diff --git a/configs/common.nix b/configs/common.nix index 7f9331c..580c342 100755 --- a/configs/common.nix +++ b/configs/common.nix @@ -8,7 +8,7 @@ # kernelParams = [ "quiet" ]; consoleLogLevel = 0; kernel.sysctl = { "vm.max_map_count" = 262144; }; - initrd.systemd.enable = (!config.boot.swraid.enable && !config.boot.isContainer); + # initrd.systemd.enable = (!config.boot.swraid.enable && !config.boot.isContainer); }; # Work around for https://github.com/NixOS/nixpkgs/issues/124215 diff --git a/flake.lock b/flake.lock index 206c14a..0ea9f9d 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1730321876, - "narHash": "sha256-hG8dCERfiM1yUDRWvEplr9kMgEe79xWaeF1On4H5gcs=", + "lastModified": 1730390431, + "narHash": "sha256-M+rMhDB69Y35IlhmAMN4ErDige+wKPwhb6HDqpF14Rw=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "6d2d6b13f317bcc6ef0709974962b1d49dedb102", + "rev": "40388a7427ee32af175c5169ae7587ffd2dec125", "type": "github" }, "original": { @@ -38,22 +38,6 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, "flake-schemas": { "locked": { "lastModified": 1721999734, @@ -118,11 +102,11 @@ ] }, "locked": { - "lastModified": 1730016908, - "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", + "lastModified": 1730450782, + "narHash": "sha256-0AfApF8aexgB6o34qqLW2cCX4LaWJajBVdU6ddiWZBM=", "owner": "nix-community", "repo": "home-manager", - "rev": "e83414058edd339148dc142a8437edb9450574c8", + "rev": "8ca921e5a806b5b6171add542defe7bdac79d189", "type": "github" }, "original": { 
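Review bot: The initrd.systemd.enable line in configs/common.nix is commented out with no record of why, so the next reader cannot tell whether this is a temporary workaround or a deliberate return to the scripted initrd. Presumably it is needed because the btrfs rollback added under boot.initrd.postDeviceCommands in machine/desktop/configuration.nix is a scripted-initrd hook that systemd stage 1 does not run; if so, say it in place: `# Scripted initrd required: the btrfs /root rollback in machine/desktop/configuration.nix uses boot.initrd.postDeviceCommands, which systemd stage 1 does not execute`. Beyond that, prefer deleting the line over commenting it out, since git history keeps the old value; the same applies to the nixos-cosmic input and cosmic-modules blocks in flake.nix and to the jellyfin and home-external blocks in machine/desktop/configuration.nix.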
@@ -132,6 +116,21 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1730403150, + "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", @@ -162,11 +161,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1730108786, - "narHash": "sha256-HanZv/MCAcW2BMbe7Ns942ceMa2bTJUW48J654LiR/o=", + "lastModified": 1730399394, + "narHash": "sha256-ryBNcIi3X3YPc7hsTLYzp13NFsnp/i+v+stWjB8fryk=", "owner": "taj-ny", "repo": "kwin-effects-forceblur", - "rev": "523a7d714cc1c921ed9edb4a2bd6fd49817bc4bb", + "rev": "9100b4f6fb7c81b66fd773f7943ad6a51371a496", "type": "github" }, "original": { @@ -198,36 +197,13 @@ "type": "github" } }, - "nixos-cosmic": { - "inputs": { - "flake-compat": "flake-compat_2", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1730338548, - "narHash": "sha256-wwAKXZr5GU36NrVy/gERRWuQjIKvZYrTD5mRahd87vI=", - "owner": "lilyinstarlight", - "repo": "nixos-cosmic", - "rev": "bb2350119400c47be764c348e67f1b38e858435f", - "type": "github" - }, - "original": { - "owner": "lilyinstarlight", - "repo": "nixos-cosmic", - "type": "github" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1730365793, - "narHash": "sha256-XU41ts73mLV81CS+kGv7KTWjMeAQYReIRTRn9/WTjhs=", + "lastModified": 1730368399, + "narHash": "sha256-F8vJtG389i9fp3k2/UDYHMed3PLCJYfxCqwiVP7b9ig=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "b486ff2d754c0c396f391f6b83cb048066de8332", + "rev": "da14839ac5f38ee6adbdb4e6db09b5eef6d6ccdc", "type": "github" }, "original": { 
@@ -239,11 +215,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729880355, - "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { @@ -255,11 +231,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1730137625, - "narHash": "sha256-9z8oOgFZiaguj+bbi3k4QhAD6JabWrnv7fscC/mt0KE=", + "lastModified": 1730327045, + "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64b80bfb316b57cdb8919a9110ef63393d74382a", + "rev": "080166c15633801df010977d9d7474b4a6c549d7", "type": "github" }, "original": { @@ -306,34 +282,14 @@ "chaotic": "chaotic", "fw-fanctrl": "fw-fanctrl", "home-manager": "home-manager_2", + "impermanence": "impermanence", "kwin-effects-forceblur": "kwin-effects-forceblur", - "nixos-cosmic": "nixos-cosmic", "nixos-hardware": "nixos-hardware", + "nixpkgs-stable": "nixpkgs-stable", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "nixos-cosmic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730255392, - "narHash": "sha256-9pydem8OVxa0TwjUai1PJe0yHAJw556CWCEwyoAq8Ik=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "7509d76ce2b3d22b40bd25368b45c0a9f7f36c89", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 09ad79d..189c9df 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,10 +28,12 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - nixos-cosmic = { - url = "github:lilyinstarlight/nixos-cosmic"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; + impermanence.url = "github:nix-community/impermanence"; + + # nixos-cosmic = { + # url = "github:lilyinstarlight/nixos-cosmic"; + # inputs.nixpkgs.follows = "nixpkgs-unstable"; + # }; }; outputs = @@ -43,7 +45,8 @@ , nixpkgs-stable , nixpkgs-unstable , sops-nix - , nixos-cosmic + # , nixos-cosmic + , impermanence , ... } @ inputs: let @@ -63,16 +66,15 @@ # pass to it, with each system as an argument forAllSystems = nixpkgs.lib.genAttrs systems; - cosmic-modules = [ - { - nix.settings = { - substituters = [ "https://cosmic.cachix.org/" ]; - trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ]; - }; - } - nixos-cosmic.nixosModules.default - ]; - + # cosmic-modules = [ + # { + # nix.settings = { + # substituters = [ "https://cosmic.cachix.org/" ]; + # trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ]; + # }; + # } + # nixos-cosmic.nixosModules.default + # ]; in { overlays = import ./overlays { inherit inputs; }; @@ -82,8 +84,14 @@ system = "x86_64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ - ./machine/desktop/configuration.nix + impermanence.nixosModules.impermanence chaotic.nixosModules.default # OUR DEFAULT MODULE + nixos-hardware.nixosModules.common-cpu-amd + nixos-hardware.nixosModules.common-cpu-amd-pstate + nixos-hardware.nixosModules.common-cpu-amd-zenpower + nixos-hardware.nixosModules.common-pc-ssd + sops-nix.nixosModules.sops + ./machine/desktop/configuration.nix ]; }; diff --git a/fs-diff.sh b/fs-diff.sh new file mode 100755 index 0000000..bd581d0 --- /dev/null +++ b/fs-diff.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env bash +# fs-diff.sh +set -euo pipefail + +OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999) +OLD_TRANSID=${OLD_TRANSID#transid marker was } + +sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" | +sed '$d' | +cut -f17- -d' ' | +sort | +uniq | +while read path; do + path="/$path" + if [ -L "$path" ]; then + : # The path is a symbolic link, so is probably handled by NixOS already + elif [ -d "$path" ]; then + : # The path is a directory, ignore + else + echo "$path" + fi +done diff --git a/machine/desktop/configuration.nix b/machine/desktop/configuration.nix index 45c1c69..6372aa8 100755 --- a/machine/desktop/configuration.nix +++ b/machine/desktop/configuration.nix @@ -37,11 +37,6 @@ in imports = [ ./hardware-configuration.nix - inputs.nixos-hardware.nixosModules.common-cpu-amd - inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate - inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower - inputs.nixos-hardware.nixosModules.common-pc-ssd - inputs.sops-nix.nixosModules.sops ../../configs/browser.nix ../../configs/common.nix ../../configs/docker.nix @@ -53,8 +48,6 @@ in ../../configs/user.nix ]; - # chaotic.mesa-git.enable = true; - sops = { defaultSopsFile = ../../secrets.yaml; validateSopsFiles = true; 
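Review bot: `while read path` at the end of the pipeline in fs-diff.sh lets read interpret backslashes and strip leading and trailing whitespace, so a file whose name contains either is printed under a path that does not exist; use `while IFS= read -r path; do`. The subvolume locations `/mnt/root-blank` and `/mnt/root` are hard-coded, so the script silently assumes the same mount layout the initrd rollback uses; a one-line comment stating that assumption would help. `sort | uniq` can be `sort -u`.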
@@ -113,15 +106,82 @@ in # patch = ../../kernelpatches/fix-netfilter-6.11.4.patch; # }]; - initrd.luks.devices = { - root = { - # Use https://nixos.wiki/wiki/Full_Disk_Encryption - device = "/dev/disk/by-uuid/cc43f1eb-49c3-41a6-9279-6766de3659e7"; - preLVM = true; + initrd = { + luks.devices = { + root = { + # Use https://nixos.wiki/wiki/Full_Disk_Encryption + device = "/dev/disk/by-uuid/cc43f1eb-49c3-41a6-9279-6766de3659e7"; + allowDiscards = true; + preLVM = true; + }; }; + + postDeviceCommands = pkgs.lib.mkBefore '' + mkdir -p /mnt + + # We first mount the btrfs root to /mnt + # so we can manipulate btrfs subvolumes. + mount -o subvol=/ /dev/mapper/lvm-root /mnt + + # While we're tempted to just delete /root and create + # a new snapshot from /root-blank, /root is already + # populated at this point with a number of subvolumes, + # which makes `btrfs subvolume delete` fail. + # So, we remove them first. + # + # /root contains subvolumes: + # - /root/var/lib/portables + # - /root/var/lib/machines + # + # I suspect these are related to systemd-nspawn, but + # since I don't use it I'm not 100% sure. + # Anyhow, deleting these subvolumes hasn't resulted + # in any issues so far, except for fairly + # benign-looking errors from systemd-tmpfiles. + btrfs subvolume list -o /mnt/root | + cut -f9 -d' ' | + while read subvolume; do + echo "deleting /$subvolume subvolume..." + btrfs subvolume delete "/mnt/$subvolume" + done && + echo "deleting /root subvolume..." && + btrfs subvolume delete /mnt/root + + echo "restoring blank /root subvolume..." + btrfs subvolume snapshot /mnt/root-blank /mnt/root + + # Once we're done rolling back to a blank snapshot, + # we can unmount /mnt and continue on the boot process. 
+ umount /mnt + ''; }; }; + environment.persistence."/persist" = { + directories = [ + "/etc/coolercontrol" + "/etc/NetworkManager/system-connections" + "/etc/nixos" + "/var/lib/bluetooth" + "/var/lib/docker" + "/var/lib/nixos" + "/var/lib/samba" + "/var/lib/sddm" + "/var/lib/systemd/rfkill" + "/var/lib/tailscale" + "/var/lib/tuptime" + "/var/lib/vnstat" + ]; + files = [ + # "/etc/machine-id" + "/etc/NIXOS" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + systemd.services = { monitor = { description = "AMDGPU Control Daemon"; @@ -142,11 +202,14 @@ in inputs.kwin-effects-forceblur.packages.${pkgs.system}.default lact amdgpu_top + python3 python311Packages.tkinter + snapraid mergerfs gimp + clinfo gparted mission-center @@ -235,11 +298,11 @@ in }; }; - jellyfin = { - enable = true; - user = "alex"; - group = "users"; - }; + # jellyfin = { + # enable = true; + # user = "alex"; + # group = "users"; + # }; tailscale.enable = true; 
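Review bot: In the postDeviceCommands script the `&&` chain stops at `btrfs subvolume delete /mnt/root`, so when a nested subvolume or /root itself cannot be deleted the snapshot command still runs, creates the snapshot inside the still-existing /mnt/root instead of replacing it, and boot continues on the stale root with nothing louder than a command error in the initrd log. Since the persistence list below is the whole statement of which state is meant to survive a reboot, the rollback should fail visibly rather than silently keep everything; chaining the snapshot onto the delete and reporting the failure is enough here (whether stage 1 treats a failed command as fatal is not visible in this hunk). Separately, `"/etc/machine-id"` is left commented out in `files`, so every boot gets a fresh machine-id; journald keys its on-disk directory by that id, so earlier boots' entries remain under /var/log but are not shown by a default journalctl query, which weakens the audit trail the security block later in this file relies on. The enclosing `boot` attribute set starts before this hunk.
```nix
          done &&
          echo "deleting /root subvolume..." &&
          btrfs subvolume delete /mnt/root &&
          echo "restoring blank /root subvolume..." &&
          btrfs subvolume snapshot /mnt/root-blank /mnt/root ||
          echo "WARNING: /root rollback failed, booting with previous root state" >&2

          # … unchanged: umount /mnt …
```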
@@ -265,31 +328,47 @@ in exclude = map (x: paths + "/" + x) be.borg-exclude; }; - home-external = rec { - compression = "auto,zstd"; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat ${config.sops.secrets.borg-key.path}"; - }; - extraCreateArgs = "--checkpoint-interval 600 --exclude-caches"; - paths = "/home/alex"; - repo = "/run/media/alex/b6c33623-fc23-47ed-b6f5-e99455d5534a/borg"; - startAt = []; - user = "alex"; - prune.keep = { - daily = 7; - weekly = 4; - monthly = 6; - }; - extraPruneArgs = "--save-space --list --stats"; - exclude = map (x: paths + "/" + x) [ - ".cache" - ".config/Nextcloud/logs" - ".local/share/baloo" - ]; - }; + # home-external = rec { + # compression = "auto,zstd"; + # encryption = { + # mode = "repokey-blake2"; + # passCommand = "cat ${config.sops.secrets.borg-key.path}"; + # }; + # extraCreateArgs = "--checkpoint-interval 600 --exclude-caches"; + # paths = "/home/alex"; + # repo = "/run/media/alex/b6c33623-fc23-47ed-b6f5-e99455d5534a/borg"; + # startAt = [ ]; + # user = "alex"; + # prune.keep = { + # daily = 7; + # weekly = 4; + # monthly = 6; + # }; + # extraPruneArgs = "--save-space --list --stats"; + # exclude = map (x: paths + "/" + x) [ + # ".cache" + # ".config/Nextcloud/logs" + # ".local/share/baloo" + # ]; + # }; }; }; + security = { + rtkit.enable = true; + apparmor.enable = true; + + auditd.enable = true; + audit.enable = true; + audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + + sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + }; + system.stateVersion = "24.11"; } diff --git a/machine/desktop/hardware-configuration.nix b/machine/desktop/hardware-configuration.nix index 578dc62..7df0d00 100644 --- a/machine/desktop/hardware-configuration.nix +++ b/machine/desktop/hardware-configuration.nix 
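Review bot: The audit rule `-a exit,always -F arch=b64 -S execve` records only 64-bit execve, so a 32-bit binary (arch=b32) and any process started through execveat on either ABI never reach the log, a well-known gap when execve auditing is the basis for process-start visibility. Cover both ABIs and both syscalls, and key them so they can be searched: `"-a exit,always -F arch=b64 -S execve,execveat -k exec"` and `"-a exit,always -F arch=b32 -S execve,execveat -k exec"`. Worth a comment next to `auditd.enable` is that the audit log survives the /root rollback only because /var/log is its own `subvol=log` subvolume with `neededForBoot = true` in hardware-configuration.nix, so that mount must not be folded back into root later.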
@@ -18,31 +18,32 @@ "/" = { device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; fsType = "btrfs"; - options = [ "subvol=root" "compress=zstd" "noatime" ]; + options = [ "subvol=root" "discard=async" "compress=zstd" "noatime" ]; }; "/home" = { device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; fsType = "btrfs"; - options = [ "subvol=home" "compress=zstd" "noatime" ]; + options = [ "subvol=home" "discard=async" "compress=zstd" "noatime" ]; }; "/nix" = { device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; fsType = "btrfs"; - options = [ "subvol=nix" "compress=zstd" "noatime" ]; + options = [ "subvol=nix" "discard=async" "compress=zstd" "noatime" ]; }; "/persist" = { device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; fsType = "btrfs"; - options = [ "subvol=persist" "compress=zstd" "noatime" ]; + options = [ "subvol=persist" "discard=async" "compress=zstd" "noatime" ]; + neededForBoot = true; }; "/var/log" = { device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; fsType = "btrfs"; - options = [ "subvol=log" "compress=zstd" "noatime" ]; + options = [ "subvol=log" "discard=async" "compress=zstd" "noatime" ]; neededForBoot = true; };