feat: impermanence

2026-04-25 02:08:29 +02:00 · 2023-12-02 17:56:03 +08:00
parent 26dc7bb149
commit 67c62534e8
6 changed files with 214 additions and 118 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -329,16 +329,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1701040754,
+        "lastModified": 1700814205,
-        "narHash": "sha256-rHld3E3CeVI/GUxH3xE+mqAo+IX2hTbXVfXKahCrG5I=",
+        "narHash": "sha256-lWqDPKHRbQfi+zNIivf031BUeyciVOtwCwTjyrhDB5g=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "7c97c46dc4f45f2a78df536a6ebe15252831b800",
+        "rev": "aeb2232d7a32530d3448318790534d196bf9427a",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "master",
+        "ref": "release-23.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -391,6 +391,21 @@
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
        "lastModified": 1697303681,
        "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
        "owner": "nix-community",
        "repo": "impermanence",
        "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "impermanence",
        "type": "github"
      }
    },
    "lib-aggregate": {
      "inputs": {
        "flake-utils": "flake-utils",
@@ -599,16 +614,16 @@
    },
    "nixpkgs-darwin": {
      "locked": {
-        "lastModified": 1700977043,
+        "lastModified": 1701386440,
-        "narHash": "sha256-tX4d36Bq75NBjnYGaCO9b403VDpdFa99NtdUPQ4EALk=",
+        "narHash": "sha256-xI0uQ9E7JbmEy/v8kR9ZQan6389rHug+zOtZeZFiDJk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "abbe047fb8a5a7074b6de24cced0dbdb27ea0ea8",
+        "rev": "293822e55ec1872f715a66d0eda9e592dc14419f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixpkgs-23.11-darwin",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -715,16 +730,16 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1700794826,
+        "lastModified": 1701389149,
-        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
+        "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
+        "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -828,6 +843,7 @@
        "cattppuccin-k9s": "cattppuccin-k9s",
        "home-manager": "home-manager_2",
        "hyprland": "hyprland",
        "impermanence": "impermanence",
        "mysecrets": "mysecrets",
        "nix-darwin": "nix-darwin",
        "nixos-generators": "nixos-generators",
--- a/flake.nix
+++ b/flake.nix
@@ -277,13 +277,12 @@
    # which represents the GitHub repository URL + branch/commit-id/tag.
    # Official NixOS package source, using nixos's stable branch by default
-    # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    # for macos
-    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin";
    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin";
    nix-darwin = {
      url = "github:lnl7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs-darwin";
@@ -291,14 +290,17 @@
    # home-manager, used for managing user configuration
    home-manager = {
-      # url = "github:nix-community/home-manager/release-23.11";
+      url = "github:nix-community/home-manager/release-23.11";
-      url = "github:nix-community/home-manager/master";
+      # url = "github:nix-community/home-manager/master";
      # The `follows` keyword in inputs is used for inheritance.
      # Here, `inputs.nixpkgs` of home-manager is kept consistent with the `inputs.nixpkgs` of the current flake,
      # to avoid problems caused by different versions of nixpkgs dependencies.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    # modern window compositor
    hyprland.url = "github:hyprwm/Hyprland/v0.32.3";
    # community wayland nixpkgs
--- a/hosts/idols/ai/default.nix
+++ b/hosts/idols/ai/default.nix
@@ -1,4 +1,4 @@
-{config, ...} @ args:
+{ pkgs, ...} @ args:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -10,7 +10,9 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
-    ../../../modules/nixos/fhs-fonts.nix
+    ./impermanence.nix
    # ../../../modules/nixos/fhs-fonts.nix
    ../../../modules/nixos/libvirt.nix
    ../../../modules/nixos/core-desktop.nix
    ../../../modules/nixos/remote-building.nix
@@ -21,23 +23,6 @@
  nixpkgs.overlays = import ../../../overlays args;
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
  # supported fil systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
    "xfs"
    #"zfs"
    "ntfs"
    "fat"
    "vfat"
    "exfat"
    "cifs" # mount windows share
  ];
  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
  networking = {
    hostName = "ai";
    wireless.enable = false; # Enables wireless support via wpa_supplicant.
@@ -65,7 +50,7 @@
    ];
  };
-  virtualisation.docker.storageDriver = "btrfs";
+  # virtualisation.docker.storageDriver = "btrfs";
  # for Nvidia GPU
  services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
--- a/hosts/idols/ai/hardware-configuration.nix
+++ b/hosts/idols/ai/hardware-configuration.nix
@@ -1,32 +1,42 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
-  imports =
+  config,
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  lib,
-    ];
+  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  # Use the EFI boot loader.
  boot.loader.efi.canTouchEfiVariables = true;
  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot.loader.efi.efiSysMountPoint = "/boot";
-  boot.loader.grub = {
+  boot.loader.systemd-boot.enable = true;
-    enable = true;
+
-    device = "nodev";
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-    efiSupport = true;
+  boot.initrd.kernelModules = [];
-    useOSProber = true; # automatically add other OSs into grub menu
+  boot.kernelModules = ["kvm-intel"];
-    # if you use an encrypted /boot partition, you should enable this option.
+  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
-    # grub 2.12-rc1 support only luks1 and luks2+pbkdf2,
+  boot.extraModulePackages = [];
-    # so the /boot partition can only use those two luks encrypt format.
+
-    enableCryptodisk = true;
+  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  };
+  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
  # supported fil systems, so we can mount any removable disks with these filesystems
  boot.supportedFilesystems = [
    "ext4"
    "btrfs"
    "xfs"
    "ntfs"
    "fat"
    "vfat"
    "cifs" # mount windows share
  ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.initrd = {
    # unlocked luks devices via a keyfile or prompt a passphrase.
@@ -40,74 +50,60 @@
      # it's less secure, but faster.
      allowDiscards = true;
    };
    luks.devices."crypted-boot" = {
      device = "/dev/nvme0n1p3";
      #keyFile = "/boot-part.key";
      # boot partition do not require fast speed, so we disable it.
      allowDiscards = false;
    };
    # secrets to append to the initrd.
    # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition!
    secrets = {
      # Format:
      #   file-path inside initrd  =  the source path it should be copied from.
      # "/boot-part.key" = "/etc/secrets/initrd/boot-part.key";
    };
  };
  # equal to `mount -t tmpfs tmpfs /`
  fileSystems."/" = {
    device = "tmpfs";
    fsType = "tmpfs";
    # set mode to 755, otherwise systemd will set it to 777, which cause problems.
    options = ["relatime" "mode=755"];
  };
-  fileSystems."/" =
+  fileSystems."/nix" = {
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=@root" "compress-force=zstd:1" ];
+    options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
-    };
+  };
-  fileSystems."/nix" =
+  fileSystems."/persistent" = {
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress-force=zstd:1" ];
+    options = ["subvol=@persistent" "compress-force=zstd:1"];
-    };
+    neededForBoot = true;
  };
-  fileSystems."/home" =
+  fileSystems."/snapshots" = {
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=@home" "compress-force=zstd:1" ];
+    options = ["subvol=@snapshots" "compress-force=zstd:1"];
-    };
+  };
  # mount swap subvolume in readonly mode.
-  fileSystems."/swap" =
+  fileSystems."/swap" = {
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = [ "subvol=@swap" "ro" ];
+    options = ["subvol=@swap" "ro"];
-    };
+  };
  # remount swapfile in read-write mode
-  fileSystems."/swap/swapfile" =
+  fileSystems."/swap/swapfile" = {
-    { 
+    # the swapfile is located in /swap subvolume, so we need to mount /swap first.
-      # the swapfile is located in /swap subvolume, so we need to mount /swap first.
+    depends = ["/swap"];
      depends = [ "/swap"];
      device = "/swap/swapfile";
      fsType = "none";
      options = [ "bind" "rw" ];
    };
-  fileSystems."/boot" =
+    device = "/swap/swapfile";
-    { device = "/dev/mapper/crypted-boot";
+    fsType = "none";
-      fsType = "ext4";
+    options = ["bind" "rw"];
-    };
+  };
-  fileSystems."/boot/efi" =
+  fileSystems."/boot" = {
-    { device = "/dev/nvme0n1p1";
+    device = "/dev/nvme0n1p1";
-      fsType = "vfat";
+    fsType = "vfat";
-    };
+  };
-  swapDevices =
+  swapDevices = [
-    [ { device = "/swap/swapfile"; }
+    {device = "/swap/swapfile";}
-    ];
+  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/idols/ai/impermanence.nix
+++ b/hosts/idols/ai/impermanence.nix
@@ -0,0 +1,93 @@
 {impermanence, pkgs, ...}: {
  imports = [
    impermanence.nixosModules.impermanence
  ];
  environment.systemPackages = [
    # `sudo ncdu -x /`
    pkgs.ncdu
  ];
  # There are two ways to clear the root filesystem on every boot:
  ##  1. use tmpfs for /
  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
  ##  3. boot.initrd.postDeviceCommands = ''
  ##       mkdir -p /run/mymount
  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
  ##       btrfs subvolume delete /run/mymount
  ##       btrfs subvolume snapshot / /run/mymount
  ##     '';
  #
  #  See also https://grahamc.com/blog/erase-your-darlings/
  environment.persistence."/persistent" = {
    # sets the mount option x-gvfs-hide on all the bind mounts
    # to hide them from the file manager
    hideMounts = true;
    directories = [
      "/etc/NetworkManager/system-connections"
      "/etc/ssh"
      "/etc/nix/inputs"
      # my files
      "/etc/agenix/"
      "/var/log"
      "/var/lib"
      # created by modules/nixos/fhs-fonts.nix
      # for flatpak apps
      # "/usr/share/fonts"
      # "/usr/share/icons"
    ];
    files = [
      "/etc/machine-id"
    ];
    users.ryan = {
      directories = [
        "codes"
        "nix-config"
        "tmp"
        "Downloads"
        "Music"
        "Pictures"
        "Documents"
        "Videos"
        {
          directory = ".gnupg";
          mode = "0700";
        }
        {
          directory = ".ssh";
          mode = "0700";
        }
        {
          directory = ".aws";
          mode = "0700";
        }
        {
          directory = ".docker";
          mode = "0700";
        }
        {
          directory = ".kube";
          mode = "0700";
        }
        ".bash_history"
        ".cache"
        ".config"
        ".local"
        ".mozilla"
        ".npm"
        ".wakatime"
      ];
      files = [
        ".wakatime.cfg"
        ".wakatime.bdb"
      ];
    };
  };
 }
--- a/modules/nixos/user-group.nix
+++ b/modules/nixos/user-group.nix
@@ -3,15 +3,19 @@
 {
  nix.settings.trusted-users = [username];
  # Don't allow mutation of users outside the config.
  users.mutableUsers = false;
  users.groups = {
    "${username}" = {};
    docker = {};
    wireshark = {};
  };
-  # Define a user account. Don't forget to set a password with ‘passwd’.
+
  users.users."${username}" = {
-    # the hashed password with salt is generated by run `mkpasswd`.
+    # generated by `mkpasswd -m scrypt`
-    hashedPassword = "$y$j9T$YQu5vhlnogjDFDWp9QkPh0$Eu85OiwllqvLg5fzRVMLVHNO7InA3ro8grTJJIepyH1";
+    # we have to use initialHashedPassword here, if your'are using tmpfs for /
    initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0";
    home = "/home/${username}";
    isNormalUser = true;
    description = username;
@@ -28,9 +32,9 @@
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7PTkP3ixXTZlrJNSHnXgkmHNT+QslFi9wNYXOpVwGB ryan@harmonica"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3F3AH/vKnA2vxl72h67fcxhIK8l+7F/bdE1zmtwTVU ryan@romantic"
    ];
  };
  users.users.root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
  # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure`
  security.sudo.extraRules = [