diff --git a/flake.lock b/flake.lock
index faa81e0..91bce37 100644
--- a/flake.lock
+++ b/flake.lock
@@ -129,6 +129,27 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746728054,
+ "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "ff442f5d1425feb86344c028298548024f21256d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "latest",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "firefox-gnome-theme": {
 "flake": false,
 "locked": {
@@ -304,26 +325,6 @@
 "type": "github"
 }
 },
- "glide-browser": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1767296470,
- "narHash": "sha256-4VpU9zSO4mHV4kaqhs6Wkt7UdNwbb/6PdKWgyRkpw64=",
- "owner": "glide-browser",
- "repo": "glide.nix",
- "rev": "2778e385e37330c9effd6c66252d940e7ec8ac95",
- "type": "github"
- },
- "original": {
- "owner": "glide-browser",
- "repo": "glide.nix",
- "type": "github"
- }
- },
 "gnome-shell": {
 "flake": false,
 "locked": {
@@ -617,7 +618,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
- "glide-browser": "glide-browser",
+ "disko": "disko",
 "home-manager": "home-manager_2",
 "impermanence": "impermanence",
 "nix-zulip": "nix-zulip",
diff --git a/flake.nix b/flake.nix
index 918cd6e..ec6c255 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,8 +4,8 @@
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- glide-browser = {
- url = "github:glide-browser/glide.nix";
+ disko = {
+ url = "github:nix-community/disko/latest";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 home-manager = {
@@ -45,7 +45,7 @@
 };
 outputs = {
 agenix,
- glide-browser,
+ disko,
 home-manager,
 impermanence,
 nixos-mailserver,
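Review bot: The new input at `url = "github:nix-community/disko/latest";` follows a ref named `latest`, which upstream moves forward over time rather than a fixed release tag or a branch; as far as I recall this is the form disko's own README suggests, but it is still a moving target. The lock file pins rev `ff442f5d1425feb86344c028298548024f21256d`, so today's build is reproducible, yet every `nix flake update` will jump to wherever that tag points without anyone reviewing what changed in a tool that partitions disks. If that is intended, a comment on the `url` line such as `# 'latest' is a moving tag upstream; read the lock diff when updating` makes it deliberate; otherwise pin a fixed tag or follow the default branch as the other inputs do. The `inputs` attribute set starts and continues outside this hunk.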
@@ -70,8 +70,9 @@
 ./users.nix
 ./secrets.nix
 ./modules/nixos/common.nix
- impermanence.nixosModules.impermanence
 agenix.nixosModules.default
+ disko.nixosModules.disko
+ impermanence.nixosModules.impermanence
 nixos-mailserver.nixosModule
 noshell.nixosModules.default
 phoenix.nixosModules.default
@@ -79,7 +80,6 @@
 {
 nixpkgs.overlays = [
 agenix.overlays.default
- glide-browser.overlays.default
 nur.overlays.default
 nix-zulip'.overlays.default
 ];
diff --git a/machines.nix b/machines.nix
index 9825bce..ade302f 100644
--- a/machines.nix
+++ b/machines.nix
@@ -6,6 +6,7 @@
 modules = [
 # impermanence
 ./modules/nixos/impermanence.nix
+ ./modules/nixos/impermanence-ssh.nix
 # hardware configuration
 # includes `system.stateVersion`
@@ -39,6 +40,7 @@
 # hardware configuration
 # verbatim as `nixos-generate-config` AND `system.stateVersion`
 ./modules/nixos/machines/109-199-104-83.nix
+ ./modules/nixos/disko/remote.nix
 # boot process
 # grub boot on /dev/sda
@@ -51,9 +53,12 @@
 # ssh through port 5522 among other things
 # andromeda@lenovo is the only user allowed access
- ./modules/nixos/networking/hard-ssh.nix
- ./modules/nixos/networking/ssh-as-root.nix
- ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
+ # ./modules/nixos/networking/hard-ssh.nix
+ #./modules/nixos/networking/ssh-as-root.nix
+ ({config, ...}: {
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
+ })
 # TODO add Impermanence to the following services
@@ -70,8 +75,6 @@
 # zulip chat server
 # zulip.domain
 # ./modules/nixos/zulip.nix
- {
- }
 ];
 };
 }
diff --git a/modules/nixos/boot/109-199-104-83.nix b/modules/nixos/boot/109-199-104-83.nix
index d54de8e..71f8d54 100644
--- a/modules/nixos/boot/109-199-104-83.nix
+++ b/modules/nixos/boot/109-199-104-83.nix
@@ -1,6 +1,5 @@
 {
 boot.loader.grub = {
- devices = ["/dev/sda"];
 efiSupport = true;
 efiInstallAsRemovable = true;
 };
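Review bot: The inline module that replaces the two hardening imports in the `@@ -51,9 +53,12 @@` hunk of machines.nix only sets `services.openssh.enable = true;`, so this host now runs sshd with NixOS defaults — port 22, password authentication enabled — while the comments directly above it (`# ssh through port 5522 among other things`, `# andromeda@lenovo is the only user allowed access`) still describe the modules that are now commented out. The authorized-key line shows key-only root access is still the intent, so either carry that policy into the inline module, `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;` and `services.openssh.ports = [5522];`, or, if the relaxed setup is only for the initial disko provisioning, say so in the comment together with a reminder to re-import `hard-ssh.nix` afterwards. `users.mutableUsers = false` from the same commit locks the password of every account without a declared hash, which narrows the exposure but does not remove it, since any account that does declare one becomes reachable by password. The `modules` list this sits in starts and ends outside the hunk.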
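Review bot: Removing `devices = ["/dev/sda"];` from `boot.loader.grub` leaves this file with no install target, so the host now depends on the disko module imported in machines.nix to derive `boot.loader.grub.devices` from the EF02 partition declared in `remote.nix`; disko does that as far as I know, but only when both modules are part of the same configuration, and without it evaluation fails on the grub assertion that `devices` must not be empty. A comment above `efiSupport = true;` such as `# grub install device is supplied by disko (EF02 partition in modules/nixos/disko/remote.nix)` would make the coupling visible to whoever reuses this boot module.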
diff --git a/modules/nixos/common.nix b/modules/nixos/common.nix
index 94d77d4..ba476e5 100644
--- a/modules/nixos/common.nix
+++ b/modules/nixos/common.nix
@@ -20,4 +20,7 @@
 # disable lecture
 security.sudo.extraConfig = ''Defaults lecture="never"'';
+
+ # make users immutable
+ users.mutableUsers = false;
 }
diff --git a/modules/nixos/disko/remote.nix b/modules/nixos/disko/remote.nix
new file mode 100644
index 0000000..0b2e726
--- /dev/null
+++ b/modules/nixos/disko/remote.nix
@@ -0,0 +1,64 @@
+{
+ disko.devices = {
+ disk = {
+ disk1 = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ # legacy boot
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+
+ # efi boot
+ esp = {
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+
+ # btrfs
+ # root is on nodev
+ root = {
+ size = "100%";
+ content = {
+ extraArgs = ["-f"]; # internet told me to, works
+ type = "btrfs";
+ subvolumes = {
+ # nix store
+ "/nix" = {
+ mountpoint = "/nix";
+ };
+
+ # persistant directory
+ "/persist" = {
+ mountpoint = "/persist";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ nodev = {
+ # root
+ "/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "defaults"
+ "mode=755" # stops security complaints
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nixos/impermanence-ssh.nix b/modules/nixos/impermanence-ssh.nix
new file mode 100644
index 0000000..00dc294
--- /dev/null
+++ b/modules/nixos/impermanence-ssh.nix
@@ -0,0 +1,4 @@
+{
+ # ONLY include this module AFTER a machine has been provisioned
+ environment.persistence."/persist".directories = ["/etc/ssh"];
+}
diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix
index 91e0dd7..7f0062b 100644
--- a/modules/nixos/impermanence.nix
+++ b/modules/nixos/impermanence.nix
@@ -7,7 +7,6 @@
 "/var/log"
 "/var/lib/nixos"
 "/var/lib/systemd/coredump"
- "/etc/ssh"
 ];
 files = [
 "/etc/machine-id"
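Review bot: `users.mutableUsers = false;` is a sound hardening step, but `# make users immutable` does not tell the next reader what it implies: a password changed with `passwd` is reverted on every rebuild, and any account without a declared `hashedPassword` or `hashedPasswordFile` ends up with a locked password. Suggest replacing the comment with `# declarative accounts only: passwd changes are reverted on rebuild; declare hashedPasswordFile for every account that needs a password`. If those hash files are read from a path that impermanence has to persist, that dependency belongs in the same comment.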
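Review bot: `extraArgs = ["-f"]; # internet told me to, works` should explain the flag: `-f` makes mkfs.btrfs overwrite an existing filesystem signature, so applying this layout re-formats the root partition of `/dev/sda` with no further prompt, which is worth stating next to `device = "/dev/sda";` for whoever later runs disko against the live host. `"mode=755" # stops security complaints` likewise should say what it prevents — tmpfs defaults to mode 1777, and several services refuse a world-writable `/` — e.g. `"mode=755" # tmpfs defaults to 1777; a world-writable / fails permission checks`. The ESP carries no `mountOptions`, whereas the `fileSystems."/boot"` entry removed from `modules/nixos/machines/109-199-104-83.nix` mounted it with `fmask=0022` and `dmask=0022`; if those masks were deliberate, add them to the `esp` block so the disko layout does not silently relax them. Spelling: `persistant` → `persistent`.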
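Review bot: With `"/etc/ssh"` removed from `impermanence.nix`, a host that imports it without also importing `impermanence-ssh.nix` regenerates its SSH host keys on every boot, because `/` is tmpfs; in the visible machines.nix hunks the new module is added only to the first host, not to the 109-199-104-83 host that receives the disko layout, though that host's list may be extended elsewhere. Beyond the known_hosts mismatches that train people to accept a changed host key, agenix uses the host keys as its default decryption identities, so secrets for such a host would stop decrypting after the first reboot. The `# ONLY include this module AFTER a machine has been provisioned` comment should say why the ordering matters (presumably `/persist/etc/ssh` does not exist until disko has created the subvolume — confirm) and name the hosts that are expected to import it, e.g. `# needs /persist to exist (created by disko); import for every impermanence host after first provisioning, otherwise host keys change on each boot`.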
diff --git a/modules/nixos/machines/109-199-104-83.nix b/modules/nixos/machines/109-199-104-83.nix
index 85399e9..998001c 100644
--- a/modules/nixos/machines/109-199-104-83.nix
+++ b/modules/nixos/machines/109-199-104-83.nix
@@ -17,30 +17,6 @@
 boot.kernelModules = [];
 boot.extraModulePackages = [];
- fileSystems."/" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["defaults" "mode=755"];
- };
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/3457e181-b01d-4712-809d-c8b65e863992";
- fsType = "btrfs";
- options = ["subvol=nix"];
- };
-
- fileSystems."/persist" = {
- device = "/dev/disk/by-uuid/3457e181-b01d-4712-809d-c8b65e863992";
- fsType = "btrfs";
- options = ["subvol=persist"];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/05FB-0941";
- fsType = "vfat";
- options = ["fmask=0022" "dmask=0022"];
- };
-
 swapDevices = [];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/users/andromeda/home.nix b/users/andromeda/home.nix
index 5960690..6be79be 100644
--- a/users/andromeda/home.nix
+++ b/users/andromeda/home.nix
@@ -35,7 +35,6 @@ in {
 pkgs.dust
 pkgs.fluffychat
 pkgs.fzf
- pkgs.glide-browser
 pkgs.glow
 pkgs.grim
 pkgs.jmtpfs