From 4f29103fdbdab30cfb1da75d884796b23b01fa11 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Thu, 28 Sep 2023 17:12:34 +0200
Subject: [PATCH 1/8] [#9] first impermanence config support
---
 flake.lock | 16 +++++++++++++
 flake.nix | 3 +++
 nixos/flake-module.nix | 1 +
 nixos/modules/impermanence.nix | 42 ++++++++++++++++++++++++++++++++++
 nixos/roles/default.nix | 3 +++
 5 files changed, 65 insertions(+)
 create mode 100644 nixos/modules/impermanence.nix
diff --git a/flake.lock b/flake.lock
index 2ad8261..2a7be87 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,6 +33,21 @@
 "type": "indirect"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1694622745,
+ "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "nixos-mailserver": {
 "inputs": {
 "blobs": "blobs",
@@ -139,6 +154,7 @@
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
+ "impermanence": "impermanence",
 "nixos-mailserver": "nixos-mailserver",
 "nixpkgs": "nixpkgs",
 "sops-nix": "sops-nix"
diff --git a/flake.nix b/flake.nix
index 727dd91..0c61327 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,9 @@
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ };
 };
 outputs = inputs@{ flake-parts, ... }:
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
index d82fbd4..a995aff 100644
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
@@ -21,6 +21,7 @@
 imports = [
 (import (./. + "/machines/${name}/configuration.nix") inputs)
 inputs.sops-nix.nixosModules.sops
+ inputs.impermanence.nixosModules.impermanence
 ];
 };
 in lib.genAttrs machines makeSystem);
diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix
new file mode 100644
index 0000000..0f955fd
--- /dev/null
+++ b/nixos/modules/impermanence.nix
@@ -0,0 +1,42 @@
+{lib, config, ...} :
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+ cfg = config.impermanence;
+in
+
+{
+imports = [ ];
+
+options.impermanence = {
+ enable = mkEnableOption "impermanence";
+ storagePath = mkOption {
+ type = types.path;
+ default = "/persist/persist";
+ description = "The path where persistent data is stored";
+ };
+ name = mkOption {
+ type = types.str;
+ default = "persist";
+ description = "the name of the persistent data store";
+ };
+};
+
+config = mkIf cfg.enable {
+ environment.persistence.${cfg.name} = {
+ persistentStoragePath = cfg.storagePath;
+ directories = [
+ "/var/log"
+ "/etc/ssh"
+ "/var/lib/nixos"
+ ];
+ };
+ environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
+};
+
+}
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index de4eb17..d540660 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./admins.nix
 ./nix_keys.nix
+ ../modules/impermanence.nix
 ];
 nix = {
 extraOptions = ''
@@ -25,6 +26,8 @@ users = {
 mutableUsers = false;
 };
+impermanence.enable = true;
+
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 environment = {
From 08f06f3a92c7e4e5d9cf4bc9b70d3fbc00018dd8 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Thu, 28 Sep 2023 17:47:00 +0200
Subject: [PATCH 2/8] changed nyarlathotep disk layout for impermanence
---
 .../nyarlathotep/hardware-configuration.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix
index d75ae28..83a6dcc 100644
--- a/nixos/machines/nyarlathotep/hardware-configuration.nix
+++ b/nixos/machines/nyarlathotep/hardware-configuration.nix
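Review bot: `environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"` points `/etc/machine-id` at a file that nothing in this module creates, so on a first boot from an empty persistent store the target is missing, and because `/var/log` is persisted in the same block that matters: journald keeps logs under `/var/log/journal/<machine-id>/`, so an identity that changes between boots orphans the persisted journals. Either document the precondition on that line, `# seed this file in storagePath before first boot; journald keys persisted logs on it`, or manage it through the persistence `files` list like the other paths (check with the pinned impermanence rev how a missing source is handled). The `/etc/ssh` directory entry also backs the `sops.age.sshKeyPaths` setting in the roles file and deserves a comment naming that dependency.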
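Review bot: `impermanence.enable = true;` goes into the shared role rather than nyarlathotep's own configuration, so every host importing `nixos/roles/default.nix` gets an `environment.persistence` entry rooted at the module default `/persist/persist`, while only nyarlathotep's disk layout is reworked in this series. If other machines use this role (their configurations are not visible here) the flag belongs in the per-machine configuration, or the role should only import the module and leave enabling to the machine. The `sops.age.sshKeyPaths` line just below now depends on that module persisting `/etc/ssh` across the ephemeral root, which is worth a comment: `# the ed25519 host key survives reboots only via modules/impermanence.nix`.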
@@ -2,8 +2,23 @@
 imports = [ ];
 fileSystems."/" = {
+ device = "nya-root";
+ fsType = "tmpfs";
+ };
+ fileSystems."/persist" = {
 device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
 fsType = "ext4";
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/persist/boot";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ fileSystems."/nix" = {
+ device = "/persist/nix";
+ fsType = "none";
+ options = [ "bind" ];
 };
 fileSystems."/var/vmail" = {
 device = "/dev/disk/by-uuid/23c44c93-5035-4e29-9e46-75c1c08f4cea";
From 889d0a8736e59e1f00f8a85c00376fca18aa5690 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Thu, 28 Sep 2023 23:34:34 +0200
Subject: [PATCH 3/8] changed impermanence config for subvolumes
---
 nixos/modules/impermanence.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix
index 0f955fd..9fe8998 100644
--- a/nixos/modules/impermanence.nix
+++ b/nixos/modules/impermanence.nix
@@ -17,7 +17,7 @@ options.impermanence = {
 enable = mkEnableOption "impermanence";
 storagePath = mkOption {
 type = types.path;
- default = "/persist/persist";
+ default = "/persist";
 description = "The path where persistent data is stored";
 };
 name = mkOption {
From 2ffe242e8f0ba8cbe48fd7c5c99ea29eabc999a2 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Fri, 29 Sep 2023 00:03:06 +0200
Subject: [PATCH 4/8] changed nyarlathotep disk config for impermanence
---
 .../nyarlathotep/hardware-configuration.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix
index 83a6dcc..9f0307e 100644
--- a/nixos/machines/nyarlathotep/hardware-configuration.nix
+++ b/nixos/machines/nyarlathotep/hardware-configuration.nix
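Review bot: `fileSystems."/"` is mounted as `tmpfs` with no `mode=` option; tmpfs defaults to mode 1777 when none is given, so the root directory itself becomes world-writable (sticky bit aside) and any local user can create entries directly under `/`. The mount needs `options = [ "mode=755" ];`, and a `size=` bound as well since an unbounded tmpfs root is capped only by RAM; PATCH 6/8 adds both, so this affects the intermediate revisions rather than the end state of the series. The `fileSystems."/boot"` and `"/nix"` bind mounts rely on `/persist` being up in stage 1, which the added `neededForBoot = true;` covers; a comment saying so, `# bind-mount sources for /boot, /nix and impermanence live here`, would have kept it from being dropped in PATCH 4/8.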
@@ -7,18 +7,18 @@
 };
 fileSystems."/persist" = {
 device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
- fsType = "ext4";
- neededForBoot = true;
+ fsType = "btrfs";
+ options = [ "subvol=persist" ];
 };
 fileSystems."/boot" = {
- device = "/persist/boot";
- fsType = "none";
- options = [ "bind" ];
+ device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
+ fsType = "btrfs";
+ options = [ "subvol=boot" ];
 };
 fileSystems."/nix" = {
- device = "/persist/nix";
- fsType = "none";
- options = [ "bind" ];
+ device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
 };
 fileSystems."/var/vmail" = {
 device = "/dev/disk/by-uuid/23c44c93-5035-4e29-9e46-75c1c08f4cea";
From 6e4469fa8ff901668145e6111a5046f2e115000d Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Fri, 29 Sep 2023 01:13:30 +0200
Subject: [PATCH 5/8] disable root login
---
 nixos/roles/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index d540660..874016a 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -24,6 +24,7 @@ networking = {
 users = {
 mutableUsers = false;
+ users.root.hashedPassword = "!";
 };
 impermanence.enable = true;
From 377ff0141eeace6b9987f9226947200edf974f77 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Fri, 29 Sep 2023 01:47:01 +0200
Subject: [PATCH 6/8] changed to seperate boot partition
---
 nixos/machines/nyarlathotep/hardware-configuration.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix
index 9f0307e..f9bd476 100644
--- a/nixos/machines/nyarlathotep/hardware-configuration.nix
+++ b/nixos/machines/nyarlathotep/hardware-configuration.nix
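Review bot: Removing `neededForBoot = true;` from `fileSystems."/persist"` leaves the filesystem that sources the impermanence bind mounts without the stage-1 guarantee it had after PATCH 2/8; PATCH 6/8 restores it, so only the intermediate revision is affected, but the flag should have travelled with the subvolume change. The device string `/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0` is now repeated for `/persist`, `/boot` and `/nix`; binding it once above the attribute set (`let persistDisk = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0"; in`) keeps the three subvolumes from drifting onto different devices when the disk is ever replaced. The enclosing attribute set begins before this hunk.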
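Review bot: `users.root.hashedPassword = "!";` locks root's password, but the commit is titled "disable root login" and a locked password has no effect on key-based SSH logins as root; those are governed by `services.openssh.settings.PermitRootLogin`, which this hunk leaves at whatever the rest of the configuration sets. If no root login at all is intended, add `services.openssh.settings.PermitRootLogin = "no";` next to it; if only password login is meant, the title overstates the change. A one-line comment, `# locks the password only; SSH root access is controlled by PermitRootLogin`, would keep the two from being confused later.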
@@ -4,16 +4,17 @@
 fileSystems."/" = {
 device = "nya-root";
 fsType = "tmpfs";
+ options = [ "size=1G" "mode=755" ];
 };
 fileSystems."/persist" = {
 device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
 fsType = "btrfs";
 options = [ "subvol=persist" ];
+ neededForBoot = true;
 };
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
- fsType = "btrfs";
- options = [ "subvol=boot" ];
+ device = "/dev/disk/by-uuid/75b01f48-e159-4d72-b049-54b7af072076";
+ fsType = "ext4";
 };
 fileSystems."/nix" = {
 device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
From 3b01487d1df675eb3fc14144adcd46e7caa2e20f Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Fri, 29 Sep 2023 13:11:20 +0200
Subject: [PATCH 7/8] set up hostname for nyarlathotep
---
 nixos/machines/nyarlathotep/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/machines/nyarlathotep/configuration.nix b/nixos/machines/nyarlathotep/configuration.nix
index 05616fa..38f5dc3 100644
--- a/nixos/machines/nyarlathotep/configuration.nix
+++ b/nixos/machines/nyarlathotep/configuration.nix
@@ -11,5 +11,6 @@ imports = [
 # System configuration here
+ networking.hostName = "nyarlathotep";
 system.stateVersion = "23.11";
 }
From f6091a935a97ff28228d076c3cd8bbb4a3d0bf2a Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Sat, 30 Sep 2023 15:07:12 +0200
Subject: [PATCH 8/8] fixed ssh paths for impermanence
---
 nixos/modules/impermanence.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix
index 9fe8998..267c9d1 100644
--- a/nixos/modules/impermanence.nix
+++ b/nixos/modules/impermanence.nix
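Review bot: The added `options = [ "size=1G" "mode=755" ];` and `neededForBoot = true;` are the two lines the tmpfs-root setup cannot work safely without, and neither says why, which is how `neededForBoot` already got dropped once in PATCH 4/8. Suggested comments: `# tmpfs defaults to mode 1777; / must not be world-writable` on the options line and `# sources of the impermanence bind mounts; must be mounted in stage 1` on `neededForBoot`. Moving `/boot` to a separate `ext4` partition implies a BIOS/GRUB boot path or an ESP mounted elsewhere; if nyarlathotep boots via UEFI the firmware still needs a `vfat` ESP, so the boot mode is worth stating in a comment on the `fileSystems."/boot"` entry.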
@@ -32,9 +32,14 @@ config = mkIf cfg.enable {
 persistentStoragePath = cfg.storagePath;
 directories = [
 "/var/log"
- "/etc/ssh"
 "/var/lib/nixos"
 ];
+ files = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
 };
 environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
 };
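Review bot: The four `files` entries bind-mount the host keys, and a bind mount carries the mode and owner of the source file under `${cfg.storagePath}/etc/ssh`, which nothing in this module constrains; the two private keys need to be `0600 root:root` in the persistent store, since a wider mode exposes the host identity to local users and sshd may reject the key. On a first boot where the store holds no keys yet, the OpenSSH pre-start may find a bind-mounted placeholder instead of a missing file, so host-key generation should be verified against the pinned impermanence rev; the removed `directories = [ "/etc/ssh" ]` form sidesteps that question. A comment on the list, `# private keys must be 0600 in storagePath; sops.age.sshKeyPaths reads the ed25519 key`, records both dependencies. The enclosing `config = mkIf cfg.enable { … }` begins before this hunk.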