From 085e064e465e5ffe05b792c1dc58971840dca1c1 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 2 Aug 2023 18:04:26 +0200
Subject: [PATCH] switched the thinkpad to zfs again
---
 .sops.yaml | 2 +-
 hosts/thinkpad/default.nix | 45 ++++++++++----------
 hosts/thinkpad/hardware-configuration.nix | 38 ++++++++---------
 hosts/thinkpad/modules/backup/default.nix | 10 +++-
 hosts/thinkpad/modules/networks/default.nix | 1 +
 secrets/thinkpad.yaml | 42 +++++++++----------
 6 files changed, 67 insertions(+), 71 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index d2de99b..a9eb777 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,7 @@
 keys:
 - &yubi 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
 - &rouven age1l80slr486r82csm758q2a32j2e2qdxdyxgh46um6thsjv08la9sq7475p6
- - &thinkpad age1pwdahgk2yty9w8cw5ht90mral76h0ndp3vkp93xm4g0cttjlsvgqn8vlys
+ - &thinkpad age1ejusm7c5smk5r0lcu7yynudrqc6j63pcyk9m4uh23f8kqd84cfqs88hjl6
 - &nuc age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00
 - &falkenstein-1 age1de938w6hzpv4cuzss7v3pt0chv4d0t220ue5n9d93ffuak7u949sumnhz3
 creation_rules:
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index de4260e..c1d52a4 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
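Review bot: Rotating the `&thinkpad` recipient only takes effect for files that are re-encrypted in the same change, and the diffstat shows only `secrets/thinkpad.yaml` was; any other secrets file whose `creation_rules` entry (outside this hunk) references `*thinkpad` stays encrypted to the old `age1pwd…` key and is unreadable by the reinstalled host until `sops updatekeys` is run on it. The new recipient is presumably derived from the host's `/etc/ssh/ssh_host_ed25519_key`, since the explicit `sops.age.sshKeyPaths` override is dropped in `hosts/thinkpad/default.nix` in this same patch, so it is worth confirming that key is the one that now survives reboots with impermanence disabled. A trailing comment such as `# rotated with the 2023-08 zfs reinstall; previous key retired` on the `&thinkpad` line would record why the key changed.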
@@ -16,20 +16,21 @@
 # This setting is usually set to true in configuration.nix
 # generated at installation time. So we force it to false
 # for now.
- loader.systemd-boot.enable = lib.mkForce false;
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- configurationLimit = 10;
- };
+ # loader.systemd-boot.enable = lib.mkForce false;
+ loader.systemd-boot.enable = true;
+ # lanzaboote = {
+ # enable = true;
+ # pkiBundle = "/etc/secureboot";
+ # configurationLimit = 10;
+ # };
 extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
- loader.systemd-boot.editor = false;
+ #loader.systemd-boot.editor = false;
 loader.efi.canTouchEfiVariables = true;
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 tmp.useTmpfs = true;
 };
@@ -61,19 +62,19 @@
 # ];
 };
- environment.persistence."/nix/persist/system" = {
- directories = [
- "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
- "/etc/ssh"
- "/etc/secureboot"
- "/root/.ssh"
- ];
- files = [
- "/etc/machine-id"
- ];
- };
+ #environment.persistence."/nix/persist/system" = {
+ # directories = [
+ # "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+ # "/etc/ssh"
+ # "/etc/secureboot"
+ # "/root/.ssh"
+ # ];
+ # files = [
+ # "/etc/machine-id"
+ # ];
+ #};
 # impermanence fixes
- sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+ #sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
 sops.gnupg.sshKeyPaths = lib.mkForce [ ];
 time.timeZone = "Europe/Berlin";
@@ -118,8 +119,6 @@
 security = {
 polkit.enable = true;
- audit.enable = true;
- auditd.enable = true;
 };
 services.pipewire = {
@@ -158,7 +157,6 @@
 enable = true;
 openFirewall = false;
 };
- btrfs.autoScrub.enable = true; # periodically check filesystem and repair it
 fwupd.enable = true; # firmware updates
 };
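Review bot: Commenting out `loader.systemd-boot.editor = false;` re-enables the systemd-boot entry editor (the option defaults to true), which was a hardening independent of lanzaboote and is lost together with it; keep `loader.systemd-boot.editor = false;` as a live line whether or not Secure Boot comes back. The disabled `lanzaboote` block here, and the persistence block and `sops.age.sshKeyPaths` line in the `@@ -61,19 +62,19 @@` hunk, are left as commented-out code; deleting them (git history keeps them) or gating them behind one `lib.mkIf` flag reads better than a dozen `#` lines. The enclosing attribute set (presumably `boot = { … }`) starts before the hunk.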
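Review bot: The `# impermanence fixes` comment now heads only a commented-out line and `sops.gnupg.sshKeyPaths = lib.mkForce [ ];`, so it no longer describes what follows; reword it to something like `# sops: age key comes from the default /etc/ssh host key now that impermanence is off; gnupg unused` or drop it. With the `sops.age.sshKeyPaths` override gone, sops-nix presumably falls back to its default host-key path, and that key has to be the one the rotated `&thinkpad` recipient in `.sops.yaml` was derived from — a one-line comment saying so saves the next reader a search.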
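Review bot: Dropping `audit.enable = true;` and `auditd.enable = true;` is unrelated to the zfs switch the subject describes and removes the host's kernel audit trail entirely; if it is a deliberate trade-off, say so in the commit message or in a comment inside `security = { … }`, otherwise keep both lines. The enclosing `security` set is fully visible in the hunk.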
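Review bot: The periodic integrity check goes away with `btrfs.autoScrub.enable` but no ZFS counterpart is added, so the new pool is never scrubbed; add `zfs.autoScrub.enable = true; # periodic pool scrub, replaces the btrfs one` next to `fwupd.enable`. The enclosing `services = { … }` set starts outside the hunk.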
@@ -195,7 +193,6 @@
 environment.systemPackages = with pkgs; [
 # hardware utilities
- btdu
 nvme-cli
 intel-gpu-tools
diff --git a/hosts/thinkpad/hardware-configuration.nix b/hosts/thinkpad/hardware-configuration.nix
index d87923b..eb94f35 100644
--- a/hosts/thinkpad/hardware-configuration.nix
+++ b/hosts/thinkpad/hardware-configuration.nix
@@ -22,45 +22,39 @@
 device = "/dev/disk/by-uuid/4a5fd2d9-1b37-4895-a24b-835a9cd4063e";
 };
- fileSystems."/" =
- {
- device = "tmpfs";
- fsType = "tmpfs";
- options = [ "mode=755" ];
- };
-
- fileSystems."/home" =
+ fileSystems."/nix" =
 {
- device = "/dev/disk/by-uuid/3d44cde5-17a2-4023-b9ae-3a02ae68aa81";
- fsType = "btrfs";
- options = [ "subvol=home" "compress=zstd" "discard=async" "noatime" ];
+ device = "rpool/nixos/nix";
+ fsType = "zfs";
 };
 fileSystems."/var/lib" =
 {
- device = "/dev/disk/by-uuid/3d44cde5-17a2-4023-b9ae-3a02ae68aa81";
- fsType = "btrfs";
- options = [ "subvol=lib" "compress=zstd" "discard=async" "noatime" "x-mount.mkdir" ];
+ device = "rpool/nixos/var/lib";
+ fsType = "zfs";
 };
 fileSystems."/var/log" =
 {
- device = "/dev/disk/by-uuid/3d44cde5-17a2-4023-b9ae-3a02ae68aa81";
- fsType = "btrfs";
- options = [ "subvol=log" "compress=zstd" "discard=async" "noatime" "x-mount.mkdir" ];
+ device = "rpool/nixos/var/log";
+ fsType = "zfs";
 };
- fileSystems."/nix" =
+ fileSystems."/home" =
 {
- device = "/dev/disk/by-uuid/3d44cde5-17a2-4023-b9ae-3a02ae68aa81";
- fsType = "btrfs";
- options = [ "subvol=nix" "compress=zstd" "discard=async" "noatime" ];
+ device = "rpool/nixos/home";
+ fsType = "zfs";
+ };
+ fileSystems."/" =
+ {
+ device = "rpool/nixos/fixroot";
+ fsType = "zfs";
 };
 fileSystems."/boot" =
 {
- device = "/dev/disk/by-uuid/B174-4DAE";
+ device = "/dev/disk/by-uuid/DF86-7611";
 fsType = "vfat";
 };
diff --git a/hosts/thinkpad/modules/backup/default.nix b/hosts/thinkpad/modules/backup/default.nix
index 52be67c..aa70d7e 100644
--- a/hosts/thinkpad/modules/backup/default.nix
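Review bot: The new `rpool/nixos/*` entries say nothing about what `rpool` sits on; the retained context line `device = "/dev/disk/by-uuid/4a5fd2d9-…"` above the hunk looks like the initrd-unlocked device the btrfs layout used, but whether the pool was created on that mapped device (or uses ZFS native encryption) cannot be seen here, and if it was created on the raw disk the at-rest encryption of the old layout is silently gone. A comment on the new `fileSystems."/"` entry such as `# rpool is created on the LUKS volume opened above` (or the native-encryption equivalent) would pin that down. The dataset name `fixroot` also deserves a word on why it differs from the others.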
+++ b/hosts/thinkpad/modules/backup/default.nix
@@ -21,9 +21,13 @@
 "/home/*/.cache"
 "/home/*/.zcomp*"
 "/home/*/.zcomp*"
- "/home/*/.local/share/Steam"
- "/home/*/.local/share/Trash"
- "/home/*/.local/share/vifm/Trash"
+ "/home/*/.gradle*"
+ "/home/*/.java*"
+ "/home/*/.m2*"
+ "/home/*/.wine*"
+ "/home/*/.mypy_cache*"
+ "/home/*/.local/share"
+ "/home/*/.local/share"
 "/home/*/Linux/Isos"
 ];
 };
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 3e44e61..da1d3b8 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -14,6 +14,7 @@
 networking = {
 useNetworkd = true;
 hostName = "thinkpad";
+ hostId = "d8d34032";
 enableIPv6 = true;
 wireless = {
 enable = true;
diff --git a/secrets/thinkpad.yaml b/secrets/thinkpad.yaml
index ca90b33..c17a2e5 100644
--- a/secrets/thinkpad.yaml
+++ b/secrets/thinkpad.yaml
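Review bot: The two new `"/home/*/.local/share"` entries exclude the entire XDG data directory from the backup, far broader than the `Steam`, `Trash` and `vifm/Trash` paths they replace — keyrings, local mail and most application state live there and would no longer be backed up — and the entry is listed twice. Keep the narrower `"/home/*/.local/share/Steam"`, `"/home/*/.local/share/Trash"` and `"/home/*/.local/share/vifm/Trash"` and drop the duplicate; the pre-existing doubled `"/home/*/.zcomp*"` in the context could go at the same time. The list's owner (the backup job's exclude attribute) starts outside the hunk.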
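Review bot: `hostId = "d8d34032";` is added without explanation; it is the value ZFS records in the pool and compares on import, so it has to stay stable for `rpool` to import without a forced import. Make that contract explicit: `hostId = "d8d34032"; # required by zfs; recorded in rpool, do not change`. The enclosing `networking = { … }` set opens in the hunk but closes outside it.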
@@ -14,36 +14,36 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1pwdahgk2yty9w8cw5ht90mral76h0ndp3vkp93xm4g0cttjlsvgqn8vlys + - recipient: age1ejusm7c5smk5r0lcu7yynudrqc6j63pcyk9m4uh23f8kqd84cfqs88hjl6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQ243byszWm45UmpialpS - OVVsTEFQNDZrS3NRdUc1aFBOcTFyclZkenpzCmtXcnlsZGNBOTBhZVJSNFdrck9i - MHI0WjA4dy9DTFk3cWwydkJvR0h3RmsKLS0tIGxsM0hzUmg4RVBUOTI3QTZMZG4x - d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ - 39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ3BTZ1ZiMGozVUhFUDYx + UFhUV1Q5YzVuR1N1V25WckpMV3Fod2hmejJVCmRnQjRUMmhVbll6b0N2TmJOSFVF + cHNiK3NVSkJyUjAzMkNXWTNYejBsbUkKLS0tIFRMWXRac1lzZ3dvb1BxTExucDNh + YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB + PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-30T13:44:51Z" mac: ENC[AES256_GCM,data:kddokPxPpClyToDm6a3Iu0UfTFxqN2oRsGYLBgzW3iuScz0NpOJXYfHyOXmzTLyj7LSFr4xuE86/KsaWeGxse8CCqnbnbsj2Ok7nEjWqT26L7fUDklBkTb3EZQqgz1v+rl35mlto+GfsA5kskwwUOiQGuwxqWPZTznf3WqWq6pI=,iv:8qaKsXRh9O57zeWVJQqW4m4U6OgRjMaEQKclnt8jrIQ=,tag:rrC1JqCZH8br3hYlxBCRYA==,type:str] pgp: - - created_at: "2023-02-16T20:53:51Z" + - created_at: "2023-08-02T14:13:52Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMAzUXo8ZPJwGLAQ/+NB4eFL48UlOgU36c4fo5eGFAFCx54wovfOq33S3yc5tx - UewzA5DZ9FECG8vl/CvxDNZdDZcdHWdF8r0MEKtToMMuDgcw4c1oDyZsKPCycWJm - /vzVnmQDD1TfS1FoZNLU+IHm1VZ6c51s1A24KhIZc4fre0U4jA9JXv2ZelCJzzOm - 5PqOdItIl/avnDH7Q5iBBsHkebM3exrpq0VzUABaiiR6mjcn8uhh5T11oxgMZgvD - AzP+IsBHh1dkuhy5tV0eUtzD95aYvofuszIFSe6Aj/HX7Iod/C70M5KWQNMQhqXI - d2YRZc9VGcrZ0RgYnUyoC15h7k91tO9UHhAbR9IG3j7px5QLs8/JjaUi64wIRbDd - EiT+vbmpv3V2aqAdwRGOOd5buWrrdLIyk+2BdmtVqOtI2kOrQr328J3uM7+z1c55 - iE5QlS8zZL8zY+5sSCpijmKNPGe4SsJxJ72PLyT+y9DwI4259uNW2fpt+ZsT4yWr - MWv/EvuPuIq774odk5B+ECvucUcufJ2j0R1XoVGVvNc6N8VZiMGpfYx7+w6soEQQ - 
GDaNJ1ETw4nYOvb19nF+ymKFhRz1fV7w6QRn6vI0tBO3UTGR1bx6+D5oM+OazzgA - HcQGrxn/sAVKm/zXri479VNw5w4T4F5qhXaYyYhQmssKGBEpqhm02jzy8NRaUmPS - UQEuypPFKDKZhGW5GeToRNYnlrd/txV8n/bvRN2OrhkgHN0D8HLn/X9AW3dd/KnT - FIL5dAFoBIC5GFu0xNGyuA/9MLNWRpwMF7tU3vr2726iTQ== - =3Wti + wcFMAzUXo8ZPJwGLAQ//VVEf2kjskLK9GCYh0d51LrosaUAutDYvG/QKUqO7o1HQ + vXYHjSo6A927Z3uWPCEgJBufMgAEen/VNOLC/3nZ94Qb18ORLpvWYr3xFL6uQuGF + /8l2r0MMCkulClJDkwEd/BR2wp/VEwVnlAk22EYuGqn1xbp7IO48YMpMG1qSNcZ0 + 4BaXgkVfe11fB4mv5FGN3D6EA1PvXNBt5Fx64AUv6AqJRlkpjOmrpm88gPOuKQ4a + vwcqZnP7ryWGTJ+IFeKYDxUFYMhq0Dm+xvkfER5py9qIy3D/5rcG4kl73I+5sN+2 + hN9/pmGEzi5EkHmkyRBSZ1oqLDlW/lXa3FcuAyjMRzU1sGesJLiDW7P8pTdVb63a + o+rVaj78V0dk7TZ3bIteJ/sMzZBM5z3h4hXIvyyhA5aiuw48FcPRqChdlbI6rDRJ + ZRlh0uYJdtGN1nqln24Do+Dp40pvceZCJbzxJjI9MZyQY3G3ilTTKSVt8V4+XRYr + 89jffQEYH1qA0HmPP8QvrW3dRHsPYRsZgLNco8yOqOj6wdL/QqTfQLI7uZKtNBOt + M7rVKpcmCBoMBlc95qALI+v6eh21AbTMYkblWAEf36ufjyOTwWqh1lfl9UI/MwMD + vLJ9Z+UxP1GLRwz2kh5vr3b+6FKIahUuWsNH+MhaTYqCo4rzzXpIFYeB9Gcut/XS + UQHQajWoKDl/Gd/VOZHZWZEuNKz+3TzJzhVIY/RoI7QvhZipAIH+/UflEUcSEHP2 + p20IEABHoFu38njZquAMRQoEljIl8T9bc4DxTrnWjoz4JA== + =1/wz -----END PGP MESSAGE----- fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 unencrypted_suffix: _unencrypted