From 67c62534e897889da206051c5e4e298db0640aaf Mon Sep 17 00:00:00 2001 From: ryan4yin Date: Sat, 2 Dec 2023 17:56:03 +0800 Subject: [PATCH] feat: impermanence --- flake.lock | 40 ++++-- flake.nix | 14 +- hosts/idols/ai/default.nix | 25 +--- hosts/idols/ai/hardware-configuration.nix | 148 +++++++++++----------- hosts/idols/ai/impermanence.nix | 93 ++++++++++++++ modules/nixos/user-group.nix | 12 +- 6 files changed, 214 insertions(+), 118 deletions(-) create mode 100644 hosts/idols/ai/impermanence.nix diff --git a/flake.lock b/flake.lock index 74e54fd2..32d2d762 100644 --- a/flake.lock +++ b/flake.lock @@ -329,16 +329,16 @@ ] }, "locked": { - "lastModified": 1701040754, - "narHash": "sha256-rHld3E3CeVI/GUxH3xE+mqAo+IX2hTbXVfXKahCrG5I=", + "lastModified": 1700814205, + "narHash": "sha256-lWqDPKHRbQfi+zNIivf031BUeyciVOtwCwTjyrhDB5g=", "owner": "nix-community", "repo": "home-manager", - "rev": "7c97c46dc4f45f2a78df536a6ebe15252831b800", + "rev": "aeb2232d7a32530d3448318790534d196bf9427a", "type": "github" }, "original": { "owner": "nix-community", - "ref": "master", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -391,6 +391,21 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1697303681, + "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "lib-aggregate": { "inputs": { "flake-utils": "flake-utils", 
@@ -599,16 +614,16 @@ }, "nixpkgs-darwin": { "locked": { - "lastModified": 1700977043, - "narHash": "sha256-tX4d36Bq75NBjnYGaCO9b403VDpdFa99NtdUPQ4EALk=", + "lastModified": 1701386440, + "narHash": "sha256-xI0uQ9E7JbmEy/v8kR9ZQan6389rHug+zOtZeZFiDJk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "abbe047fb8a5a7074b6de24cced0dbdb27ea0ea8", + "rev": "293822e55ec1872f715a66d0eda9e592dc14419f", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-unstable", + "ref": "nixpkgs-23.11-darwin", "repo": "nixpkgs", "type": "github" } @@ -715,16 +730,16 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1700794826, - "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", + "lastModified": 1701389149, + "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", + "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -828,6 +843,7 @@ "cattppuccin-k9s": "cattppuccin-k9s", "home-manager": "home-manager_2", "hyprland": "hyprland", + "impermanence": "impermanence", "mysecrets": "mysecrets", "nix-darwin": "nix-darwin", "nixos-generators": "nixos-generators", diff --git a/flake.nix b/flake.nix index c9e4d8dd..be15eddf 100644 --- a/flake.nix +++ b/flake.nix 
@@ -277,13 +277,12 @@ # which represents the GitHub repository URL + branch/commit-id/tag. # Official NixOS package source, using nixos's stable branch by default - # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # for macos - nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable"; - # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin"; + nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin"; nix-darwin = { url = "github:lnl7/nix-darwin"; inputs.nixpkgs.follows = "nixpkgs-darwin"; @@ -291,14 +290,17 @@ # home-manager, used for managing user configuration home-manager = { - # url = "github:nix-community/home-manager/release-23.11"; - url = "github:nix-community/home-manager/master"; + url = "github:nix-community/home-manager/release-23.11"; + # url = "github:nix-community/home-manager/master"; + # The `follows` keyword in inputs is used for inheritance. # Here, `inputs.nixpkgs` of home-manager is kept consistent with the `inputs.nixpkgs` of the current flake, # to avoid problems caused by different versions of nixpkgs dependencies. inputs.nixpkgs.follows = "nixpkgs"; }; + impermanence.url = "github:nix-community/impermanence"; + # modern window compositor hyprland.url = "github:hyprwm/Hyprland/v0.32.3"; # community wayland nixpkgs diff --git a/hosts/idols/ai/default.nix b/hosts/idols/ai/default.nix index 2cc6901a..bf55223b 100644 --- a/hosts/idols/ai/default.nix +++ b/hosts/idols/ai/default.nix @@ -1,4 +1,4 @@ -{config, ...} @ args: +{ pkgs, ...} @ args: ############################################################# # # Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use. 
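Review bot: The new `impermanence.url = "github:nix-community/impermanence";` line in the second flake.nix hunk is the only input in view that carries neither a branch/tag ref (as `hyprland.url = "github:hyprwm/Hyprland/v0.32.3"` does) nor an explanatory comment, while most neighbouring inputs have a one-line purpose comment above them. The flake.lock hunk earlier in this patch pins it to a fixed revision, so the build stays reproducible, but a comment such as `# bind-mount selected paths from /persistent over the tmpfs root on every boot` would tell a reader what the input is for and why it tracks the default branch. The `# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` and `# url = "github:nix-community/home-manager/master";` lines kept next to the active ones are dead toggles now that `nixpkgs-unstable` is its own input; consider dropping them rather than swapping which copy is commented.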
@@ -10,7 +10,9 @@ # Include the results of the hardware scan. ./hardware-configuration.nix - ../../../modules/nixos/fhs-fonts.nix + ./impermanence.nix + + # ../../../modules/nixos/fhs-fonts.nix ../../../modules/nixos/libvirt.nix ../../../modules/nixos/core-desktop.nix ../../../modules/nixos/remote-building.nix @@ -21,23 +23,6 @@ nixpkgs.overlays = import ../../../overlays args; - # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. - boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems - boot.supportedFilesystems = [ - "ext4" - "btrfs" - "xfs" - #"zfs" - "ntfs" - "fat" - "vfat" - "exfat" - "cifs" # mount windows share - ]; - - boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ]; - networking = { hostName = "ai"; wireless.enable = false; # Enables wireless support via wpa_supplicant. @@ -65,7 +50,7 @@ ]; }; - virtualisation.docker.storageDriver = "btrfs"; + # virtualisation.docker.storageDriver = "btrfs"; # for Nvidia GPU services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default diff --git a/hosts/idols/ai/hardware-configuration.nix b/hosts/idols/ai/hardware-configuration.nix index b65cc47d..1576904a 100644 --- a/hosts/idols/ai/hardware-configuration.nix +++ b/hosts/idols/ai/hardware-configuration.nix 
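Review bot: The new `./impermanence.nix` import in the first default.nix hunk pulls in a module whose argument set is `{impermanence, pkgs, ...}` (the new file later in this patch), so `impermanence` has to reach the NixOS module arguments via specialArgs or an equivalent wrapper; no hunk in this patch adds that wiring, so presumably it already exists in the part of flake.nix not shown — worth confirming before merging. Relatedly, the signature change to `{ pkgs, ...} @ args:` drops `config` and adds `pkgs`, but no visible hunk of default.nix uses `pkgs`, and the `{ pkgs,` spacing differs from the `{impermanence, pkgs, ...}` style used in the new file. The two lines that are now commented out rather than removed (`# ../../../modules/nixos/fhs-fonts.nix` and `# virtualisation.docker.storageDriver = "btrfs";`) carry no reason; a short trailing comment stating why each is disabled under the tmpfs-root setup would save the next reader a dig through impermanence.nix.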
@@ -1,32 +1,42 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; # Use the EFI boot loader. boot.loader.efi.canTouchEfiVariables = true; # depending on how you configured your disk mounts, change this to /boot or /boot/efi. - boot.loader.efi.efiSysMountPoint = "/boot/efi"; - boot.loader.grub = { - enable = true; - device = "nodev"; - efiSupport = true; - useOSProber = true; # automatically add other OSs into grub menu - # if you use an encrypted /boot partition, you should enable this option. - # grub 2.12-rc1 support only luks1 and luks2+pbkdf2, - # so the /boot partition can only use those two luks encrypt format. - enableCryptodisk = true; - }; + boot.loader.efi.efiSysMountPoint = "/boot"; + boot.loader.systemd-boot.enable = true; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ]; + boot.extraModulePackages = []; + + # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. 
+ boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; + # supported fil systems, so we can mount any removable disks with these filesystems + boot.supportedFilesystems = [ + "ext4" + "btrfs" + "xfs" + "ntfs" + "fat" + "vfat" + "cifs" # mount windows share + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; boot.initrd = { # unlocked luks devices via a keyfile or prompt a passphrase. 
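Review bot: Moving `boot.supportedFilesystems` into hardware-configuration.nix silently drops `"exfat"` — the list removed from default.nix (`@@ -21,23 +23,6 @@`) was `"ext4" "btrfs" "xfs" "ntfs" "fat" "vfat" "exfat" "cifs"`, the new one ends `"vfat" "cifs"` — so exFAT removable media will no longer mount unless the drop is intended, in which case a comment saying so would stop it being re-added later. The file now also carries hand-written settings (binfmt, `boot.kernelParams`, and the tmpfs root in the next hunk) while its header still says `# Do not modify this file! It was generated by ‘nixos-generate-config’`; that header should be rewritten or removed so nobody regenerates the file over these edits. The `# supported fil systems` typo could become `# supported file systems` as part of the move.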
@@ -40,74 +50,60 @@ # it's less secure, but faster. allowDiscards = true; }; - - luks.devices."crypted-boot" = { - device = "/dev/nvme0n1p3"; - #keyFile = "/boot-part.key"; - - # boot partition do not require fast speed, so we disable it. - allowDiscards = false; - }; - - # secrets to append to the initrd. - # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition! - secrets = { - # Format: - # file-path inside initrd = the source path it should be copied from. - # "/boot-part.key" = "/etc/secrets/initrd/boot-part.key"; - }; }; + # equal to `mount -t tmpfs tmpfs /` + fileSystems."/" = { + device = "tmpfs"; + fsType = "tmpfs"; + # set mode to 755, otherwise systemd will set it to 777, which cause problems. + options = ["relatime" "mode=755"]; + }; - fileSystems."/" = - { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c"; - fsType = "btrfs"; - options = [ "subvol=@root" "compress-force=zstd:1" ]; - }; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd"; + fsType = "btrfs"; + options = ["subvol=@nix" "noatime" "compress-force=zstd:1"]; + }; - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c"; - fsType = "btrfs"; - options = [ "subvol=@nix" "noatime" "compress-force=zstd:1" ]; - }; + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd"; + fsType = "btrfs"; + options = ["subvol=@persistent" "compress-force=zstd:1"]; + neededForBoot = true; + }; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c"; - fsType = "btrfs"; - options = [ "subvol=@home" "compress-force=zstd:1" ]; - }; + fileSystems."/snapshots" = { + device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd"; + fsType = "btrfs"; + options = ["subvol=@snapshots" "compress-force=zstd:1"]; + }; # mount swap subvolume in readonly mode. 
- fileSystems."/swap" = - { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c"; - fsType = "btrfs"; - options = [ "subvol=@swap" "ro" ]; - }; + fileSystems."/swap" = { + device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd"; + fsType = "btrfs"; + options = ["subvol=@swap" "ro"]; + }; # remount swapfile in read-write mode - fileSystems."/swap/swapfile" = - { - # the swapfile is located in /swap subvolume, so we need to mount /swap first. - depends = [ "/swap"]; - - device = "/swap/swapfile"; - fsType = "none"; - options = [ "bind" "rw" ]; - }; + fileSystems."/swap/swapfile" = { + # the swapfile is located in /swap subvolume, so we need to mount /swap first. + depends = ["/swap"]; - fileSystems."/boot" = - { device = "/dev/mapper/crypted-boot"; - fsType = "ext4"; - }; + device = "/swap/swapfile"; + fsType = "none"; + options = ["bind" "rw"]; + }; - fileSystems."/boot/efi" = - { device = "/dev/nvme0n1p1"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/nvme0n1p1"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/swap/swapfile"; } - ]; + swapDevices = [ + {device = "/swap/swapfile";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/idols/ai/impermanence.nix b/hosts/idols/ai/impermanence.nix new file mode 100644 index 00000000..60e9b973 --- /dev/null +++ b/hosts/idols/ai/impermanence.nix 
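Review bot: Removing `luks.devices."crypted-boot"` and the initrd `secrets` block, together with the new `fileSystems."/boot" = { device = "/dev/nvme0n1p1"; fsType = "vfat"; }`, places the kernel and initrd on an unencrypted ESP while the LUKS root device (the `allowDiscards = true;` context at the top of the hunk) stays encrypted. With `boot.loader.systemd-boot.enable = true;` in the previous hunk and no Secure Boot setup in this patch, the initrd that prompts for the LUKS passphrase is no longer covered by the `enableCryptodisk` protection the old GRUB config had, so the integrity of the boot chain now rests on physical control of the disk; a comment on the `/boot` mount recording that trade-off (and that Secure Boot would be the way to regain it) would keep the decision visible to whoever audits this host. Separately, the tmpfs `/` is mounted with `options = ["relatime" "mode=755"];` and no `size=`, so it inherits the kernel default of half of RAM; an explicit bound such as `"size=2G"` (example value, pick one that fits the host) keeps a runaway write to / from exhausting memory.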
@@ -0,0 +1,93 @@
+{impermanence, pkgs, ...}: {
+ imports = [
+ impermanence.nixosModules.impermanence
+ ];
+
+
+ environment.systemPackages = [
+ # `sudo ncdu -x /`
+ pkgs.ncdu
+ ];
+
+ # There are two ways to clear the root filesystem on every boot:
+ ## 1. use tmpfs for /
+ ## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
+ ## 3. boot.initrd.postDeviceCommands = ''
+ ## mkdir -p /run/mymount
+ ## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
+ ## btrfs subvolume delete /run/mymount
+ ## btrfs subvolume snapshot / /run/mymount
+ ## '';
+ #
+ # See also https://grahamc.com/blog/erase-your-darlings/
+ environment.persistence."/persistent" = {
+ # sets the mount option x-gvfs-hide on all the bind mounts
+ # to hide them from the file manager
+ hideMounts = true;
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+ "/etc/nix/inputs"
+
+ # my files
+ "/etc/agenix/"
+
+ "/var/log"
+ "/var/lib"
+
+ # created by modules/nixos/fhs-fonts.nix
+ # for flatpak apps
+ # "/usr/share/fonts"
+ # "/usr/share/icons"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ users.ryan = {
+ directories = [
+ "codes"
+ "nix-config"
+ "tmp"
+
+ "Downloads"
+ "Music"
+ "Pictures"
+ "Documents"
+ "Videos"
+
+ {
+ directory = ".gnupg";
+ mode = "0700";
+ }
+ {
+ directory = ".ssh";
+ mode = "0700";
+ }
+ {
+ directory = ".aws";
+ mode = "0700";
+ }
+ {
+ directory = ".docker";
+ mode = "0700";
+ }
+ {
+ directory = ".kube";
+ mode = "0700";
+ }
+
+ ".bash_history"
+ ".cache"
+ ".config"
+ ".local"
+ ".mozilla"
+ ".npm"
+ ".wakatime"
+ ];
+ files = [
+ ".wakatime.cfg"
+ ".wakatime.bdb"
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/user-group.nix b/modules/nixos/user-group.nix
index 9cb21858..effb2c1e 100644
--- a/modules/nixos/user-group.nix
+++ b/modules/nixos/user-group.nix
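Review bot: `users.ryan = { ... }` hard-codes the account name, while `modules/nixos/user-group.nix` in the same patch derives everything from the `username` module argument (`users.users."${username}"`); taking `username` in this module's argument set and writing `users."${username}" = {` would keep the two in step if the account is ever renamed. The comment block describing the two approaches lists the btrfs snapshot commands under `## 3.` although they implement option 2, so folding the snippet under `## 2.` (or renumbering) would read correctly. Persisting `"/var/lib"` wholesale is the pragmatic choice, but it means everything under it — including state left behind by a misbehaving or compromised service — survives the reboot, so a one-line comment noting that the "erase your darlings" guarantee only covers paths outside this list would set expectations for whoever audits the host later.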
@@ -3,15 +3,19 @@ { nix.settings.trusted-users = [username]; + # Don't allow mutation of users outside the config. + users.mutableUsers = false; + users.groups = { "${username}" = {}; docker = {}; wireshark = {}; }; - # Define a user account. Don't forget to set a password with ‘passwd’. + users.users."${username}" = { - # the hashed password with salt is generated by run `mkpasswd`. - hashedPassword = "$y$j9T$YQu5vhlnogjDFDWp9QkPh0$Eu85OiwllqvLg5fzRVMLVHNO7InA3ro8grTJJIepyH1"; + # generated by `mkpasswd -m scrypt` + # we have to use initialHashedPassword here, if your'are using tmpfs for / + initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0"; home = "/home/${username}"; isNormalUser = true; description = username; @@ -28,9 +32,9 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7PTkP3ixXTZlrJNSHnXgkmHNT+QslFi9wNYXOpVwGB ryan@harmonica" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3F3AH/vKnA2vxl72h67fcxhIK8l+7F/bdE1zmtwTVU ryan@romantic" ]; }; + users.users.root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2"; # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure` security.sudo.extraRules = [
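Review bot: The comment `# we have to use initialHashedPassword here, if your'are using tmpfs for /` gives a rationale that no longer applies once `users.mutableUsers = false;` is set a few lines above: with immutable users NixOS regenerates /etc/shadow from the declared hashes on every activation, and the option documentation describes `initialHashedPassword` as equivalent to `hashedPassword` in that mode, so either keep `hashedPassword` or reword (and fix the typo in) the comment to `# with mutableUsers = false the declared hash is applied on every activation, so a tmpfs / is fine`. Both the user hash and the new `users.users.root.initialHashedPassword = ...` line commit scrypt password hashes to version control; since `/etc/agenix/` is already persisted by impermanence.nix in this patch, pointing `hashedPasswordFile` (the 23.11 name of the option; `passwordFile` on older releases) at an agenix-managed secret would keep the hashes out of the repository and out of reach of offline guessing.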