diff options
| author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2026-05-31 14:07:48 +0200 |
|---|---|---|
| committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2026-05-31 14:07:48 +0200 |
| commit | 074d5edcbc991e653f79738d675c8358a684bb23 (patch) | |
| tree | c305d8e863becceb2150916bf28743aa85d98e49 /modules/by-name | |
| parent | modules/legacy/gtk: Re-enable the nordic theme (diff) | |
| download | nixos-config-074d5edcbc991e653f79738d675c8358a684bb23.zip | |
modules/{disks,boot}: Prepare re-deploy of apzu
This includes a separate partition of /nix, and a tails ISO as boot
target.
Diffstat (limited to 'modules/by-name')
| -rw-r--r-- | modules/by-name/bo/boot/iso_entry/archlive_iso.nix | 86 | ||||
| -rw-r--r-- | modules/by-name/bo/boot/iso_entry/signing_key.nix | 27 | ||||
| -rw-r--r-- | modules/by-name/bo/boot/module.nix | 244 | ||||
| -rw-r--r-- | modules/by-name/bo/boot/tails_iso.nix | 78 | ||||
| -rw-r--r-- | modules/by-name/di/disks/module.nix | 90 |
5 files changed, 268 insertions, 257 deletions
diff --git a/modules/by-name/bo/boot/iso_entry/archlive_iso.nix b/modules/by-name/bo/boot/iso_entry/archlive_iso.nix deleted file mode 100644 index d0ae8457..00000000 --- a/modules/by-name/bo/boot/iso_entry/archlive_iso.nix +++ /dev/null @@ -1,86 +0,0 @@ -# nixos-config - My current NixOS configuration -# -# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de> -# SPDX-License-Identifier: GPL-3.0-or-later -# -# This file is part of my nixos-config. -# -# You should have received a copy of the License along with this program. -# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>. -{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let - signing_key = import ./signing_key.nix {inherit pkgs;}; - - checked_iso = pkgs.stdenv.mkDerivation { - pname = "archlinux-iso"; - version = "2024.05.01"; - - srcs = [ - (pkgs.fetchurl { - url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig"; - hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4="; - }) - (pkgs.fetchurl { - url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso"; - hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw="; - }) - (pkgs.fetchurl { - url = "https://archlinux.org/iso/2024.05.01/b2sums.txt"; - hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw="; - }) - ]; - - dontUnpack = true; - - nativeBuildInputs = with pkgs; [ - sequoia-sq - ]; - - buildPhase = - /* - bash - */ - '' - cp -r "${signing_key}" ./release-key.pgp - for src in $srcs; do - cp -r "$src" "$(stripHash "$src")" - done - - sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt - - # As per the directions from: https://archlinux.org/download/ - - # blake hash check - b2sum -c ./b2sums_clean.txt - - # pgp signature check - sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso - ''; - - installPhase = '' - cp archlinux-2024.05.01-x86_64.iso "$out"; - ''; - }; -in - pkgs.stdenv.mkDerivation { - name = "live_iso_boot_entry"; - - src = checked_iso; - - dontUnpack = true; - - nativeBuildInputs = with pkgs; [ - libarchive # for bsdtar - ]; - - buildPhase = '' - mkdir iso - bsdtar -xf "$src" -C iso - ''; - - installPhase = '' - install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img" - install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux" - - install -D "$src" "$out/archlinux.iso" - ''; - } diff --git a/modules/by-name/bo/boot/iso_entry/signing_key.nix b/modules/by-name/bo/boot/iso_entry/signing_key.nix deleted file mode 100644 index d9268d75..00000000 --- a/modules/by-name/bo/boot/iso_entry/signing_key.nix +++ /dev/null @@ -1,27 +0,0 @@ -# nixos-config - My current NixOS configuration -# -# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de> -# SPDX-License-Identifier: GPL-3.0-or-later -# -# This file is part of my nixos-config. -# -# You should have received a copy of the License along with this program. -# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>. -{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: -pkgs.stdenv.mkDerivation { - name = "archlinux_signing_keys"; - - outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY="; - outputHashAlgo = "sha256"; - NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - - nativeBuildInputs = with pkgs; [ - sequoia-sq - ]; - - dontUnpack = true; - - buildPhase = '' - sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out" - ''; -} diff --git a/modules/by-name/bo/boot/module.nix b/modules/by-name/bo/boot/module.nix index 4b95aedf..01c98d6e 100644 --- a/modules/by-name/bo/boot/module.nix +++ b/modules/by-name/bo/boot/module.nix @@ -12,139 +12,167 @@ lib, pkgs, modules, + modulesPath, + system, + specialArgs, ... }: let cfg = config.soispha.boot; + + tailsPrefix = "EFI/tails"; in { options.soispha.boot = { enable = lib.mkEnableOption "Bootloader configuration"; - # TODO: Add this option <2024-05-16> - # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; + enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; }; imports = [ modules.lanzaboote.nixosModules.lanzaboote ]; - config = lib.mkIf cfg.enable ( - # let - # cfg = config.boot.loader.systemd-boot; - # inherit (config.boot.loader) efi; - # - # esa = n: lib.strings.escapeShellArg n; - # - # bootMountPoint = - # if cfg.xbootldrMountPoint != null - # then cfg.xbootldrMountPoint - # else efi.efiSysMountPoint; - # - # nixosDir = "/EFI/nixos"; - # - # # FIXME: This system has two big problems: - # # 1. It does not updated files, which still have the same name - # # 2. It forgets about files, which were 'deleted' in this configuration (these just - # # stay on disk forever) <2024-05-11> - # copyExtraFiles = '' - # echo "[systemd-boot] copying files to ${bootMountPoint}" - # empty_file=$(mktemp boot_empty_file_XXX) - # - # ${lib.concatStrings (lib.mapAttrsToList (n: v: - # /* - # bash - # */ - # '' - # if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then - # install -Dp "${v}" ${esa "${bootMountPoint}/${n}"} - # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"} - # fi - # '') - # cfg.extraFiles)} - # - # ${lib.concatStrings (lib.mapAttrsToList (n: v: - # /* - # bash - # */ - # '' - # # if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then - # install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"} - # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"} - # # fi - # '') - # cfg.extraEntries)} - # ''; - # in - { - # FIXME: Reactviate this whole iso thing when a disko redeploy is done. - # (and switch to tails instead of arch) <2024-05-12> - # - # system.activationScripts = { - # copyExtraFilesForBoot = copyExtraFiles; - # }; + config = lib.mkIf cfg.enable { + # This should only be necessary for `lanzaboote`, but that is the current default in + # this module. + soispha.impermanence.directories = [ + "/var/lib/sbctl" + "/boot" + ]; + + fileSystems = { + # Emulate XBOOTLDR for lanzaboote (see: https://github.com/nix-community/lanzaboote/issues/173#issuecomment-1532386210) + "/efi/EFI/Linux" = { + device = "/boot/EFI/Linux"; + options = ["bind"]; + fsType = "btrfs"; + }; + "/efi/EFI/nixos" = { + device = "/boot/EFI/nixos"; + options = ["bind"]; + fsType = "btrfs"; + }; - # This should only be necessary for `lanzaboote`, but that is the current default in - # this module. - soispha.impermanence.directories = [ - "/var/lib/sbctl" - ]; + "/efi/${tailsPrefix}" = lib.mkIf cfg.enableIsoEntry { + device = "/boot/${tailsPrefix}"; + options = ["bind"]; + fsType = "btrfs"; + }; + }; - boot = { - initrd = { - kernelModules = ["nvme" "btrfs"]; + boot = { + initrd = { + kernelModules = ["nvme" "btrfs"]; + }; + + kernelPackages = pkgs.linuxPackages_latest; + + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + + settings = { + # Disable editing the kernel command line (which could allow someone to become root) + editor = false; + default = "@saved"; }; + }; - kernelPackages = pkgs.linuxPackages_latest; + loader = { + external = lib.mkIf cfg.enableIsoEntry { + installHook = lib.mkForce (let + lanzabooteCfg = config.boot.lanzaboote; - lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; + lanzabooteInstallHook = import "${modulesPath}/../lib/eval-config.nix" { + inherit system specialArgs; + modules = [ + modules.lanzaboote.nixosModules.lanzaboote - settings = { - # Disable editing the kernel command line (which could allow someone to become root) - editor = false; - default = "@saved"; - }; + { + # Copy the relevant config into the eval-module context. + boot = { + inherit (config.boot) kernelPackages; + + lanzaboote = { + inherit (lanzabooteCfg) enable pkiBundle; + settings = { + inherit (lanzabooteCfg.settings) editor default; + }; + }; + + loader = { + inherit (config.boot.loader) timeout efi systemd-boot; + }; + }; + systemd.package = config.systemd.package; + } + ]; + }; + + install = pkgs.writeShellScript "wrapped-install-tails-iso-marker" '' + echo "[Wrapped bootloader install] Copying tails iso..." + ${copyExtraFiles} + + echo "[Wrapped bootloader install] Running original lanzaboote install..." + ${lanzabooteInstallHook.config.boot.loader.external.installHook} + ''; + + copyExtraFiles = let + systemdCfg = config.boot.loader.systemd-boot; + nixosDir = "EFI/nixos"; + + bootMountPoint = config.boot.loader.efi.efiSysMountPoint; + install = lib.getExe' pkgs.coreutils "install"; + + inherit (lib) mapAttrsToList; + inherit (lib.strings) escapeShellArg concatStrings; + in + pkgs.writeShellScript "copy-extra-files" '' + ${concatStrings ( + mapAttrsToList (n: v: '' + ${install} -Dp "${v}" "${bootMountPoint}/"${escapeShellArg n} + ${install} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/"${escapeShellArg n} + '') + systemdCfg.extraFiles + )} + + ${concatStrings ( + mapAttrsToList (n: v: '' + ${install} -Dp "${pkgs.writeText n v}" "${bootMountPoint}/loader/entries/"${escapeShellArg n} + ${install} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/"${escapeShellArg n} + '') + systemdCfg.extraEntries + )} + ''; + in + install); }; - loader = { - systemd-boot = { - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - enable = false; + systemd-boot = lib.mkIf cfg.enableIsoEntry { + # Lanzaboote currently replaces the systemd-boot module. + enable = false; - # extraEntries = { - # "live.conf" = '' - # title Archlinux Live ISO - # linux /live/vmlinuz-linux - # initrd /live/initramfs-linux.img - # options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram - # ''; - # }; - # - # extraFiles = let - # iso = import ./archlive_iso.nix {inherit pkgs;}; - # in { - # "archlinux.iso" = "${iso}/archlinux.iso"; - # "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img"; - # "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux"; - # }; + extraEntries = { + "live.conf" = '' + title Tails Live ISO + linux /${tailsPrefix}/vmlinuz-linux + initrd /${tailsPrefix}/initramfs-linux.img + options img_dev=${config.soispha.disks.disk} img_loop=/${tailsPrefix}/tails.iso copytoram + ''; }; - grub = { - enable = false; - # theme = pkgs.nixos-grub2-theme; - splashImage = ./boot_pictures/gnu.png; - efiSupport = true; - device = "nodev"; # only for efi + extraFiles = let + iso = import ./tails_iso.nix {inherit pkgs;}; + in { + "/${tailsPrefix}/tails.iso" = "${iso}/tails.iso"; + "/${tailsPrefix}/vmlinuz-linux" = "${iso}/live/vmlinuz-linux"; + "/${tailsPrefix}/initramfs-linux.img" = "${iso}/live/initramfs-linux.img"; }; + }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/efi"; }; }; - } - ); + }; + }; } diff --git a/modules/by-name/bo/boot/tails_iso.nix b/modules/by-name/bo/boot/tails_iso.nix new file mode 100644 index 00000000..ec2b740b --- /dev/null +++ b/modules/by-name/bo/boot/tails_iso.nix @@ -0,0 +1,78 @@ +# nixos-config - My current NixOS configuration +# +# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de> +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This file is part of my nixos-config. +# +# You should have received a copy of the License along with this program. +# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>. +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let + checked_iso = pkgs.stdenv.mkDerivation (finalAttrs: { + pname = "tails-iso"; + version = "amd64-7.8"; + + srcs = [ + (pkgs.fetchurl { + url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig"; + hash = "sha256-58vDQdXQYYqeVUHzupmDPtVVpSrxtT25+gwHe2OfvkA="; + }) + (pkgs.fetchurl { + url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso"; + hash = "sha256-ewLHQ+3iI3aHgvKdBgysQ9QAudQ7AM83WP+VdYFmxt0="; + }) + (pkgs.fetchurl { + url = "https://tails.net/tails-signing.key"; + hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k="; + }) + ]; + + dontUnpack = true; + + nativeBuildInputs = [ + pkgs.sequoia-sq + ]; + + buildPhase = + /* + bash + */ + '' + for src in $srcs; do + cp --recursive "$src" "$(stripHash "$src")" + done + + sq verify \ + --signer-file=tails-signing.key \ + --signature-file=tails-${finalAttrs.version}.iso.sig \ + tails-${finalAttrs.version}.iso + ''; + + installPhase = '' + cp tails-${finalAttrs.version}.iso "$out"; + ''; + }); +in + pkgs.stdenv.mkDerivation { + name = "live_iso_boot_entry"; + + src = checked_iso; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + libarchive # for bsdtar + ]; + + buildPhase = '' + mkdir iso + bsdtar -xf "$src" -C iso + ''; + + installPhase = '' + install -D ./iso/live/initrd.img "$out/live/initramfs-linux.img" + install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux" + + install -D "$src" "$out/tails.iso" + ''; + } diff --git a/modules/by-name/di/disks/module.nix b/modules/by-name/di/disks/module.nix index 3e9d4614..542648a2 100644 --- a/modules/by-name/di/disks/module.nix +++ b/modules/by-name/di/disks/module.nix @@ -14,10 +14,9 @@ modules, ... }: let - # FIXME: The iso redeploy requires a bigger efi partition <2024-05-12> cfg = config.soispha.disks; defaultMountOptions = [ - "compress=zstd:3" # This saves disk space, at a performance cost + "compress-force=zstd:15" # This saves disk space, at a performance cost "noatime" # should have some performance upsides, and I don't use it anyways "lazytime" # make time changes in memory ]; @@ -34,15 +33,10 @@ in { ssd = lib.mkEnableOption "ssd specific improvements, like trim"; swap = { - uuid = lib.mkOption { + ram_size = lib.mkOption { type = lib.types.str; - example = lib.literalExpression "d1d20ae7-3d8a-44da-86da-677dbbb10c89"; - description = "The uuid of the swapfile"; - }; - resumeOffset = lib.mkOption { - type = lib.types.str; - example = lib.literalExpression "134324224"; - description = "The resume offset of the swapfile"; + example = lib.literalExpression "16G"; + description = "The size of the ram (translates to the swapfile size)"; }; }; }; @@ -54,6 +48,12 @@ in { config = lib.mkIf cfg.enable { systemd = lib.recursiveUpdate (import ./hibernate.nix {inherit pkgs;}) (import ./fstrim.nix {inherit pkgs lib cfg;}); + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/srv" "/nix" "/boot"]; + interval = "monthly"; + }; + disko.devices = { disk = { main = { @@ -61,21 +61,45 @@ in { content = { type = "gpt"; partitions = { + ESP = { + # This can be relatively small, as we store all the big stuff in the + # XBOOTLDR directory. + size = "256M"; + + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/efi"; + mountOptions = ["umask=0077"]; + }; + }; + + nix = { + size = "30GB"; + content = { + type = "luks"; + name = "nixos-store"; + extraOpenArgs = ["--allow-discards"]; + content = { + type = "btrfs"; + extraArgs = ["-f" "--label nixos-store"]; # Override existing partitions + mountpoint = "/nix"; + mountOptions = defaultMountOptions; + }; + }; + }; + root = { size = "100%"; - name = "root"; content = { type = "luks"; - name = "nixos"; + name = "nixos-root"; extraOpenArgs = ["--allow-discards"]; content = { type = "btrfs"; - extraArgs = ["-f" "--label nixos"]; # Override existing partitions + extraArgs = ["-f" "--label nixos-root"]; # Override existing partitions subvolumes = { - "nix" = { - mountpoint = "/nix"; - mountOptions = defaultMountOptions; - }; "persistent-storage" = { mountpoint = "/srv"; mountOptions = defaultMountOptions; @@ -84,27 +108,27 @@ in { mountpoint = "/srv/.snapshots"; mountOptions = defaultMountOptions; }; + "boot" = { + mountpoint = "/boot"; + mountOptions = defaultMountOptions; + }; "swap" = { mountpoint = "/swap"; mountOptions = [ "noatime" # should have some performance upsides, and I don't use it anyways "lazytime" # make time changes in memory ]; + swap = { + swapfile = { + priority = -1; # lower than zramSwap, just in case + size = cfg.swap.ram_size; + }; + }; }; }; }; }; }; - boot = { - type = "EF00"; - size = "512M"; - name = "boot"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; }; }; }; @@ -130,6 +154,9 @@ in { }; }; fileSystems = { + "/nix" = { + neededForBoot = true; + }; "/srv" = { neededForBoot = true; }; @@ -137,23 +164,14 @@ in { neededForBoot = true; }; }; - swapDevices = [ - #{ - # device = "/swap/swapfile"; - # priority = 1; # lower than zramSwap, just in case - # # size = 2048; # TODO: can nixos create a btrfs swapfile correctly? - #} - ]; zramSwap = { enable = true; priority = 10; # needs to be higher than hardware-swap }; boot = { kernelParams = [ - "resume_offset=${cfg.swap.resumeOffset}" "zswap.enabled=0" # zswap and zram are not really compatible ]; - resumeDevice = "/dev/disk/by-uuid/${cfg.swap.uuid}"; }; }; } |