From bf329299d3c412bdbe6d1145b0947e6950c5c548 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 30 Jul 2024 15:22:50 +0200 Subject: ... --- hosts/sif/default.nix | 8 ++--- hosts/sif/gkleen-rclone.yaml | 34 ++++++++++---------- hosts/sif/hw.nix | 76 +++++++++++++++++++++++++++++++++----------- hosts/sif/mail/secrets.yaml | 34 ++++++++++---------- 4 files changed, 94 insertions(+), 58 deletions(-) (limited to 'hosts') diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 319dccd9..87c0f3bf 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -13,7 +13,7 @@ in { imports = with flake.nixosModules.systemProfiles; [ ./hw.nix ./mail - initrd-all-crypto-modules default-locale openssh rebuild-machines + tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines networkmanager ]; @@ -35,8 +35,8 @@ in { emergencyAccess = config.users.users.root.hashedPassword; }; luks.devices = { - nvm0 = { device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; bypassWorkqueues = true; }; - nvm1 = { device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; bypassWorkqueues = true; }; + nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; + nvm1 = { device = "/dev/disk/by-uuid/2884e98d-5afd-4965-91c9-88ffb5ec58bc"; bypassWorkqueues = true; }; }; availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; @@ -655,6 +655,6 @@ in { in [ gtk-portal ]; }; - system.stateVersion = "20.03"; + system.stateVersion = "24.11"; }; } diff --git a/hosts/sif/gkleen-rclone.yaml b/hosts/sif/gkleen-rclone.yaml index 4bc07556..f0430f71 100644 --- a/hosts/sif/gkleen-rclone.yaml +++ b/hosts/sif/gkleen-rclone.yaml 
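Review bot: The `system.stateVersion` change from "20.03" to "24.11" in the last hunk of hosts/sif/default.nix has no comment saying why it is safe. NixOS uses this value to choose defaults for stateful services, so it should only move when the state those defaults refer to was created fresh or migrated. The new LUKS UUIDs and the added `tmpfs-root` and `bcachefs` profiles suggest a reinstall, but hw.nix in the same commit persists `/home` and several `/var/lib` paths. If nothing was carried over, record that next to the value, for example `# reinstalled on bcachefs 2024-07; no state from the 20.03 install carried over`. The attribute set around this line continues outside the hunk.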
@@ -5,28 +5,26 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d + - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhazlZcFRyY2ZxZ2dLb00v - SzZmM3paanI1b090NW8za1FKa3Q0bWlKeTJNCllhRGo2bDNaMkxpMHlweEZGU3FQ - SlFIQmxqK2trWm5TRFp0SEhVRUNNWncKLS0tIHc3OGNqbHF0eFozdWp1V3IvRFJJ - bzd6VTRPT1pqYVFPQ0IyblVQdWt4MUUKtp8FKeOVhZ6DTY0euegOFcmUL6bNYlml - 1DlbDUF47mAMz6HfsvpyoJmLG/uQBCXUVIpP18ignQtJJx043+vnEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZU1MY0JCRkdPK0JIWEs4 + MnVQYWN1cklPSFJFTkYxVm9nVFpYSjRTUENnClZZaUw0QVYxejMzM0VvYTUzMUlE + N0ZVV0laeVJQV3BsUHJzVWlNM0ZZWEUKLS0tIEZvRWtEdzFwVlVMS2FxT2Z3NHRo + STZZRWxURnQ1MHE2RlJVQmdiM2VlNVkKpDJSJxij/LKFGUyuy/iAmf/Gq+PhLh4V + DoowTqWMehgKz/x14HCegI6fIuI2Spwk6GVVICQvmk5Y33/kyneOiA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c0hoSGE4SVpwRkpBZmgv + SVVDODZmbkN4THNMelJucXZ3aTFrUDlmRmtZCkl3UFlROWJyd0VGakZRK3NGUEty + UUxjMDVZZWc4MXdKQTlKczF4N1gxYUUKLS0tIHRyczNiTzJLYTZaRFduc2RoaXhU + SUpCMXJDd1YwcnpuQ2hHa2Q4TlNGYjgKe3cSIERblN7XbI8mBWWSKhdLs6J8LT6t + 3Q2gz8LZhtEJvROOYiVjcnZG9iOLLkgsy/mI34Y0evcKZrvvsPyQ1g== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-01-31T18:19:02Z" mac: ENC[AES256_GCM,data:E/XAsuv+EqFud686SHuRp6XZ4f8uoXMI2rnPI733lQg/x/zuvCoOil9AtnQpStnu9wchlbee/y53uUDzAdTiYsjBCRqqt+19iAPnRHPZ2eb82SPetIRA8leKhiJFtOpHFTmlPYHCokxVBH6qLDjaJj/1Dx7Iv9xoAB4ECYnWxTo=,iv:wY5p++ixK5KA+Xnpuj0/3YBLMr/CQwIm3Nj3DzQC4II=,tag:f+7rincFHPEJZp+QJ2iiMQ==,type:str] - pgp: - - created_at: "2023-01-30T10:58:04Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DXxoViZlp6dISAQdAEEQ+ELalInEqD7WVWPyhz9C2WGOAqYZdW8wHn+i7c3cw - HgPkJXA0JJBawtQ+eqWtVBbmZbabVdiZ7xOAlVQWrVXa7tN7s2y4yY6KESB/5NFo - 
0l4BvOF0KdMDkBx9rhVakSfCJ9w/3ZodD2tZ/KgttamnsYg9EwI2xDSsFowK0gUM - 2t7ZnDbDsQCrIR0y/qL5DwFVVKlvbDl5ZGLq5Py/ECMh5WdsEQ0dqBmeytxN44gw - =SxAd - -----END PGP MESSAGE----- - fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 + pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix index 3442a93a..bd3aa0de 100644 --- a/hosts/sif/hw.nix +++ b/hosts/sif/hw.nix 
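Review bot: The recipient change in hosts/sif/gkleen-rclone.yaml leaves `lastmodified` and `mac` as unchanged context, which suggests the sops data key was only re-wrapped for the two new age recipients and not rotated. If so, the dropped age recipient and the PGP key `fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51` can still decrypt the previous revision in git history and recover the same data key and values, so removing them here does not revoke their access. If the removal is meant as revocation, rotate the data key (`sops -r` on 3.7.x, `sops rotate` on newer releases) and replace the stored secrets themselves. The same applies to the hosts/sif/mail/secrets.yaml hunk at the end of the patch.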
@@ -1,25 +1,65 @@ { config, lib, pkgs, ... }: { - fileSystems."/" = - { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2"; - fsType = "btrfs"; - }; + fileSystems = { + "/boot" = + { device = "LABEL=boot"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + "/.bcachefs" = + { device = "LABEL=sif"; + fsType = "bcachefs"; + neededForBoot = true; + }; + "/nix" = + { device = "/.bcachefs/nix"; + fsType = "none"; + options = [ "bind" ]; + }; + "/root" = + { device = "/.bcachefs/root"; + fsType = "none"; + options = [ "bind" ]; + }; + "/var/log" = + { device = "/.bcachefs/var/log"; + fsType = "none"; + options = [ "bind" ]; + }; + "/var/lib/sops-nix" = + { device = "/.bcachefs/var/lib/sops-nix"; + fsType = "none"; + options = [ "bind" ]; + neededForBoot = true; + }; + "/var/lib/nixos" = + { device = "/.bcachefs/var/lib/nixos"; + fsType = "none"; + options = [ "bind" ]; + neededForBoot = true; + }; + "/var/lib/chrony" = + { device = "/.bcachefs/var/lib/chrony"; + fsType = "none"; + options = [ "bind" ]; + }; + "/var/lib/systemd" = + { device = "/.bcachefs/var/lib/systemd"; + fsType = "none"; + options = [ "bind" ]; + neededForBoot = true; + }; + "/home" = + { device = "/.bcachefs/home"; + fsType = "none"; + options = [ "bind" ]; + }; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/B3A2-D029"; - fsType = "vfat"; - }; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28"; - fsType = "btrfs"; - }; - - fileSystems."/var/media" = - { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096"; - fsType = "btrfs"; - }; + swapDevices = [ + { device = "LABEL=swap"; } + ]; nix.settings.max-jobs = 12; # High-DPI console diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml index 5ac36cc6..3c74b710 100644 --- a/hosts/sif/mail/secrets.yaml +++ b/hosts/sif/mail/secrets.yaml 
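Review bot: The new `/boot` entry mounts the vfat partition with `fmask=0022` and `dmask=0022`, which leaves every file on it readable by all local users. Unless something unprivileged has to read that partition, `options = [ "fmask=0077" "dmask=0077" ];` is the tighter choice. It matters most if the boot loader keeps a random seed there or the initrd embeds secrets, neither of which is visible in this hunk. Separately, `swapDevices` points at `LABEL=swap` with no encryption option. If that partition sits outside the `nvm0`/`nvm1` LUKS containers, memory contents are written to disk in the clear; `randomEncryption.enable = true;` would cover that when hibernation is not needed.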
@@ -5,28 +5,26 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d + - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYkM2VWRIZzZCQUVYeThv - eWhHZE5GVFVOSUtLcDBXQmhtdFhuTThBdTF3ClNVcDl3SUdRMGJXOENyNWdSb21z - OXY1QUNwUjRrbU00b2hHS3pJM3diTFkKLS0tIEFxV2JSbWphdEEzbE8xbkd2cXBz - dEhFSDVKbFJJZWRPY3o2am94ZURJL2cKwJkjD9jarS3zdcNBVpx3cIjh8XmXCL+C - AN1T7DQjzQpD65Mdbj9QqXx1p0HmjO/sqr1yNQopub8oQneLbtx8Gg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MVYrR1ZrUXVhYVIvdTdS + OUxoOGhRZ3p2dFhCYkxta1REYy9FWTFEZVNJCjhpQ0VMcWdkWWQ1blZyVVpGWk81 + UVBTZzNKSis2ZVVNdFA4TldvL05oMWcKLS0tIEl0TU8xQUhkTk83dDhzYU5aeCtR + OVcrdFRaeGxZL2kxT3VzUnBtWEI1Y1UK8LwKTus25P/nQrMJG5MOuR/lD2PCgeLC + WYBIbFusX//mwr1nymyWnHXkfXf8uHzpc6rJGFoa+TuOVU3elYB/Pg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcUs2OGp6WWN5cm9IVDdx + TFRpZTJXQjBXeGp3RytPaFdjR3UyVURnYmhZCnh3SDNYR0J1US9vcEhTbmJCNm5r + emJReml2QTNkTC93M0lpYlpNbTc4TGsKLS0tIGZ4YkE4STQ2dmh4akJVcnZOUVhT + MTNrOGxqZmFWSnl0U3lVTnllbEFTN28KKv/W6tk2YlNQV8fotfjSLg1HOs6OdMj4 + GkZ30jQYfwmFYEA8YPn9JXbVNpprXd0d6ufLl/tAQckT6lsqGhwzeg== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-02-02T14:45:23Z" mac: ENC[AES256_GCM,data:UdM/VmdfqhYm1aFCHaO0mbJA/oyV/J2oKVVmGDa0Co3MWq9aWMqP726O+rLk36W0HOG4fmue//R1Q524au2hMW9bZUFzrubfQt2V78tZRZeHCJSRmOmi1D1EDdfPz9J3oWDvIEgIIsAk5H5EuuH0j6FILye6tzcomNGDAKZbwuc=,iv:a7dJAqkcroLp01gkGKV5gm6gTIIMa/9P8qJn44ISrw0=,tag:R9/6X6mgfVSLK7bmoWRnfQ==,type:str] - pgp: - - created_at: "2023-01-30T10:58:14Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DXxoViZlp6dISAQdAYwW96YVgfK1Y3Ue1EA3qbE3zw4k4gdTnzWeBB2Ljux4w - urG4pwe47rkuq3e1TMdZxxDeZe0OvLwaZBVfD+eFVUrnLYbkrm4shvrq+6xv70Zm - 
0l4BvG9W6VvUXNyKR0Bl65K/hqm8A7GOBPfB35npsY+1ufeJJYdmxX6n7dL94SX5 - he4m9JRuiyPrRxomudU5nrWLQwKQk8WtavExfVq6zIlnkhlGerKbxDVEIsFaDleT - =7IFo - -----END PGP MESSAGE----- - fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 + pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 -- cgit v1.2.3