From 56d194f4542e746cf4313bdfbda9fbb624befea5 Mon Sep 17 00:00:00 2001
From: tux
Date: Wed, 13 Nov 2024 22:31:10 +0530
Subject: [PATCH] feat(arcturus): add impermanence
---
 hosts/arcturus/default.nix | 113 +++++++++++++++-------
 hosts/arcturus/disko.nix | 53 ++++++++++
 hosts/arcturus/hardware-configuration.nix | 40 --------
 hosts/arcturus/home.nix | 17 +++-
 4 files changed, 146 insertions(+), 77 deletions(-)
 create mode 100644 hosts/arcturus/disko.nix
 delete mode 100644 hosts/arcturus/hardware-configuration.nix
diff --git a/hosts/arcturus/default.nix b/hosts/arcturus/default.nix
index 33ec7a1..d18b7dc 100644
--- a/hosts/arcturus/default.nix
+++ b/hosts/arcturus/default.nix
@@ -1,12 +1,18 @@
 {
- pkgs,
+ modulesPath,
+ inputs,
 username,
- config,
+ lib,
 email,
+ config,
 ...
 }: {
 imports = [
- ./hardware-configuration.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ inputs.disko.nixosModules.default
+ (import ./disko.nix {device = "/dev/sda";})
+ ../common
 ../../modules/nixos/postgresql.nix
 ../../modules/nixos/headscale.nix
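Review bot: `(import ./disko.nix {device = "/dev/sda";})` hands disko a kernel-enumerated device name, and disko partitions and formats whatever sits at that path at install time, so a change in enumeration order would wipe a different disk than intended. On this qemu guest it is presumably the only disk, but a stable name such as `device = "/dev/disk/by-id/<disk-id>";` (placeholder) is the safer default and costs nothing here. The enclosing `imports` list continues past the end of the hunk.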
@@ -57,17 +63,57 @@
 };
 };
+ nixpkgs = {
+ hostPlatform = "x86_64-linux";
+ };
+
 boot = {
 kernel.sysctl = {
 "vm.swappiness" = 10;
 };
- kernelPackages = pkgs.linuxPackages_zen;
- initrd.systemd.enable = true;
+ initrd.systemd = {
+ enable = lib.mkForce true;
+
+ services.wipe-my-fs = {
+ wantedBy = ["initrd.target"];
+ after = ["initrd-root-device.target"];
+ before = ["sysroot.mount"];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-partlabel/disk-primary-root /btrfs_tmp
+
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+ };
+ };
 loader = {
- grub.device = "/dev/sda";
- timeout = 1;
+ grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
 };
 };
@@ -88,6 +134,7 @@
 defaults.email = "${email}";
 certs = {
 "tux.rs" = {
+ group = "nginx";
 domain = "*.tux.rs";
 extraDomainNames = ["tux.rs"];
 dnsProvider = "cloudflare";
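Review bot: The wipe-my-fs script carries on after `mount /dev/disk/by-partlabel/disk-primary-root /btrfs_tmp` whether or not the mount succeeded, and a failed oneshot does not hold back `sysroot.mount` because the unit is only ordered `before` it, so a mount failure means the previous root subvolume is booted unwiped with nothing in the boot path flagging it. Unless the NixOS initrd script wrapper already applies it, add `set -euo pipefail` as the script's first line so the unit at least fails and logs at the first error instead of running `btrfs subvolume create /btrfs_tmp/root` against the initrd tmpfs. The `for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30)` line also deserves a comment such as `# previous roots are kept under old_roots for 30 days, so anything written outside /persist stays on disk for that window`, since readers of an "ephemeral root" setup may assume the old contents are gone at the next boot.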
@@ -111,36 +158,32 @@
 recommendedProxySettings = true;
 recommendedZstdSettings = true;
 };
-
- borgbackup.jobs.arcturus-backup = {
- paths = [
- "/var/lib/bitwarden_rs"
- "/var/lib/gitea"
- "/var/lib/headscale"
- "/var/lib/grafana"
- "/var/lib/loki"
- "/var/lib/private/ntfy-sh"
- ];
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets.borg_encryption_key.path}";
- };
- environment.BORG_RSH = "ssh -i /home/${username}/.ssh/storagebox";
- repo = "ssh://u416910@u416910.your-storagebox.de:23/./arcturus-backups";
- compression = "auto,zstd";
- startAt = "daily";
- };
 };
- programs = {
- zsh.enable = true;
- dconf.enable = true;
- };
-
- fonts.packages = with pkgs; [(nerdfonts.override {fonts = ["FiraCode" "JetBrainsMono"];})];
-
+ programs.fuse.userAllowOther = true;
+ fileSystems."/persist".neededForBoot = true;
 environment.persistence."/persist" = {
- enable = false;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/acme"
+ "/var/lib/postgresql"
+ "/var/lib/headscale"
+ "/var/lib/vaultwarden"
+ "/var/lib/gitea"
+ "/var/lib/clickhouse"
+ "/var/lib/grafana"
+ "/var/lib/promtail"
+ "/var/lib/private"
+ "/var/lib/nextcloud"
+ ];
+ files = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
 };
 home-manager.users.${username} = {
@@ -149,5 +192,5 @@
 ];
 };
- system.stateVersion = "23.11";
+ system.stateVersion = "24.11";
 }
diff --git a/hosts/arcturus/disko.nix b/hosts/arcturus/disko.nix
new file mode 100644
index 0000000..4a0c700
--- /dev/null
+++ b/hosts/arcturus/disko.nix
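Review bot: `"/var/lib/private"` in the new `directories` list is persisted with impermanence's default directory mode, which (as far as I can tell from the module) is 0755 root-owned on first creation; systemd creates that directory 0700 on purpose, because it is the barrier that keeps DynamicUser state directories beneath it unreachable from other local users, and the per-service directories below it are normally 0755 owned by their dynamic user. Replace the entry with `{ directory = "/var/lib/private"; mode = "0700"; }` so the bind-mounted persist copy keeps that protection. Separately, the hunk drops the borgbackup job that covered several of these same state directories without a replacement and the commit message does not mention it; if backups now live elsewhere a one-line comment saying so would help, since with the root subvolume wiped every boot the persist directories are now the only copy.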
@@ -0,0 +1,53 @@
+{device ? throw "Set this to the disk device, e.g. /dev/nvme0n1", ...}: {
+ disko.devices.disk.primary = {
+ inherit device;
+ type = "disk";
+ content = {
+ type = "gpt"; # GPT partitioning scheme
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ # EFI Partition
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = ["defaults" "umask=0077"];
+ };
+ };
+ # Btrfs Root Partition
+ root = {
+ size = "100%"; # Use remaining space
+ type = "8300"; # Linux filesystem type
+ content = {
+ type = "btrfs";
+ subvolumes = {
+ "/root" = {
+ mountOptions = ["compress=zstd"]; # Compression for better performance
+ mountpoint = "/"; # Root subvolume
+ };
+ "/persist" = {
+ mountOptions = ["compress=zstd"]; # Compression for persistent data
+ mountpoint = "/persist"; # Persistent subvolume
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "noacl"
+ ]; # Optimize for Nix store
+ mountpoint = "/nix"; # Nix subvolume
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/arcturus/hardware-configuration.nix b/hosts/arcturus/hardware-configuration.nix
deleted file mode 100644
index dd74a7b..0000000
--- a/hosts/arcturus/hardware-configuration.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = [];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/b5a9a9f6-be72-4520-b2ac-439d0479a34b";
- fsType = "ext4";
- };
-
- fileSystems."/efi" = {
- device = "systemd-1";
- fsType = "autofs";
- };
-
- swapDevices = [];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/arcturus/home.nix b/hosts/arcturus/home.nix
index 86ea8a7..e5a1e11 100644
--- a/hosts/arcturus/home.nix
+++ b/hosts/arcturus/home.nix
@@ -1,3 +1,16 @@
-{...}: {
- home.stateVersion = "23.11";
+{username, ...}: {
+ home.persistence."/persist/home/${username}" = {
+ directories = [
+ "Projects"
+ "Stuff"
+ ".ssh"
+ ];
+ files = [
+ ".zsh_history"
+ ".zcompdump"
+ ];
+ allowOther = true;
+ };
+
+ home.stateVersion = "24.11";
 }