From fb7ed06740bb69b6f2396cef0813d838eb21823b Mon Sep 17 00:00:00 2001
From: O_o <36400459+god464@users.noreply.github.com>
Date: Tue, 22 Oct 2024 00:19:50 +0800
Subject: [PATCH] feat(desktop): adding support for luks (#114) (#114)

---
 .sops.yaml | 2 +-
 hosts/common/default.nix | 1 -
 hosts/desktop/default.nix | 7 ++++
 hosts/desktop/disk.nix | 70 ++++++++++++++++++++++----------------
 hosts/desktop/secrets.yaml | 22 ++++++------
 modules/booter/default.nix | 11 +++---
 6 files changed, 64 insertions(+), 49 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 09aa36b..1182f57 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 keys:
 - &recover age1fqsveefjf02dy9uzg2xa0pqjsaypa9d9xvpe9c293cg0cv3m7e7ss2uct5
- - &desktop age1csgj89yftc8587lp00m7g75khsfpzwyjytqln47x473zug4lhsfqqpsclh
+ - &desktop age1gklefcuzv2ard7fzqkycmx8lrrscjp942xpfx2u9m0fwapt383ysnxh2qy
 - &server age1972wm0vc96w489jfw7sd335ayz4t2j4839s8sgjpdcf89fur7qfqea8lm7
 creation_rules:
 - path_regex: ^hosts/desktop/secrets\.yaml$
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 1ded980..0138539 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,6 +1,5 @@
 {
 users.mutableUsers = false;
- hardware.cpu.amd.updateMicrocode = true;
 zramSwap.enable = true;
 services.btrfs.autoScrub.enable = true;
 documentation = {
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index cca3962..763f8cb 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -20,6 +20,7 @@
 cache = [ "https://cosmic.cachix.org" ];
 trustKeys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ];
 };
+ hardware.enableAllFirmware = true;
 users.users.cl = {
 isNormalUser = true;
 extraGroups = [ "wheel" ];
@@ -39,6 +40,12 @@
 withRuby = true;
 defaultEditor = true;
 };
+ clash-verge = {
+ enable = true;
+ tunMode = true;
+ autoStart = true;
+ package = pkgs.clash-verge-rev;
+ };
 };
 home-manager = {
 useGlobalPkgs = true;
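Review bot: Removing `hardware.cpu.amd.updateMicrocode = true;` from hosts/common/default.nix drops early CPU microcode loading for the AMD hosts this config targets (the booter module still loads `kvm-amd`), and nothing in the commit re-adds it; `hardware.enableAllFirmware = true;` in the hosts/desktop/default.nix hunk pulls in device firmware but does not cover CPU microcode. Microcode is how vendors ship CPU-level mitigations for speculative-execution issues, so unless the option is set in a file outside this diff the machines stay on whatever the firmware vendor shipped. If the intent was to move it from common to the desktop host, add `hardware.cpu.amd.updateMicrocode = true;` next to `hardware.enableAllFirmware`, with a comment such as `# early microcode loading; enableAllFirmware does not include CPU microcode`.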
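Review bot: `tunMode = true;` in the new `clash-verge` block is a privileged setting, not a cosmetic one — as far as I recall the NixOS module implements TUN mode by wrapping the binary with CAP_NET_ADMIN (confirm against the module), and with `autoStart = true;` a third-party proxy client with system-wide traffic interception then starts automatically. That is a deliberate trust decision and deserves a why-comment above `clash-verge = {`, e.g. `# TUN mode: privileged (CAP_NET_ADMIN) system-wide traffic interception, started automatically`. The attribute set that encloses the new block (presumably `programs`) starts outside the hunk.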
diff --git a/hosts/desktop/disk.nix b/hosts/desktop/disk.nix
index 8666fa2..efddc33 100644
--- a/hosts/desktop/disk.nix
+++ b/hosts/desktop/disk.nix
@@ -9,6 +9,7 @@
 partitions = {
 ESP = {
 size = "1G";
+ label = "ESP";
 type = "EF00";
 content = {
 type = "filesystem";
@@ -18,36 +19,47 @@
 };
 };
 root = {
- size = "100%";
+ end = "-128G";
+ label = "ROOT";
 content = {
- type = "btrfs";
- extraArgs = [
- "-f"
- "--csum XXHASH"
- "-L NixOS"
- ];
- subvolumes = {
- "@nix" = {
- mountpoint = "/nix";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "@persist" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/persist";
- };
- "@swap" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/.swap";
- swap.swapfile.size = "4G";
+ type = "luks";
+ name = "nixos";
+ settings = {
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ fallbackToPassword = true;
+ crypttabExtraOpts = [ "tpm2-device=auto" ];
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-f"
+ "--csum XXHASH"
+ "-L NixOS"
+ ];
+ subvolumes = {
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@persist" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/persist";
+ };
+ "@swap" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/.swap";
+ swap.swapfile.size = "4G";
+ };
 };
 };
 };
diff --git a/hosts/desktop/secrets.yaml b/hosts/desktop/secrets.yaml
index 1c193ae..ac0fe5a 100644
--- a/hosts/desktop/secrets.yaml
+++ b/hosts/desktop/secrets.yaml
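Review bot: `crypttabExtraOpts = [ "tpm2-device=auto" ];` in the new `settings` block is only honoured by systemd stage 1 (NixOS documents `boot.initrd.luks.devices.<name>.crypttabExtraOpts` as systemd-only), yet the modules/booter/default.nix hunk in this same commit removes `systemd.enable = true;` from `boot.initrd`, so the TPM2 unlock becomes dead configuration and the scripted initrd will prompt for the passphrase on every boot; `fallbackToPassword = true;` is conversely a scripted-stage-1 knob, so the block mixes two initrd stacks and one of the two lines is inert either way. Keep `boot.initrd.systemd.enable = true;` in the booter module (and drop `fallbackToPassword`) if TPM2 auto-unlock is the goal, or drop `crypttabExtraOpts` if it is not. `tpm2-device=auto` also only means "use whatever policy was bound at `systemd-cryptenroll` time" (PCR 7 alone by default, no PIN), so the volume opens for anyone who powers on the intact machine with the same Secure Boot state and the LUKS layer then mainly protects a removed drive; a comment on `settings` recording the enrolled PCRs and PIN choice would help, since the enrollment itself is not in the repo. `allowDiscards = true;` is the usual SSD trade-off, but NixOS documents it as having security implications (TRIM exposes free-space layout), so it merits a one-line why-comment too. The `root` attribute set this hunk rewrites is closed outside the hunk.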
@@ -5,23 +5,23 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1csgj89yftc8587lp00m7g75khsfpzwyjytqln47x473zug4lhsfqqpsclh + - recipient: age1gklefcuzv2ard7fzqkycmx8lrrscjp942xpfx2u9m0fwapt383ysnxh2qy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRTFwdlNXdDBxNnNuVEQ3 - bjNpTWdNUGZ4djZkK0NsdEZTWW5PSUxhNGljClBqeUFzYTdsaUlKRzFhM0QzWUtY - UUFuclJydmQrYnRLTEFycFdsNmlDcGsKLS0tIHBnS2l5VHNCbXF2YWdqd1dxU3Bz - TndGTllyV1RlYktsbTZHams3Mjd2T1UKfJg125AMyAvuTF0fBgcxM6capRWdXK7o - uFNm1ePPV7fzfWt+DBNgBxo64dXjmMogYQR59PqvY+HpYEjmzhNZSg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva01ENmhMdDl4ZUlzK2xH + VVJhUit6WXdzMFFSWkFRWEJZaTArckRKZGlBCk96NiszdHJoNXRZUEFpbWdLZWtn + NVBva0xlNWNpb2FlcFAwd3RHOXVXcG8KLS0tIC9aUTYvcWx4cUp2R3lYOTh4VW9W + eTVnK0lSaUV5ME1mYmNBYWxKWXV3NDgKuqtGJrHcvuqq3r+dtMYE4n4rCF0gPUku + yhNrcmdhQmly2H0JiS5+WusH2lznTEnheeZPoK8+GrLpH42BcQshKA== -----END AGE ENCRYPTED FILE----- - recipient: age1fqsveefjf02dy9uzg2xa0pqjsaypa9d9xvpe9c293cg0cv3m7e7ss2uct5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMEt0M2FuTWU0T09RTmNG - VElFSlRGRDg4ampsR2JQbFN3QXBybU0xUURvCjVRdXVBdkE4S2d2UVhxbWc1cTlj - R29Gb09tcG9PelBVUVNpY0VzNjBqSmcKLS0tIHJVYUhxYTBSMlFxVEgzSVRoVmVY - YmZ0MVhDQUlWQ01DL3dTYjZsZzhtSDAKxK0IxAv9E/y0h0FGUMX1KfyP6hhjKcqp - 0KQ5Vg7Ve8vUV0dqqjEIbAfBVSgzklaYjlBTpjNIK1ORAQnOm0b+Jg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJK0pGeDZrcHdoeUs4TzZR + VDM4TlF5bnZUL1NLbE51YUhmRWs3VmppYUNnClJ0b3FtMHZEQUxhRU4wWjFDUTlp + K2xUdWQ3QllMOHZUdkhsWDluUzJ4Mm8KLS0tIEtBV3V2K3RYNDZKbUdNZWJRcCtR + b3FoOTl3N0J4cWFQZWVQeDdoblNMSkUKlAWfZa45pGjI3s3D1KdRquY0RO5hlzLh + OKGe9ijTe2I+vuUlziFdlib4sRZVGfEzaOhKo6NBWlExyrmTNcm2ag== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-10-04T01:16:59Z" mac: 
ENC[AES256_GCM,data:dIV+IhxVwjM8IsuShn++xKQ0WZpib/Wf/xUbn158UAOpizHs569tPv3DcfGxF3FCRKT/Re3ivt1FuDUYsaIBzjqoSEd3wfwglLVJdssDw2qhIWvGOTnFC6hBr+tqvBke6zCHVgSg+2DazKZ/+mOMO4FEjs1zt1ZbtDHk01YET+w=,iv:ErZqVPPUKKZFor4oo0V65oNOkvOffZWI9nEyC9Kzs94=,tag:pl9vBTvip8pUzhn0AD365A==,type:str] diff --git a/modules/booter/default.nix b/modules/booter/default.nix index 07cf744..d30b633 100644 --- a/modules/booter/default.nix +++ b/modules/booter/default.nix @@ -24,19 +24,15 @@ in { initrd = { availableKernelModules = [ - "ata_piix" - "mptspi" - "uhci_hcd" - "ehci_pci" - "ahci" + "nvme" + "xhci_pci" + "uas" "sd_mod" - "sr_mod" ]; supportedFilesystems = [ "btrfs" "tmpfs" ]; - systemd.enable = true; }; kernelModules = [ "kvm-amd" ]; kernelPackages = cfg.kernel; @@ -55,6 +51,7 @@ in "quiet" "splash" ]; + }) (mkIf (!display.enable) { loader.systemd-boot = {
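Review bot: The hosts/desktop/secrets.yaml hunk re-wraps the file's data key for the new desktop recipient (the .sops.yaml hunk swaps `&desktop` to age1gklef…), but `lastmodified` and the `mac:` line are unchanged context, which suggests this was an `updatekeys` run and the data key itself was not rotated. Every earlier revision of this file in git history is still encrypted to the old key age1csgj89…, so if that key was replaced because its private half was exposed or left behind on the disk being reinstalled rather than simply regenerated for a fresh host, the secrets should be treated as still recoverable with it; rotating the data key with `sops -r -i hosts/desktop/secrets.yaml` (and changing the underlying credentials if exposure is suspected) closes that gap for future commits. A sentence in the commit message or a comment in .sops.yaml stating why the desktop key changed would let the next reviewer skip this question.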