Add persist key before install

README.md

@@ -1,12 +1,28 @@
 # Installation
 
 ```sh
-git clone https://codeberg.org/muon/home && cd home
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/$(hostname)/disk-config.nix
-sudo btrfs subvolume snapshot -r /mnt /mnt/root-blank
-sudo nixos-generate-config --root /mnt
+sudo mkdir /tmp/mnt
+sudo mount /dev/mapper/crypted /tmp/mnt
+sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank
+sudo umount /tmp/mnt
+sudo nixos-generate-config --no-filesystems --root /mnt
 cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configuration.nix
+rbw config set email admin@muon.host
+rbw config set base_url https://vault.muon.host
+rbw login
+sudo mkdir -p /mnt/etc/ssh
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub"
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key"
+sudo mkdir -p /mnt{,/persist}/var/lib/sops-nix
+sudo chown muon:users /mnt/var/lib/sops-nix -R
+sudo chown muon:users /mnt/persist/var/lib/sops-nix -R
+rbw get sops > /mnt/var/lib/sops-nix/key.txt
+sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
+sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
+sudo cp -r /mnt/etc/ssh/ssh_host* /mnt/persist/etc/ssh/
+sudo cp {/mnt,/mnt/persist}/etc/machine-id
 ```
 
 # Impermanence

hosts/murk/configuration.nix

@@ -5,10 +5,16 @@ in {
   # Hardware
   imports = [
     ./hardware-configuration.nix
+    "${
+      builtins.fetchTarball {
+        url =
+          "https://github.com/nix-community/disko/archive/refs/tags/v1.12.0.tar.gz";
+        sha256 = "0wbx518d2x54yn4xh98cgm65wvj0gpy6nia6ra7ns4j63hx14fkq";
+      }
+    }/module.nix"
     ./disk-config.nix
-    inputs.impermanence.nixosModules.impermanence
-    (inputs.nixpkgs
-      + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix")
+    # (inputs.nixpkgs
+    #   + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix")
   ];
 
   environment.systemPackages = with inputs.nix-alien.packages.${system};
@@ -22,13 +28,13 @@ in {
 
   # Modules
   mods.desktop.enable = true;
-  mods.boot.enable = false;
+  mods.boot.enable = true;
 
   mods.theme.enable = true;
   mods.theme.scheme = "woodland";
   mods.theme.wallpaper = ./wallpaper.png;
 
-  mods.impermanence.enable = false;
+  mods.impermanence.enable = true;
 
   services.xserver.windowManager.i3.enable = true;
 

hosts/murk/disk-config.nix

@@ -1,9 +1,9 @@
-{ inputs }: {
-  inputs.disko.devices = {
+{
+  disko.devices = {
     disk = {
       main = {
         type = "disk";
-        device = "/dev/disk/by-diskseq/1";
+        device = "/dev/sda";
         content = {
           type = "gpt";
           partitions = {
@@ -66,4 +66,7 @@
       };
     };
   };
+
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/var/log".neededForBoot = true;
 }

hosts/murk/hardware-configuration.nix

@@ -7,13 +7,61 @@
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
-  boot.supportedFilesystems = [ "zfs" "ntfs" "btrfs" ];
 
-  networking.useDHCP = lib.mkDefault true;
+  fileSystems."/" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=root" ];
+  };
+
+  boot.initrd.luks.devices."crypted".device =
+    "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/4BD8-A887";
+    fsType = "vfat";
+    options = [ "fmask=0077" "dmask=0077" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=home" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=nix" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=persist" "compress=zstd" "noatime" ];
+    neededForBoot = true;
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=swap" ];
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=log" "compress=zstd" "noatime" ];
+    neededForBoot = true;
+  };
+
+  swapDevices = [ ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

modules/home/impermanence.nix

@@ -3,23 +3,23 @@ let
   fs-diff = with pkgs;
     writeShellApplication {
       name = "fs-diff";
-      runtimeInputs = [ flameshot curl xsel ];
       text = ''
         #!/usr/bin/env bash
         # fs-diff.sh
         set -euo pipefail
 
-        OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999)
-        OLD_TRANSID=${OLD_TRANSID}
+        sudo mkdir /btrfs_tmp
+        sudo mount -o subvol=/ /dev/mapper/crypted /btrfs_tmp
 
-        sudo mkdir /mnt
-        sudo mount -o subvol=/ /dev/mapper/crypted /mnt
-        sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" |
-        sed \'$d\' |
+        OLD_TRANSID=$(sudo btrfs subvolume find-new /btrfs_tmp/root-blank 9999999)
+        OLD_TRANSID=''${OLD_TRANSID#transid marker was }
+
+        sudo btrfs subvolume find-new "/btrfs_tmp/root" "$OLD_TRANSID" |
+        sed '$d' |
         cut -f17- -d' ' |
         sort |
         uniq |
-        while read path; do
+        while read -r path; do
           path="/$path"
           if [ -L "$path" ]; then
             : # The path is a symbolic link, so is probably handled by NixOS already
@@ -29,22 +29,22 @@ let
             echo "$path"
           fi
         done
-        sudo umount /mnt
+        sudo umount /btrfs_tmp
       '';
     };
 in with lib; {
   config = mkIf osConfig.mods.impermanence.enable {
     home.packages = [ fs-diff ];
-    home.persistence."/persistent/home/muon" = {
-      directories = [
-        "documents"
-        "downloads"
-        "src"
-        ".gnupg"
-        ".ssh"
-        ".config/sops"
-        ".local/share/direnv"
-      ];
-    };
+    # home.persistence."/persist/home/muon" = {
+    #   directories = [
+    #     "documents"
+    #     "downloads"
+    #     "src"
+    #     ".gnupg"
+    #     ".ssh"
+    #     ".config/sops"
+    #     ".local/share/direnv"
+    #   ];
+    # };
   };
 }

modules/home/sops/default.nix

@@ -3,7 +3,7 @@ let cfg = config.mods;
 in with lib; {
   imports = [ inputs.sops-nix.homeManagerModules.sops ];
   sops = {
-    age.keyFile = "/home/muon/.config/sops/age/keys.txt";
+    age.keyFile = "/persist/var/lib/sops-nix/key.txt";
     defaultSopsFile = ./secrets.yaml;
     secrets.zipline-auth = { };
   };

modules/nixos/impermanence.nix

@@ -3,14 +3,9 @@ with lib; {
   options.mods.impermanence.enable = mkEnableOption "enables impermanence";
 
   config = mkIf config.mods.impermanence.enable {
-    environment.persistence."/persistent" = {
-      directories = [
-        "/var/lib/bluetooth"
-        "/var/lib/nixos"
-        "/var/lib/systemd/coredump"
-        "/etc/NetworkManager/system-connections"
-      ];
-      files = [ "/etc/machine-id" ];
+    environment.persistence."/persist" = {
+      directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/ssh" ];
+      files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ];
     };
 
     boot.initrd.postResumeCommands = lib.mkAfter ''

modules/nixos/sops/default.nix

@@ -3,9 +3,9 @@ let cfg = config.mods;
 in with lib; {
   imports = [ inputs.sops-nix.nixosModules.sops ];
   sops = {
-    age.keyFile = "/home/muon/.config/sops/age/keys.txt";
+    age.keyFile = "/persist/var/lib/sops-nix/key.txt";
     defaultSopsFile = ./secrets.yaml;
-    secrets.muon-password = { };
+    secrets.muon-password.neededForUsers = true;
     secrets.zipline-secret = mkIf cfg.server.share.enable {
       owner = "zipline";
       group = "zipline";

utils.nix

@@ -8,6 +8,7 @@
         ./modules/nixos
         inputs.home-manager.nixosModules.default
         inputs.stylix.nixosModules.stylix
+        inputs.impermanence.nixosModules.impermanence
       ];
     };
 }