From f7fe0becd118efef3157f27dd225ac34fb70d72b Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 18:04:02 +0000 Subject: [PATCH 01/21] Fix murk --- README.md | 5 ++- hosts/murk/configuration.nix | 9 ++--- hosts/murk/disk-config.nix | 6 +-- hosts/murk/hardware-configuration.nix | 57 ++++++++++++++++++++++++--- modules/home/impermanence.nix | 17 ++++---- 5 files changed, 71 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index ff58ed5..d213455 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,10 @@ ```sh git clone https://codeberg.org/muon/home && cd home sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/$(hostname)/disk-config.nix -sudo btrfs subvolume snapshot -r /mnt /mnt/root-blank +sudo mkdir /tmp/mnt +sudo mount /dev/mapper/crypted /tmp/mnt +sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank +sudo umount /tmp/mnt sudo nixos-generate-config --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) diff --git a/hosts/murk/configuration.nix b/hosts/murk/configuration.nix index a500b4a..5f9f24c 100644 --- a/hosts/murk/configuration.nix +++ b/hosts/murk/configuration.nix @@ -5,10 +5,9 @@ in { # Hardware imports = [ ./hardware-configuration.nix - ./disk-config.nix inputs.impermanence.nixosModules.impermanence - (inputs.nixpkgs - + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix") + # (inputs.nixpkgs + # + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix") ]; environment.systemPackages = with inputs.nix-alien.packages.${system}; 
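Review bot: The installer ISO module import in the `imports` list of hosts/murk/configuration.nix is commented out instead of deleted, leaving a dead two-line `# (inputs.nixpkgs …` toggle inside a host definition; git history keeps the old lines, so remove them outright. If switching this host between an installer build and the installed system is a recurring need, an option in the module system is a clearer switch than editing comments. The enclosing `in { … }` attrset continues outside the hunk.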
@@ -22,13 +21,13 @@ in { # Modules mods.desktop.enable = true; - mods.boot.enable = false; + mods.boot.enable = true; mods.theme.enable = true; mods.theme.scheme = "woodland"; mods.theme.wallpaper = ./wallpaper.png; - mods.impermanence.enable = false; + mods.impermanence.enable = true; services.xserver.windowManager.i3.enable = true; diff --git a/hosts/murk/disk-config.nix b/hosts/murk/disk-config.nix index 1154668..2e47e57 100644 --- a/hosts/murk/disk-config.nix +++ b/hosts/murk/disk-config.nix @@ -1,9 +1,9 @@ -{ inputs }: { - inputs.disko.devices = { +{ + disko.devices = { disk = { main = { type = "disk"; - device = "/dev/disk/by-diskseq/1"; + device = "/dev/sda"; content = { type = "gpt"; partitions = { diff --git a/hosts/murk/hardware-configuration.nix b/hosts/murk/hardware-configuration.nix index d986145..6ea19ce 100644 --- a/hosts/murk/hardware-configuration.nix +++ b/hosts/murk/hardware-configuration.nix 
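Review bot: `device = "/dev/sda";` in the hosts/murk/disk-config.nix hunk names the target disk by enumeration order, and the README runs disko on this file with `--mode destroy,format,mount`, so whichever disk happens to enumerate as sda on the install medium is wiped; with a USB installer attached that order is not fixed. Bind the destructive run to one physical device with a stable path such as `device = "/dev/disk/by-id/<DISK-ID>";` (placeholder for the real id). The previous `/dev/disk/by-diskseq/1` had the same problem, so this is an unresolved hazard rather than a regression. The `disko.devices` attrset continues past the hunk.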
@@ -4,16 +4,61 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = - [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - boot.supportedFilesystems = [ "zfs" "ntfs" "btrfs" ]; - networking.useDHCP = lib.mkDefault true; + fileSystems."/" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + boot.initrd.luks.devices."crypted".device = "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/4BD8-A887"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + fileSystems."/home" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + fileSystems."/nix" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; + + fileSystems."/persist" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=persist" ]; + }; + + fileSystems."/swap" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=swap" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=log" ]; + }; + + swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/modules/home/impermanence.nix b/modules/home/impermanence.nix index db544ce..5c910f3 100644 --- a/modules/home/impermanence.nix +++ b/modules/home/impermanence.nix 
@@ -9,17 +9,18 @@ let # fs-diff.sh set -euo pipefail - OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999) - OLD_TRANSID=${OLD_TRANSID} + sudo mkdir /btrfs_tmp + sudo mount -o subvol=/ /dev/mapper/crypted /btrfs_tmp - sudo mkdir /mnt - sudo mount -o subvol=/ /dev/mapper/crypted /mnt - sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" | - sed \'$d\' | + OLD_TRANSID=$(sudo btrfs subvolume find-new /btrfs_tmp/root-blank 9999999) + OLD_TRANSID=''${OLD_TRANSID#transid marker was } + + sudo btrfs subvolume find-new "/btrfs_tmp/root" "$OLD_TRANSID" | + sed '$d' | cut -f17- -d' ' | sort | uniq | - while read path; do + while read -r path; do path="/$path" if [ -L "$path" ]; then : # The path is a symbolic link, so is probably handled by NixOS already @@ -29,7 +30,7 @@ let echo "$path" fi done - sudo umount /mnt + sudo umount /btrfs_tmp ''; }; in with lib; { From aba1da6c1f4f02c28ea9d99a0bcc722f4b5cced8 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 18:57:30 +0000 Subject: [PATCH 02/21] Remove persist --- modules/home/impermanence.nix | 22 +++++++++++----------- modules/nixos/impermanence.nix | 18 +++++++++--------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/modules/home/impermanence.nix b/modules/home/impermanence.nix index 5c910f3..7a7a461 100644 --- a/modules/home/impermanence.nix +++ b/modules/home/impermanence.nix @@ -36,16 +36,16 @@ let in with lib; { config = mkIf osConfig.mods.impermanence.enable { home.packages = [ fs-diff ]; - home.persistence."/persistent/home/muon" = { - directories = [ - "documents" - "downloads" - "src" - ".gnupg" - ".ssh" - ".config/sops" - ".local/share/direnv" - ]; - }; + # home.persistence."/persistent/home/muon" = { + # directories = [ + # "documents" + # "downloads" + # "src" + # ".gnupg" + # ".ssh" + # ".config/sops" + # ".local/share/direnv" + # ]; + # }; }; } diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index f2ffa3d..2871d4a 100644 
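Review bot: `sudo mkdir /btrfs_tmp` at the top of the fs-diff hunk has no `-p`, so under `set -euo pipefail` a second run of fs-diff aborts if the directory is still there, and because the only `sudo umount /btrfs_tmp` is the last line, any failure in the `find-new | sed | cut | sort | uniq` pipeline leaves the full btrfs top level (every subvolume) mounted at /btrfs_tmp. Use `sudo mkdir -p /btrfs_tmp` and register the cleanup right after the mount, `trap 'sudo umount /btrfs_tmp' EXIT`, replacing the trailing explicit umount so it is not attempted twice. The `''${OLD_TRANSID#transid marker was }` strip, the `sed '$d'` quoting fix and `read -r` look correct. The script text continues outside the hunk.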
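Review bot: The `home.persistence` block in the PATCH 02/21 hunk of modules/home/impermanence.nix is commented out rather than deleted, and the same is done to `environment.persistence` in modules/nixos/impermanence.nix in that patch, while the initrd `boot.initrd.postResumeCommands` that appears to implement the root reset (its body runs past the hunk) stays active, so `.ssh`, `.gnupg`, the sops age directory and `/etc/machine-id` are recreated empty on every boot until persistence is re-enabled. If this is a temporary bisect step, gating the block with `mkIf` on an option is a cleaner switch than commenting; otherwise delete the lines, since git history keeps them.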
--- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -3,15 +3,15 @@ with lib; { options.mods.impermanence.enable = mkEnableOption "enables impermanence"; config = mkIf config.mods.impermanence.enable { - environment.persistence."/persistent" = { - directories = [ - "/var/lib/bluetooth" - "/var/lib/nixos" - "/var/lib/systemd/coredump" - "/etc/NetworkManager/system-connections" - ]; - files = [ "/etc/machine-id" ]; - }; + # environment.persistence."/persistent" = { + # directories = [ + # "/var/lib/bluetooth" + # "/var/lib/nixos" + # "/var/lib/systemd/coredump" + # "/etc/NetworkManager/system-connections" + # ]; + # files = [ "/etc/machine-id" ]; + # }; boot.initrd.postResumeCommands = lib.mkAfter '' mkdir /btrfs_tmp From 41ae205f6a54d1b285512c49517e832425199a04 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:20:55 +0000 Subject: [PATCH 03/21] Fix persist --- README.md | 5 ++ hosts/murk/configuration.nix | 10 +++- hosts/murk/hardware-configuration.nix | 85 ++++++++++++++------------- modules/home/impermanence.nix | 3 +- modules/nixos/impermanence.nix | 22 ++++--- 5 files changed, 72 insertions(+), 53 deletions(-) diff --git a/README.md b/README.md index d213455..5d7702b 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,11 @@ sudo umount /tmp/mnt sudo nixos-generate-config --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) +sudo nixos-enter +passwd +passwd muon +exit +sudo reboot ``` # Impermanence diff --git a/hosts/murk/configuration.nix b/hosts/murk/configuration.nix index 5f9f24c..969f9c3 100644 --- a/hosts/murk/configuration.nix +++ b/hosts/murk/configuration.nix 
@@ -6,6 +6,11 @@ in { imports = [ ./hardware-configuration.nix inputs.impermanence.nixosModules.impermanence + "${ + builtins.fetchTarball + "https://github.com/nix-community/disko/archive/master.tar.gz" + }/module.nix" + ./disk-config.nix # (inputs.nixpkgs # + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix") ]; @@ -19,9 +24,12 @@ in { networking.hostId = "a2309090"; mods.home.file = ./home.nix; + boot.loader.grub.enable = true; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = true; + # Modules mods.desktop.enable = true; - mods.boot.enable = true; mods.theme.enable = true; mods.theme.scheme = "woodland"; diff --git a/hosts/murk/hardware-configuration.nix b/hosts/murk/hardware-configuration.nix index 6ea19ce..2598b86 100644 --- a/hosts/murk/hardware-configuration.nix +++ b/hosts/murk/hardware-configuration.nix 
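Review bot: `builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"` in the new `imports` entry fetches an unpinned, unhashed tarball at evaluation time and evaluates its `module.nix` as part of the system configuration, so the host's disk layout logic changes whenever upstream master moves and the fetch is trusted on TLS alone; pure flake evaluation also rejects an unhashed fetchTarball. Pin it, `builtins.fetchTarball { url = "…/refs/tags/<TAG>.tar.gz"; sha256 = "<HASH>"; }` (placeholders), or better, since `inputs` is already used on the line above for impermanence, add disko as a flake input and import `inputs.disko.nixosModules.disko` so flake.lock pins it together with everything else. The `imports` list closes at the end of the hunk.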
@@ -4,61 +4,64 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.availableKernelModules = + [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + fileSystems."/" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; - boot.initrd.luks.devices."crypted".device = "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227"; + boot.initrd.luks.devices."crypted".device = + "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227"; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/4BD8-A887"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4BD8-A887"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; - fileSystems."/home" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; + fileSystems."/home" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" "noatime" ]; + }; - fileSystems."/nix" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; + fileSystems."/nix" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; - fileSystems."/persist" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=persist" ]; - }; + fileSystems."/persist" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=persist" "compress=zstd" 
"noatime" ]; + neededForBoot = true; + }; - fileSystems."/swap" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=swap" ]; - }; + fileSystems."/swap" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=swap" ]; + }; - fileSystems."/var/log" = - { device = "/dev/mapper/crypted"; - fsType = "btrfs"; - options = [ "subvol=log" ]; - }; + fileSystems."/var/log" = { + device = "/dev/mapper/crypted"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" "noatime" ]; + neededForBoot = true; + }; swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/modules/home/impermanence.nix b/modules/home/impermanence.nix index 7a7a461..b2dee21 100644 --- a/modules/home/impermanence.nix +++ b/modules/home/impermanence.nix @@ -3,7 +3,6 @@ let fs-diff = with pkgs; writeShellApplication { name = "fs-diff"; - runtimeInputs = [ flameshot curl xsel ]; text = '' #!/usr/bin/env bash # fs-diff.sh @@ -36,7 +35,7 @@ let in with lib; { config = mkIf osConfig.mods.impermanence.enable { home.packages = [ fs-diff ]; - # home.persistence."/persistent/home/muon" = { + # home.persistence."/persist/home/muon" = { # directories = [ # "documents" # "downloads" diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 2871d4a..2ca5297 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix 
@@ -3,15 +3,19 @@ with lib; { options.mods.impermanence.enable = mkEnableOption "enables impermanence"; config = mkIf config.mods.impermanence.enable { - # environment.persistence."/persistent" = { - # directories = [ - # "/var/lib/bluetooth" - # "/var/lib/nixos" - # "/var/lib/systemd/coredump" - # "/etc/NetworkManager/system-connections" - # ]; - # files = [ "/etc/machine-id" ]; - # }; + environment.persistence."/persist" = { + directories = + [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/nixos" ]; + files = [ + "/etc/machine-id" + "/etc/passwd" + "/etc/group" + "/etc/shadow" + "/etc/subgid" + "/etc/subuid" + "/etc/sudoers" + ]; + }; boot.initrd.postResumeCommands = lib.mkAfter '' mkdir /btrfs_tmp From 39c26942a7a2d29aae4ad588493a99440c8adc45 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:27:12 +0000 Subject: [PATCH 04/21] Add hash --- hosts/murk/configuration.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/murk/configuration.nix b/hosts/murk/configuration.nix index 969f9c3..6f07d91 100644 --- a/hosts/murk/configuration.nix +++ b/hosts/murk/configuration.nix @@ -7,8 +7,11 @@ in { ./hardware-configuration.nix inputs.impermanence.nixosModules.impermanence "${ - builtins.fetchTarball - "https://github.com/nix-community/disko/archive/master.tar.gz" + builtins.fetchTarball { + url = + "https://github.com/nix-community/disko/archive/refs/tags/v1.12.0.tar.gz"; + sha256 = "0wbx518d2x54yn4xh98cgm65wvj0gpy6nia6ra7ns4j63hx14fkq"; + } }/module.nix" ./disk-config.nix # (inputs.nixpkgs From e2676da17e18db4b878051cb86b55066716e3360 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:28:17 +0000 Subject: [PATCH 05/21] Update generate config --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5d7702b..816f631 100644 --- a/README.md +++ b/README.md 
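Review bot: The `files` list in the modules/nixos/impermanence.nix hunk persists `/etc/passwd`, `/etc/group`, `/etc/shadow`, `/etc/subuid`, `/etc/subgid` and `/etc/sudoers`, but on NixOS those are rewritten by activation on every switch (`/etc/sudoers` is a symlink into the store) and impermanence, as far as I can tell, bind-mounts each persisted file over its target, so the stored copies and the declarative user/sudo configuration will fight. Persist the uid/gid map in `/var/lib/nixos`, which this hunk already does, carry the password through `users.users.<name>.hashedPasswordFile` backed by a sops secret with `neededForUsers`, and keep `files = [ "/etc/machine-id" ];`. Persisting `/etc/nixos` looks redundant with the flake checkout but is harmless.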
@@ -7,7 +7,7 @@ sudo mkdir /tmp/mnt sudo mount /dev/mapper/crypted /tmp/mnt sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank sudo umount /tmp/mnt -sudo nixos-generate-config --root /mnt +sudo nixos-generate-config --no-filesystems --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) sudo nixos-enter From f443bae2eda1f1397f6931d8d1984ba01313f317 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:33:54 +0000 Subject: [PATCH 06/21] Add neededForBoot --- README.md | 5 ----- hosts/murk/disk-config.nix | 5 ++++- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 816f631..f2504bf 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,6 @@ sudo umount /tmp/mnt sudo nixos-generate-config --no-filesystems --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) -sudo nixos-enter -passwd -passwd muon -exit -sudo reboot ``` # Impermanence diff --git a/hosts/murk/disk-config.nix b/hosts/murk/disk-config.nix index 2e47e57..7083763 100644 --- a/hosts/murk/disk-config.nix +++ b/hosts/murk/disk-config.nix @@ -1,4 +1,4 @@ -{ +{ config, lib, pgks, ... }: { disko.devices = { disk = { main = { @@ -66,4 +66,7 @@ }; }; }; + + fileSystems."/persist".neededForBoot = true; + fileSystems."/var/log".neededForBoot = true; } From d6f3800246f103e9a1f96bf044f03567a5699ada Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:35:28 +0000 Subject: [PATCH 07/21] Add boot --- hosts/murk/configuration.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/hosts/murk/configuration.nix b/hosts/murk/configuration.nix index 6f07d91..21925f1 100644 --- a/hosts/murk/configuration.nix +++ b/hosts/murk/configuration.nix 
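Review bot: The new header `{ config, lib, pgks, ... }:` in the first hosts/murk/disk-config.nix hunk misspells `pkgs`, and none of the three arguments are used in the file, so either `{ ... }:` or the previous bare `{` attrset is the correct form; whether the stray name errors out depends on the module system's lazy argument handling, but it should not be left in. The `neededForBoot` lines added in the second hunk duplicate the values already set on `/persist` and `/var/log` in hosts/murk/hardware-configuration.nix by PATCH 03/21, which merges fine in Nix but leaves two places to keep in sync; if the intent is to move them out of the generated file, remove them there.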
@@ -27,12 +27,9 @@ in { networking.hostId = "a2309090"; mods.home.file = ./home.nix; - boot.loader.grub.enable = true; - boot.loader.grub.efiSupport = true; - boot.loader.grub.efiInstallAsRemovable = true; - # Modules mods.desktop.enable = true; + mods.boot.enable = true; mods.theme.enable = true; mods.theme.scheme = "woodland"; From ae295eb2414dc35fb6fefb65febbded5a2384e5d Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:39:18 +0000 Subject: [PATCH 08/21] Update persist etc files --- modules/nixos/impermanence.nix | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 2ca5297..b8a3711 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -6,15 +6,7 @@ with lib; { environment.persistence."/persist" = { directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/nixos" ]; - files = [ - "/etc/machine-id" - "/etc/passwd" - "/etc/group" - "/etc/shadow" - "/etc/subgid" - "/etc/subuid" - "/etc/sudoers" - ]; + files = [ "/etc/machine-id" ]; }; boot.initrd.postResumeCommands = lib.mkAfter '' From 51a84f597c22545f62246e7d9d31a75dceaa9e1d Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:56:17 +0000 Subject: [PATCH 09/21] Add persist install commands --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f2504bf..d77cf1c 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # Installation ```sh -git clone https://codeberg.org/muon/home && cd home sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/$(hostname)/disk-config.nix sudo mkdir /tmp/mnt sudo mount /dev/mapper/crypted /tmp/mnt 
@@ -10,6 +9,17 @@ sudo umount /tmp/mnt sudo nixos-generate-config --no-filesystems --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) +sudo mkdir -p /mnt/persist/{etc,var/lib/systemd} +sudo cp -r {/mnt,/mnt/persist}/etc/nixos +sudo cp -r {/mnt,/mnt/persist}/var/lib/nixos +sudo cp -r {/mnt,/mnt/persist}/var/lib/systemd/coredump +sudo cp {/mnt,/mnt/persist}/etc/machine-id +rbw config set email admin@muon.host +rbw config set base_url vault.muon.host +rbw login +sudo mkdir -p /mnt/home/muon/.config/sops/age/keys.txt +sudo chown muon:users /mnt/home/muon/.config +rbw get sops > /mnt/home/muon/.config/sops/age/keys.txt ``` # Impermanence From ee3d2b563bc466999d3a4191029cd30afef2852f Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:58:17 +0000 Subject: [PATCH 10/21] Fix path --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d77cf1c..f362e25 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ sudo cp {/mnt,/mnt/persist}/etc/machine-id rbw config set email admin@muon.host rbw config set base_url vault.muon.host rbw login -sudo mkdir -p /mnt/home/muon/.config/sops/age/keys.txt +sudo mkdir -p /mnt/home/muon/.config/sops/age sudo chown muon:users /mnt/home/muon/.config rbw get sops > /mnt/home/muon/.config/sops/age/keys.txt ``` From 0874e87ef2316e8d5ef640f71fe192b7715b18e2 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 20:59:05 +0000 Subject: [PATCH 11/21] Fix disk-config --- hosts/murk/disk-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/murk/disk-config.nix b/hosts/murk/disk-config.nix index 7083763..05a9f01 100644 --- a/hosts/murk/disk-config.nix +++ b/hosts/murk/disk-config.nix @@ -1,4 +1,4 @@ -{ config, lib, pgks, ... }: { +{ disko.devices = { disk = { main = { From 19b9edc01b1150de454de026e5e0dbbcb9a8478a Mon Sep 17 00:00:00 2001 
From: muon Date: Thu, 31 Jul 2025 21:17:32 +0000 Subject: [PATCH 12/21] Fix commands --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index f362e25..5852a3d 100644 --- a/README.md +++ b/README.md @@ -8,18 +8,18 @@ sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank sudo umount /tmp/mnt sudo nixos-generate-config --no-filesystems --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix +rbw config set email admin@muon.host +rbw config set base_url https://vault.muon.host +rbw login +sudo mkdir -p /mnt/home/muon/.config/sops/age +sudo chown muon:users /mnt/home/muon/.config -R +rbw get sops > /mnt/home/muon/.config/sops/age/keys.txt sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) sudo mkdir -p /mnt/persist/{etc,var/lib/systemd} sudo cp -r {/mnt,/mnt/persist}/etc/nixos sudo cp -r {/mnt,/mnt/persist}/var/lib/nixos sudo cp -r {/mnt,/mnt/persist}/var/lib/systemd/coredump sudo cp {/mnt,/mnt/persist}/etc/machine-id -rbw config set email admin@muon.host -rbw config set base_url vault.muon.host -rbw login -sudo mkdir -p /mnt/home/muon/.config/sops/age -sudo chown muon:users /mnt/home/muon/.config -rbw get sops > /mnt/home/muon/.config/sops/age/keys.txt ``` # Impermanence From ac0f87a42963b4c1bef52412cb4a63dee374be2e Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 21:36:11 +0000 Subject: [PATCH 13/21] Fix sops user passwd --- README.md | 7 ++++--- hosts/murk/configuration.nix | 1 - modules/home/sops/default.nix | 2 +- modules/nixos/impermanence.nix | 8 ++++++-- modules/nixos/sops/default.nix | 4 ++-- utils.nix | 1 + 6 files changed, 14 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5852a3d..80effd8 100644 --- a/README.md +++ b/README.md 
@@ -11,13 +11,14 @@ cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configur rbw config set email admin@muon.host rbw config set base_url https://vault.muon.host rbw login -sudo mkdir -p /mnt/home/muon/.config/sops/age -sudo chown muon:users /mnt/home/muon/.config -R -rbw get sops > /mnt/home/muon/.config/sops/age/keys.txt +sudo mkdir -p /mnt/var/lib/sops-nix +sudo chown muon:users /mnt/var/lib/sops-nix -R +rbw get sops > /mnt/var/lib/sops-nix/key.txt sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) sudo mkdir -p /mnt/persist/{etc,var/lib/systemd} sudo cp -r {/mnt,/mnt/persist}/etc/nixos sudo cp -r {/mnt,/mnt/persist}/var/lib/nixos +sudo cp -r {/mnt,/mnt/persist}/var/lib/sops-nix sudo cp -r {/mnt,/mnt/persist}/var/lib/systemd/coredump sudo cp {/mnt,/mnt/persist}/etc/machine-id ``` diff --git a/hosts/murk/configuration.nix b/hosts/murk/configuration.nix index 21925f1..c0748c1 100644 --- a/hosts/murk/configuration.nix +++ b/hosts/murk/configuration.nix @@ -5,7 +5,6 @@ in { # Hardware imports = [ ./hardware-configuration.nix - inputs.impermanence.nixosModules.impermanence "${ builtins.fetchTarball { url = diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix index 4bfb885..1bb97a5 100644 --- a/modules/home/sops/default.nix +++ b/modules/home/sops/default.nix @@ -3,7 +3,7 @@ let cfg = config.mods; in with lib; { imports = [ inputs.sops-nix.homeManagerModules.sops ]; sops = { - age.keyFile = "/home/muon/.config/sops/age/keys.txt"; + age.keyFile = "/var/lib/sops-nix/key.txt"; defaultSopsFile = ./secrets.yaml; secrets.zipline-auth = { }; }; diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index b8a3711..72e62bc 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix 
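Review bot: `age.keyFile = "/var/lib/sops-nix/key.txt";` in modules/home/sops/default.nix points the home-manager sops module at the same age key the NixOS sops module uses (modules/nixos/sops/default.nix in this patch), and the README step makes that file owned by `muon:users` so user-level decryption can read it; one key for both scopes means the unprivileged user account can decrypt every system secret encrypted to it. That is a defensible choice on a single-user machine, but record it, `# shared with the system sops key; the user can decrypt all system secrets`, and ensure the install step sets `chmod 0600` on the file, since the README's redirect creates it with the default umask.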
@@ -4,8 +4,12 @@ with lib; { config = mkIf config.mods.impermanence.enable { environment.persistence."/persist" = { - directories = - [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/nixos" ]; + directories = [ + "/var/lib/nixos" + "/var/lib/systemd/coredump" + "/var/lib/sops-nix" + "/etc/nixos" + ]; files = [ "/etc/machine-id" ]; }; diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix index 01891a7..c38c876 100644 --- a/modules/nixos/sops/default.nix +++ b/modules/nixos/sops/default.nix @@ -3,9 +3,9 @@ let cfg = config.mods; in with lib; { imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { - age.keyFile = "/home/muon/.config/sops/age/keys.txt"; + age.keyFile = "/var/lib/sops-nix/key.txt"; defaultSopsFile = ./secrets.yaml; - secrets.muon-password = { }; + secrets.muon-password.neededForUsers = true; secrets.zipline-secret = mkIf cfg.server.share.enable { owner = "zipline"; group = "zipline"; diff --git a/utils.nix b/utils.nix index 672e982..fdb6c8b 100644 --- a/utils.nix +++ b/utils.nix @@ -8,6 +8,7 @@ ./modules/nixos inputs.home-manager.nixosModules.default inputs.stylix.nixosModules.stylix + inputs.impermanence.nixosModules.impermanence ]; }; } From 9f197645c4e247e3657ecaba908efc910803eebc Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 21:59:41 +0000 Subject: [PATCH 14/21] Fix persist copy --- README.md | 8 +++----- modules/nixos/impermanence.nix | 9 ++------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 80effd8..7b29df3 100644 --- a/README.md +++ b/README.md 
@@ -15,11 +15,9 @@ sudo mkdir -p /mnt/var/lib/sops-nix sudo chown muon:users /mnt/var/lib/sops-nix -R rbw get sops > /mnt/var/lib/sops-nix/key.txt sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) -sudo mkdir -p /mnt/persist/{etc,var/lib/systemd} -sudo cp -r {/mnt,/mnt/persist}/etc/nixos -sudo cp -r {/mnt,/mnt/persist}/var/lib/nixos -sudo cp -r {/mnt,/mnt/persist}/var/lib/sops-nix -sudo cp -r {/mnt,/mnt/persist}/var/lib/systemd/coredump +sudo mkdir -p /mnt/persist/var/lib/sops-nix +sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/ +sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt sudo cp {/mnt,/mnt/persist}/etc/machine-id ``` diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 72e62bc..8ce89a0 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -4,13 +4,8 @@ with lib; { config = mkIf config.mods.impermanence.enable { environment.persistence."/persist" = { - directories = [ - "/var/lib/nixos" - "/var/lib/systemd/coredump" - "/var/lib/sops-nix" - "/etc/nixos" - ]; - files = [ "/etc/machine-id" ]; + directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ]; + files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ]; }; boot.initrd.postResumeCommands = lib.mkAfter '' From bc97a4ab04fc116485430a382b4d14ee6c67267b Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 22:18:40 +0000 Subject: [PATCH 15/21] Fix sops persist --- README.md | 3 +++ modules/nixos/impermanence.nix | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b29df3..223815f 100644 --- a/README.md +++ b/README.md 
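Review bot: Moving `/var/lib/sops-nix/key.txt` from `directories` to `files` in the modules/nixos/impermanence.nix hunk changes when it becomes visible: directory entries become `fileSystems` bind mounts that are in place before activation, whereas file entries are, as far as I recall, bind-mounted by an activation script, and `secrets.muon-password.neededForUsers = true` (modules/nixos/sops/default.nix) is decrypted early in activation before users are created. Whether the key is present at that point depends on the relative order of those activation steps, which is not visible here; if first boot ends with an undecryptable user password, keep `"/var/lib/sops-nix"` in `directories` or point `sops.age.sshKeyPaths` at the persisted host key instead. The `environment.persistence` attrset closes within the hunk.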
@@ -14,9 +14,12 @@ rbw login sudo mkdir -p /mnt/var/lib/sops-nix sudo chown muon:users /mnt/var/lib/sops-nix -R rbw get sops > /mnt/var/lib/sops-nix/key.txt +nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /etc/ssh/ssh_host_ed25519_key.pub +nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /etc/ssh/ssh_host_ed25519_key sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) sudo mkdir -p /mnt/persist/var/lib/sops-nix sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/ +sudo cp -r /mnt/var/etc/ssh/* /mnt/persist/etc/ssh/ sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt sudo cp {/mnt,/mnt/persist}/etc/machine-id ``` diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 8ce89a0..069db06 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -4,7 +4,7 @@ with lib; { config = mkIf config.mods.impermanence.enable { environment.persistence."/persist" = { - directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ]; + directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/ssh" ]; files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ]; }; From dcd9a47a3e852b507977ee3b818b8c497ca7488b Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 22:20:13 +0000 Subject: [PATCH 16/21] Fix ssh path --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 223815f..e3e4fd2 100644 --- a/README.md +++ b/README.md 
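Review bot: Adding `"/etc/ssh"` to `directories` persists the whole directory, which on NixOS also receives the generated `sshd_config`/`ssh_config` symlinks from activation, so `/persist/etc/ssh` ends up holding store symlinks next to the private host key and the persisted surface is larger than needed. Persist only the key material, `files = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" "/var/lib/sops-nix/key.txt" "/etc/machine-id" ];`, which is the minimum sshd and sops-nix need. The later README change in this series that narrows the copy to `ssh_host*` points the same way.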
@@ -14,12 +14,12 @@ rbw login sudo mkdir -p /mnt/var/lib/sops-nix sudo chown muon:users /mnt/var/lib/sops-nix -R rbw get sops > /mnt/var/lib/sops-nix/key.txt -nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /etc/ssh/ssh_host_ed25519_key.pub -nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /etc/ssh/ssh_host_ed25519_key +nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /mnt/etc/ssh/ssh_host_ed25519_key.pub +nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /mnt/etc/ssh/ssh_host_ed25519_key sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname) sudo mkdir -p /mnt/persist/var/lib/sops-nix sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/ -sudo cp -r /mnt/var/etc/ssh/* /mnt/persist/etc/ssh/ +sudo cp -r /mnt/etc/ssh/* /mnt/persist/etc/ssh/ sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt sudo cp {/mnt,/mnt/persist}/etc/machine-id ``` From a1e4f2b6e1dd7797f4af28eeede27d917ee32d25 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 31 Jul 2025 22:30:38 +0000 Subject: [PATCH 17/21] Add ssh mkdir --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e3e4fd2..ce2ef31 100644 --- a/README.md +++ b/README.md 
@@ -11,11 +11,12 @@ cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configur
 rbw config set email admin@muon.host
 rbw config set base_url https://vault.muon.host
 rbw login
+sudo mkdir -p /mnt/etc/ssh
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /mnt/etc/ssh/ssh_host_ed25519_key.pub
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /mnt/etc/ssh/ssh_host_ed25519_key
 sudo mkdir -p /mnt/var/lib/sops-nix
 sudo chown muon:users /mnt/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /mnt/etc/ssh/ssh_host_ed25519_key.pub
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /mnt/etc/ssh/ssh_host_ed25519_key
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
 sudo mkdir -p /mnt/persist/var/lib/sops-nix
 sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
From 3086f83fc95ae1abe8759c3cfebe7aa5794c801b Mon Sep 17 00:00:00 2001
From: muon
Date: Thu, 31 Jul 2025 22:35:06 +0000
Subject: [PATCH 18/21] Add ssh write priviledge

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index ce2ef31..2f01848 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,8 @@ rbw config set email admin@muon.host
 rbw config set base_url https://vault.muon.host
 rbw login
 sudo mkdir -p /mnt/etc/ssh
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" > /mnt/etc/ssh/ssh_host_ed25519_key.pub
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" > /mnt/etc/ssh/ssh_host_ed25519_key
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key
 sudo mkdir -p /mnt/var/lib/sops-nix
 sudo chown muon:users /mnt/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
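Review bot: `| sudo tee /mnt/etc/ssh/ssh_host_ed25519_key` in the PATCH 18 hunk copies the private key to stdout as well as to the file, so the secret is echoed to the terminal and ends up in scrollback or any session recording; the PATCH 19 hunk keeps this behaviour when it moves the pipe inside the `--run` string. Silence tee's stdout, `... | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key > /dev/null`, and do the same on the `.pub` line for consistency. tee also creates the file root-owned but under the default umask, so a `sudo chmod 600` on the private key is still needed afterwards.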
From 800e05c7447884fbaf0c776bc3f8d7a606cf14dc Mon Sep 17 00:00:00 2001
From: muon
Date: Thu, 31 Jul 2025 22:37:50 +0000
Subject: [PATCH 19/21] Fix quotes

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 2f01848..9b55fb0 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,8 @@ rbw config set email admin@muon.host
 rbw config set base_url https://vault.muon.host
 rbw login
 sudo mkdir -p /mnt/etc/ssh
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password'" | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes'" | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub"
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key"
 sudo mkdir -p /mnt/var/lib/sops-nix
 sudo chown muon:users /mnt/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
From 33743a121cee33ca06927d9dcc3f8ca0bde68ffe Mon Sep 17 00:00:00 2001
From: muon
Date: Thu, 31 Jul 2025 23:01:17 +0000
Subject: [PATCH 20/21] Add persist key

---
 README.md | 2 +-
 modules/home/sops/default.nix | 2 +-
 modules/nixos/sops/default.nix | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9b55fb0..4592cd3 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ rbw get sops > /mnt/var/lib/sops-nix/key.txt
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
 sudo mkdir -p /mnt/persist/var/lib/sops-nix
 sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
-sudo cp -r /mnt/etc/ssh/* /mnt/persist/etc/ssh/
+sudo cp -r /mnt/etc/ssh/ssh_host* /mnt/persist/etc/ssh/
 sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo cp {/mnt,/mnt/persist}/etc/machine-id
 ```
diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix
index 1bb97a5..87bd88b 100644
--- a/modules/home/sops/default.nix
+++ b/modules/home/sops/default.nix
@@ -3,7 +3,7 @@ let cfg = config.mods;
 in with lib; {
 imports = [ inputs.sops-nix.homeManagerModules.sops ];
 sops = {
- age.keyFile = "/var/lib/sops-nix/key.txt";
+ age.keyFile = "/persist/var/lib/sops-nix/key.txt";
 defaultSopsFile = ./secrets.yaml;
 secrets.zipline-auth = { };
 };
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
index c38c876..e021207 100644
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@@ -3,7 +3,7 @@ let cfg = config.mods;
 in with lib; {
 imports = [ inputs.sops-nix.nixosModules.sops ];
 sops = {
- age.keyFile = "/var/lib/sops-nix/key.txt";
+ age.keyFile = "/persist/var/lib/sops-nix/key.txt";
 defaultSopsFile = ./secrets.yaml;
 secrets.muon-password.neededForUsers = true;
 secrets.zipline-secret = mkIf cfg.server.share.enable {
From 0245d1a8a6d6d019db3894c7e2ed28df71d76a7c Mon Sep 17 00:00:00 2001
From: muon
Date: Thu, 31 Jul 2025 23:18:40 +0000
Subject: [PATCH 21/21] Add persist key before install

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 4592cd3..87e7768 100644
--- a/README.md
+++ b/README.md
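Review bot: The home-manager module now reads the same age key file, `/persist/var/lib/sops-nix/key.txt`, that the system-level sops module uses, so the one key that can decrypt root-level secrets (including `muon-password`) must also be readable by the interactive user; that is presumably why the README chowns the directory to `muon:users`. A cleaner split is a second age key for the user's secrets (add it as a recipient in `.sops.yaml` and re-encrypt `secrets.yaml`), kept under the user's own home with owner-only permissions, so a compromise of the user session does not hand over the system key. If the shared key is intentional, a comment next to `age.keyFile` such as `# shared with the NixOS sops module; file must stay readable by this user only` would make the requirement explicit.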
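Review bot: Moving `age.keyFile` to `/persist/var/lib/sops-nix/key.txt` makes the `muon-password` secret, which has `neededForUsers = true` and is decrypted in an early activation step before users are created, depend on `/persist` already being mounted at that point. If `/persist` is not declared with `fileSystems."/persist".neededForBoot = true` in the host configuration (not visible here), that step can run before the key is reachable and user setup fails; the earlier `files = [ "/var/lib/sops-nix/key.txt" ... ]` bind mount had the same dependency, so this may already be handled. Either way, a comment on the new line, `# key is on /persist, which must be neededForBoot for neededForUsers secrets`, would save the next reader a boot failure.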
@@ -14,14 +14,14 @@ rbw login
 sudo mkdir -p /mnt/etc/ssh
 nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub"
 nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key"
-sudo mkdir -p /mnt/var/lib/sops-nix
+sudo mkdir -p /mnt{,/persist}/var/lib/sops-nix
 sudo chown muon:users /mnt/var/lib/sops-nix -R
+sudo chown muon:users /mnt/persist/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
+sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
-sudo mkdir -p /mnt/persist/var/lib/sops-nix
 sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
 sudo cp -r /mnt/etc/ssh/ssh_host* /mnt/persist/etc/ssh/
-sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo cp {/mnt,/mnt/persist}/etc/machine-id
 ```
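Review bot: The age key is still written by `rbw get sops > /mnt/var/lib/sops-nix/key.txt` under the default umask, so it is created mode 0644, and the new `sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt` produces a root-owned copy with that same world-readable mode; the `chown muon:users` on the directories does not change the file mode, so every local account can read the key that decrypts the system secrets. Restrict the file before copying and preserve ownership and mode on the copy, `chmod 600 /mnt/var/lib/sops-nix/key.txt` followed by `sudo cp -p {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt`; the system-level sops module runs activation as root and can still read a user-owned 0600 file, while the home-manager module keeps access through the owner. The `chown ... -R` lines could then be dropped in favour of owning just the key file.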