robertodr · January 4, 2024 15:04
diff --git a/configuration.nix b/configuration.nix
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  imports = [
    ./hardware-configuration.nix
    "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/aef9a509db64a081186af2dc185654d78dc8e344.tar.gz"}/module.nix"
    ./disko-config.nix
    "${builtins.fetchTarball "https://github.com/NixOS/nixos-hardware/archive/a15b6e525f5737a47b4ce28445c836996fb2ea8c.tar.gz"}/framework/13-inch/12th-gen-intel"
    "${builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/033643a45a4a920660ef91caa391fbffb14da466.tar.gz"}/nixos.nix"
  ];

  boot = {
    kernelParams = ["resume_offset=533760"];  # <-- CHANGE with output of btrfs inspect-internal map-swapfile -r /.swapvol/swapfile
    resumeDevice = "/dev/disk/by-uuid/edc1b1c1-ae2e-462c-8390-fdf11cf81ea9";  # <-- CHANGE with output of findmnt -no UUID -T /.swapvol/swapfile
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # the rollback service is from: https://discourse.nixos.org/t/impermanence-vs-systemd-initrd-w-tpm-unlocking/25167/3
    initrd.systemd.services.root-rollback = {
      description = "Rollback BTRFS root subvolume to a pristine state";
      wantedBy = [
        "initrd.target"
      ];
      after = [
        # LUKS/TPM process
        "[email protected]"
      ];
      before = [
        "sysroot.mount"
      ];
      unitConfig.DefaultDependencies = "no";
      serviceConfig.Type = "oneshot";
      script = ''
        mkdir -p /mnt
        # We first mount the btrfs root to /mnt
        # so we can manipulate btrfs subvolumes.
        mount -o subvol=/ /dev/mapper/encrypted /mnt
        # While we're tempted to just delete /root and create
        # a new snapshot from /root-blank, /root is already
        # populated at this point with a number of subvolumes,
        # which makes `btrfs subvolume delete` fail.
        # So, we remove them first.
        #
        # /root contains subvolumes:
        # - /root/var/lib/portables
        # - /root/var/lib/machines
        #
        # I suspect these are related to systemd-nspawn, but
        # since I don't use it I'm not 100% sure.
        # Anyhow, deleting these subvolumes hasn't resulted
        # in any issues so far, except for fairly
        # benign-looking errors from systemd-tmpfiles.
        btrfs subvolume list -o /mnt/root |
          cut -f9 -d' ' |
          while read subvolume; do
            echo "deleting /$subvolume subvolume..."
            btrfs subvolume delete "/mnt/$subvolume"
          done &&
          echo "deleting /root subvolume..." &&
          btrfs subvolume delete /mnt/root
        echo "restoring blank /root subvolume..."
        btrfs subvolume snapshot /mnt/root-blank /mnt/root
        # Once we're done rolling back to a blank snapshot,
        # we can unmount /mnt and continue on the boot process.
        umount /mnt
      '';
    };
  };

  fileSystems."/nix".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/bluetooth"
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
      "/etc/nixos"
      {
        directory = "/var/lib/colord";
        user = "colord";
        group = "colord";
        mode = "u=rwx,g=rx,o=";
      }
    ];
    files = [
      "/etc/machine-id"
      {
        file = "/var/keys/secret_file";
        parentDirectory = {mode = "u=rwx,g=,o=";};
      }
    ];
  };

  networking = {
    hostName = "kellanved";
    networkmanager.enable = true;
  };

  time.timeZone = "Europe/Oslo";

  i18n.defaultLocale = "en_US.UTF-8";

  services = {
    xserver = {
      enable = true;
      displayManager.gdm.enable = true;
      displayManager.gdm.wayland = false;
      desktopManager.gnome.enable = true;
      xkb = {
        layout = "us";
        options = "eurosign:e,caps:escape";
      };
      libinput.enable = true;
    };
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;

  users = {
    groups = {
      roberto = {gid = 1000;};
    };
    users = {
      roberto = {
        isNormalUser = true;
        description = "Roberto Di Remigio Eikås";
        group = "roberto";
        uid = 1000;
        extraGroups = ["users" "networkmanager" "wheel"];
        shell = pkgs.fish;
        hashedPassword = "$y$j9T$9CT7imGp.njKexGkzwsTh/$7y/T3A6cPIvy7CFKEBOJzil4sJmof0IaFR9BlJr2b15";
        packages = with pkgs; [
        ];
      };
    };
  };

  nixpkgs = {
    config.allowUnfree = true;
  };

  environment.systemPackages = with pkgs; [
    alejandra
    neovim
    zoom-us
  ];

  programs = {
    _1password-gui = {
      enable = true;
      polkitPolicyOwners = ["roberto"];
    };
    _1password.enable = true;
    firefox.enable = true;
    fish.enable = true;
    git.enable = true;
  };

  system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
 }
diff --git a/disko-config.nix b/disko-config.nix
 {
  disko.devices = {
    disk = {
      nvme0n1 = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              label = "EFI";
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "defaults"
                ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "encrypted";
                passwordFile = "/tmp/secret.key"; # path to file containing password for initial encryption
                settings.allowDiscards = true;
                content = {
                  type = "btrfs";
                  extraArgs = ["-f"];
                  postCreateHook = ''
                    MNTPOINT=$(mktemp -d)
                    mount /dev/mapper/encrypted "$MNTPOINT" -o subvol=/
                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                  '';
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "/swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "66G";
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "/persist" = {
                      mountpoint = "/persist";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-intel"];
  boot.extraModulePackages = [];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
	{
	config,
	lib,
	pkgs,
	...
	}: {
	imports = [
	./hardware-configuration.nix
	"${builtins.fetchTarball "https://github.com/nix-community/disko/archive/aef9a509db64a081186af2dc185654d78dc8e344.tar.gz"}/module.nix"
	./disko-config.nix
	"${builtins.fetchTarball "https://github.com/NixOS/nixos-hardware/archive/a15b6e525f5737a47b4ce28445c836996fb2ea8c.tar.gz"}/framework/13-inch/12th-gen-intel"
	"${builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/033643a45a4a920660ef91caa391fbffb14da466.tar.gz"}/nixos.nix"
	];

	boot = {
	kernelParams = ["resume_offset=533760"]; # <-- CHANGE with output of btrfs inspect-internal map-swapfile -r /.swapvol/swapfile
	resumeDevice = "/dev/disk/by-uuid/edc1b1c1-ae2e-462c-8390-fdf11cf81ea9"; # <-- CHANGE with output of findmnt -no UUID -T /.swapvol/swapfile
	loader = {
	systemd-boot.enable = true;
	efi.canTouchEfiVariables = true;
	};
	# the rollback service is from: https://discourse.nixos.org/t/impermanence-vs-systemd-initrd-w-tpm-unlocking/25167/3
	initrd.systemd.services.root-rollback = {
	description = "Rollback BTRFS root subvolume to a pristine state";
	wantedBy = [
	"initrd.target"
	];
	after = [
	# LUKS/TPM process
	"[email protected]"
	];
	before = [
	"sysroot.mount"
	];
	unitConfig.DefaultDependencies = "no";
	serviceConfig.Type = "oneshot";
	script = ''
	mkdir -p /mnt
	# We first mount the btrfs root to /mnt
	# so we can manipulate btrfs subvolumes.
	mount -o subvol=/ /dev/mapper/encrypted /mnt
	# While we're tempted to just delete /root and create
	# a new snapshot from /root-blank, /root is already
	# populated at this point with a number of subvolumes,
	# which makes `btrfs subvolume delete` fail.
	# So, we remove them first.
	#
	# /root contains subvolumes:
	# - /root/var/lib/portables
	# - /root/var/lib/machines
	#
	# I suspect these are related to systemd-nspawn, but
	# since I don't use it I'm not 100% sure.
	# Anyhow, deleting these subvolumes hasn't resulted
	# in any issues so far, except for fairly
	# benign-looking errors from systemd-tmpfiles.
	btrfs subvolume list -o /mnt/root \|
	cut -f9 -d' ' \|
	while read subvolume; do
	echo "deleting /$subvolume subvolume..."
	btrfs subvolume delete "/mnt/$subvolume"
	done &&
	echo "deleting /root subvolume..." &&
	btrfs subvolume delete /mnt/root
	echo "restoring blank /root subvolume..."
	btrfs subvolume snapshot /mnt/root-blank /mnt/root
	# Once we're done rolling back to a blank snapshot,
	# we can unmount /mnt and continue on the boot process.
	umount /mnt
	'';
	};
	};

	fileSystems."/nix".neededForBoot = true;
	fileSystems."/persist".neededForBoot = true;

	environment.persistence."/persist" = {
	hideMounts = true;
	directories = [
	"/var/log"
	"/var/lib/bluetooth"
	"/var/lib/nixos"
	"/var/lib/systemd/coredump"
	"/etc/NetworkManager/system-connections"
	"/etc/nixos"
	{
	directory = "/var/lib/colord";
	user = "colord";
	group = "colord";
	mode = "u=rwx,g=rx,o=";
	}
	];
	files = [
	"/etc/machine-id"
	{
	file = "/var/keys/secret_file";
	parentDirectory = {mode = "u=rwx,g=,o=";};
	}
	];
	};

	networking = {
	hostName = "kellanved";
	networkmanager.enable = true;
	};

	time.timeZone = "Europe/Oslo";

	i18n.defaultLocale = "en_US.UTF-8";

	services = {
	xserver = {
	enable = true;
	displayManager.gdm.enable = true;
	displayManager.gdm.wayland = false;
	desktopManager.gnome.enable = true;
	xkb = {
	layout = "us";
	options = "eurosign:e,caps:escape";
	};
	libinput.enable = true;
	};
	pipewire = {
	enable = true;
	alsa.enable = true;
	alsa.support32Bit = true;
	pulse.enable = true;
	};
	};

	sound.enable = true;
	hardware.pulseaudio.enable = false;
	security.rtkit.enable = true;

	users = {
	groups = {
	roberto = {gid = 1000;};
	};
	users = {
	roberto = {
	isNormalUser = true;
	description = "Roberto Di Remigio Eikås";
	group = "roberto";
	uid = 1000;
	extraGroups = ["users" "networkmanager" "wheel"];
	shell = pkgs.fish;
	hashedPassword = "$y$j9T$9CT7imGp.njKexGkzwsTh/$7y/T3A6cPIvy7CFKEBOJzil4sJmof0IaFR9BlJr2b15";
	packages = with pkgs; [
	];
	};
	};
	};

	nixpkgs = {
	config.allowUnfree = true;
	};

	environment.systemPackages = with pkgs; [
	alejandra
	neovim
	zoom-us
	];

	programs = {
	_1password-gui = {
	enable = true;
	polkitPolicyOwners = ["roberto"];
	};
	_1password.enable = true;
	firefox.enable = true;
	fish.enable = true;
	git.enable = true;
	};

	system.copySystemConfiguration = true;

	# This option defines the first version of NixOS you have installed on this particular machine,
	# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
	#
	# Most users should NEVER change this value after the initial install, for any reason,
	# even if you've upgraded your system to a new NixOS release.
	#
	# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
	# so changing it will NOT upgrade your system.
	#
	# This value being lower than the current NixOS release does NOT mean your system is
	# out of date, out of support, or vulnerable.
	#
	# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
	# and migrated your data accordingly.
	#
	# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
	system.stateVersion = "23.11"; # Did you read the comment?
	}
	{
	disko.devices = {
	disk = {
	nvme0n1 = {
	type = "disk";
	device = "/dev/nvme0n1";
	content = {
	type = "gpt";
	partitions = {
	ESP = {
	label = "EFI";
	size = "512M";
	type = "EF00";
	content = {
	type = "filesystem";
	format = "vfat";
	mountpoint = "/boot";
	mountOptions = [
	"defaults"
	];
	};
	};
	luks = {
	size = "100%";
	content = {
	type = "luks";
	name = "encrypted";
	passwordFile = "/tmp/secret.key"; # path to file containing password for initial encryption
	settings.allowDiscards = true;
	content = {
	type = "btrfs";
	extraArgs = ["-f"];
	postCreateHook = ''
	MNTPOINT=$(mktemp -d)
	mount /dev/mapper/encrypted "$MNTPOINT" -o subvol=/
	trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
	btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
	'';
	subvolumes = {
	"/root" = {
	mountpoint = "/";
	mountOptions = ["compress=zstd" "noatime"];
	};
	"/nix" = {
	mountpoint = "/nix";
	mountOptions = ["compress=zstd" "noatime"];
	};
	"/swap" = {
	mountpoint = "/.swapvol";
	swap.swapfile.size = "66G";
	};
	"/home" = {
	mountpoint = "/home";
	mountOptions = ["compress=zstd" "noatime"];
	};
	"/persist" = {
	mountpoint = "/persist";
	mountOptions = ["compress=zstd" "noatime"];
	};
	};
	};
	};
	};
	};
	};
	};
	};
	};
	}
	# Do not modify this file! It was generated by ‘nixos-generate-config’
	# and may be overwritten by future invocations. Please make changes
	# to /etc/nixos/configuration.nix instead.
	{
	config,
	lib,
	pkgs,
	modulesPath,
	...
	}: {
	imports = [
	(modulesPath + "/installer/scan/not-detected.nix")
	];

	boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
	boot.initrd.kernelModules = [];
	boot.kernelModules = ["kvm-intel"];
	boot.extraModulePackages = [];

	# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
	# (the default) this is the recommended approach. When using systemd-networkd it's
	# still possible to use this option, but it's recommended to use it in conjunction
	# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
	networking.useDHCP = lib.mkDefault true;
	# networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;

	nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
	hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
	}