfrWnkCqE8ZvWm3fl7eCWlnL+DaBVUNsYwByq3hrgInGmgX
Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx CWMQ7toncWwmMdx+fMeFO0vOKnvTLByQ4gJOIORRSgLIEiIsFa+tliyaOGdpveJk
Id/w9ez1/+cpfA== BzHiguoqH6sUcQ==
=seBV =GPOK
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2 fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
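Review bot: Only the recipient stanzas change in this file: the `age` recipient and the two `enc` blobs are new, while `lastmodified` and `mac` are identical on both sides, which suggests the existing data key was re-wrapped for the new key rather than rotated. Anyone holding the previous Lilim age key can therefore still decrypt the earlier revisions in history, and those revisions contain the same secret values that are in use now. If the old installation's key is being retired with this reinstall, rotating the data key and the secrets it protects would close that gap. The same consideration applies to any other file still encrypted to the old `&lilim` recipient replaced in the first file section.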


@ -1,13 +1,10 @@
{ _:
config,
lib,
...
}:
{ {
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
age = { age = {
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
}; };
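Review bot: With `keyFile` now under `/persist` and `generateKey = true;` left on, a missing key file is silently replaced by a freshly generated key that does not match the `&lilim` recipient the secrets are encrypted to. This would happen if the `persist` subvolume is recreated or is not mounted when the key is looked up, and decryption then fails with no hint that the identity changed. Once the key matching the new recipient is provisioned, `generateKey = false;` makes that case fail loudly instead. A short comment that the path relies on `/persist` being `neededForBoot` (set in the filesystem section of this commit) would also help. The file's closing brace is not visible in this section.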