Lilim: fresh stateless installation

Kevin Baensch 2025-01-01 20:57:47 +01:00
parent ebd66cbfb4
commit 7b44675c02
Signed by: derped
GPG key ID: C0F1D326C7626543
6 changed files with 94 additions and 49 deletions


@ -1,6 +1,6 @@
keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
- &lilim age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
- &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
- &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
- &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y


@ -7,7 +7,7 @@
services.cron.enable = false;
networking.dhcpcd.extraConfig = "noarp";
system.stateVersion = "19.09";
system.stateVersion = "25.05";
# low latency audio stuff
security.pam.loginLimits = [
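Review bot: `system.stateVersion` moves from "19.09" to "25.05" in a file whose neighbouring lines (cron, dhcpcd, PAM limits) do not look specific to one host. The commit title covers only the fresh Lilim install; if other hosts import this module (not visible here), their stateful services would switch to 25.05 defaults without any data migration. Setting the value in Lilim's own host file would make the scope explicit, as would a comment such as `# bump only together with a fresh install of every host importing this file`. The `security.pam.loginLimits` list continues outside the hunk.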


@ -19,17 +19,19 @@ in
};
loader.efi.canTouchEfiVariables = true;
tmp = {
useTmpfs = true;
cleanOnBoot = true;
};
supportedFilesystems = [ "btrfs" ];
kernelPackages = pkgs.linuxPackages_latest;
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"sd_mod"
"rtsx_pci_sdmmc"
];
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"sd_mod"
"rtsx_pci_sdmmc"
];
luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/10435741-b864-453d-ab18-4dc710db1378";
};
kernelModules = [
"acpi_call"
"i915"
@ -52,14 +54,67 @@ in
};
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/b37b48a8-5dcb-4f4d-ad71-1b26500b3e5f";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/546A-A3D1";
fsType = "vfat";
fileSystems = {
"/" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=6G"
"mode=755"
"noexec"
];
};
"/tmp" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=tmp"
"noatime"
"compress=zstd"
];
neededForBoot = true;
};
"/persist" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=persist"
"noatime"
"compress=zstd"
"noexec"
];
neededForBoot = true;
};
"/nix" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=nix"
"noatime"
"compress=zstd"
];
neededForBoot = true;
};
"/snapshots" = {
device = "/dev/mapper/btrfs-crypt";
fsType = "btrfs";
options = [
"subvol=snapshots"
"noatime"
"compress=zstd"
"noexec"
];
neededForBoot = false;
};
"/boot" = {
device = "/dev/disk/by-uuid/546A-A3D1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
hardware = {
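Review bot: `/tmp` is world-writable, yet its new btrfs mount carries only `subvol=tmp`, `noatime` and `compress=zstd`, and none of the new mounts sets `nosuid` or `nodev` even though `/`, `/persist` and `/snapshots` already get `noexec`. Adding `"nosuid"` and `"nodev"` to the option lists of `/tmp`, `/persist` and `/snapshots` should not affect normal operation and keeps setuid binaries or device nodes placed there from being honoured. Separately, `/boot` is mounted with `"fmask=0022"` and `"dmask=0022"`, which leaves the ESP world-readable. `"fmask=0077"` and `"dmask=0077"` is the tighter choice, and if the loader is systemd-boot (not visible here) it also keeps the random-seed file private. The `hardware = {` block that follows is outside the hunk.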


@ -1,13 +1,7 @@
{
pkgs,
lib,
...
}:
with lib;
{
imports = [
../../options/copySysConf.nix
];
config.machine = {
allowUnfree = true;
hostName = "Lilim";
@ -25,6 +19,7 @@ with lib;
"etcfiles"
"etcvars"
"fonts"
"networkmanager"
"zsh"
];
pkgs = [
@ -69,9 +64,12 @@ with lib;
"xpkgs"
];
services = [
"btrbk"
"btrfs"
"cups"
"desktop"
"desktop::sway"
"impermanence"
"mariaDB"
"mullvad"
"pipewire"
@ -98,9 +96,4 @@ with lib;
];
};
};
config.system.copySysConf = {
enable = false;
addToNixPath = false;
};
}


@ -8,28 +8,28 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
- recipient: age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV
ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM
VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ
MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf
S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuN1FiZHlEVS9KKzVCOXdo
UnBUb0pSTktPS096VituQVhISlNRMXBFUjJrCm8rNlRINHNTOWZIQWo0U1YxdUdo
QVQ1QXcvbjVjQkVra2FBSmpOR1VSa0UKLS0tIGZJOG9Jbk41QURjUmZzU0k3c3Bs
c3ltVmlqME9QNXdUangyUkF0QlRxdVkKxkDSD7e6WLtsP+aQWNElxAgTMcgP+fe+
za8X8rsmnZOzfueWH1/1fiVatpeciDcSmr+oEmbUGgw2stuvRJXx6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-16T08:54:15Z"
mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
pgp:
- created_at: "2023-04-16T11:36:28Z"
enc: |
- created_at: "2024-12-31T17:38:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w
SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo
1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL
Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx
Id/w9ez1/+cpfA==
=seBV
hF4DVbZwA9DOvl8SAQdA3E04yctnHp/3E19h+xl/VrvjG3Je+zFrSStPnqYr4mow
AVOTRDNIXyO0P72Pl4hWj/SYDiHRKpZRAKpCEJqktAE8hz4ces68xn7a+H5O1Aks
1GgBCQIQqkUHP+A/lzfrWnkCqE8ZvWm3fl7eCWlnL+DaBVUNsYwByq3hrgInGmgX
CWMQ7toncWwmMdx+fMeFO0vOKnvTLByQ4gJOIORRSgLIEiIsFa+tliyaOGdpveJk
BzHiguoqH6sUcQ==
=GPOK
-----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted
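Review bot: Only the wrapped copies of the data key change in this file (the `age` and `pgp` `enc` blocks), while `lastmodified` and `mac` are printed once and so appear unchanged, which is what `sops updatekeys` produces. The data key is therefore presumably still the one that was wrapped for the previous Lilim recipient, and that wrapped copy stays in the repository history, so a holder of the old host key can still decrypt the current values. If the old installation's key file is not known to be destroyed, rotate the data key (`sops rotate`, or `sops -r` on older releases) and change the secret values themselves, rather than only swapping the recipient.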


@ -1,13 +1,10 @@
{
config,
lib,
...
}:
_:
{
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/var/lib/sops-nix/key.txt";
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
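Review bot: `generateKey = true` stays enabled while `keyFile` moves to `/persist/var/lib/sops-nix/key.txt`, so a boot where that file is missing (persist subvolume empty, or restored without it) would presumably create a fresh key instead of failing loudly. A freshly generated key will not match the Lilim recipient pinned in the repository's sops `keys:` list, so the symptom becomes decryption errors for every secret rather than a clear "key missing" signal. Once the host is provisioned, consider `generateKey = false;`. A comment above `keyFile` should also state that the path must sit on a mount with `neededForBoot = true`, so the key exists when secrets are activated.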