From a7a6c8e3207954c39ac1c6fd9ca687164141c12f Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 2 Aug 2023 20:28:22 +0200
Subject: [PATCH] re-enabled impermanence and secure boot

---
 flake.lock | 6 ++--
 hosts/thinkpad/default.nix | 38 +++++++++++------------
 hosts/thinkpad/hardware-configuration.nix | 36 +++++++++++++--------
 3 files changed, 45 insertions(+), 35 deletions(-)

diff --git a/flake.lock b/flake.lock
index 5e985cb..93d514f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -171,11 +171,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690970947,
- "narHash": "sha256-7vOE9NFsNhe3+cpgGZ9ZLuSIzE+b8oNutezmr8tI60w=",
+ "lastModified": 1690982105,
+ "narHash": "sha256-32AzoLuwhtxBItcULRiCnxRfJcbVXbPZSH9TDVg21mU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "484a1c94424d296b15af3e6858f08b576b842ec2",
+ "rev": "b2ac1d2c32ac11b8d231d23622cdc4b2f28d07d2",
 "type": "github"
 },
 "original": {
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index c1d52a4..44ca38a 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -16,13 +16,12 @@
 # This setting is usually set to true in configuration.nix
 # generated at installation time. So we force it to false
 # for now.
- # loader.systemd-boot.enable = lib.mkForce false;
- loader.systemd-boot.enable = true;
- # lanzaboote = {
- # enable = true;
- # pkiBundle = "/etc/secureboot";
- # configurationLimit = 10;
- # };
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ configurationLimit = 10;
+ };
 extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
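Review bot: `pkiBundle = "/etc/secureboot"` names a directory on the root filesystem, and the same patch turns `/` into tmpfs, so the Secure Boot signing keys (the private keys lanzaboote signs with) survive a reboot only through the `environment.persistence` entry further down in this file; nothing at this site records that coupling. A comment on the `pkiBundle` line such as `# private signing keys; persisted from /nix/persist/system via environment.persistence below` would stop a later edit of the persistence list from silently breaking the bootloader install on the next rebuild. Since the bundle holds private key material, it is also worth confirming that the persisted copy under `/nix/persist/system/etc/secureboot` keeps root-only permissions. The `boot = { ... }` set these lines belong to starts before the hunk.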
@@ -62,19 +61,19 @@
 # ];
 };
- #environment.persistence."/nix/persist/system" = {
- # directories = [
- # "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
- # "/etc/ssh"
- # "/etc/secureboot"
- # "/root/.ssh"
- # ];
- # files = [
- # "/etc/machine-id"
- # ];
- #};
+ environment.persistence."/nix/persist/system" = {
+ directories = [
+ "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
+ "/etc/ssh"
+ "/etc/secureboot"
+ "/root/.ssh"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ };
 # impermanence fixes
- #sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
 sops.gnupg.sshKeyPaths = lib.mkForce [ ];
 time.timeZone = "Europe/Berlin";
@@ -158,6 +157,7 @@
 openFirewall = false;
 };
 fwupd.enable = true; # firmware updates
+ zfs.autoScrub.enable = true;
 };
 programs.steam.enable = true; # putting steam in here cause in home manager it doesn't work
diff --git a/hosts/thinkpad/hardware-configuration.nix b/hosts/thinkpad/hardware-configuration.nix
index eb94f35..f805473 100644
--- a/hosts/thinkpad/hardware-configuration.nix
+++ b/hosts/thinkpad/hardware-configuration.nix
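Review bot: The persistence list keeps `/etc/ssh`, `/etc/secureboot` and `/root/.ssh` but, at least within this hunk, nothing under `/var`: with `/` on tmpfs that discards `/var/log` on every reboot, so journal history is gone when an incident needs to be reconstructed, and without `/var/lib/nixos` the uid/gid allocations for dynamically created system users can change between boots, which then no longer matches the ownership of the persisted files. If these are not persisted elsewhere in the file, consider adding `"/var/log"` and `"/var/lib/nixos"` to `directories`. The `sops.age.sshKeyPaths` change reads the host key from the `/nix/persist/system/...` path rather than the `/etc/ssh` bind mount, presumably because secret decryption runs before that mount is in place; a comment such as `# sops decrypts before the /etc/ssh bind mount exists, so read the key from the persist path` would make the `# impermanence fixes` line self-explanatory. The enclosing attribute set continues outside the hunk.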
@@ -9,17 +9,26 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
- boot.initrd.systemd.enable = true;
- boot.initrd.luks.devices."luksroot" = {
- device = "/dev/disk/by-uuid/6b89181c-71e0-4e84-8523-2456d3e28400";
- allowDiscards = true;
- };
- boot.initrd.luks.devices."luksswap" = {
- device = "/dev/disk/by-uuid/4a5fd2d9-1b37-4895-a24b-835a9cd4063e";
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+ kernelModules = [ ];
+ systemd.enable = true;
+ luks.devices."luksroot" = {
+ device = "/dev/disk/by-uuid/6b89181c-71e0-4e84-8523-2456d3e28400";
+ allowDiscards = true;
+ };
+ luks.devices."luksswap" = {
+ device = "/dev/disk/by-uuid/4a5fd2d9-1b37-4895-a24b-835a9cd4063e";
+ };
+
+ };
+ kernelModules = [ "kvm-intel" ];
+ zfs = {
+ allowHibernation = true;
+ forceImportRoot = false;
+ };
+ };
@@ -48,8 +57,9 @@
 };
 fileSystems."/" = {
- device = "rpool/nixos/fixroot";
- fsType = "zfs";
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "mode=755" ];
 };
 fileSystems."/boot" =
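Review bot: `zfs.allowHibernation = true` is described by its NixOS option as potentially unsafe, with the explicit condition that swap must not live on ZFS; here swap is the separate `luksswap` LUKS device rather than a zvol, so that condition appears to be met, but the file does not record it. A comment above the option such as `# only safe while swap stays on luksswap (a plain LUKS device), never on a zvol` would guard against a later swap-on-ZFS change quietly breaking the invariant. Minor style: the empty `+` line before the `};` that closes `initrd` is stray. The enclosing module attribute set continues outside the hunk.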
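Review bot: The new tmpfs root has `options = [ "mode=755" ]` and no `size=` bound, so it takes the tmpfs default of half of physical RAM; any process writing into a path that is not bind-mounted from `/nix/persist/system` can fill that and drive the machine into memory pressure, which is a cheap local denial of service on a laptop. Consider `options = [ "mode=755" "size=<ROOT_TMPFS_SIZE>" ];` with a value chosen for what actually lands on the ephemeral root (placeholder, to be sized by the author). Keeping `mode=755` is right, since a world-writable root would let any local user drop files into top-level paths. The `fileSystems."/boot"` definition that begins on the last line continues outside the hunk.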