author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2022-08-06 12:02:36 +0200 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2022-08-06 12:05:29 +0200 |
commit | d4bf84aa8d41f1bc12bdc49c10a0afdfb87f9f07 (patch) | |
tree | d2946c34af9dc90e0d6b34a72f7803dbe5050b99 /hosts/phobos | |
parent | Firefox: Remove bypass-paywalls extension (diff) | |
download | nixos-config-d4bf84aa8d41f1bc12bdc49c10a0afdfb87f9f07.tar.gz nixos-config-d4bf84aa8d41f1bc12bdc49c10a0afdfb87f9f07.tar.bz2 nixos-config-d4bf84aa8d41f1bc12bdc49c10a0afdfb87f9f07.zip |
Phobos: Change filesystem to be encrypted+stateless
Diffstat (limited to 'hosts/phobos')
-rw-r--r-- | hosts/phobos/default.nix | 13 | ||||
-rw-r--r-- | hosts/phobos/hardware.nix | 26 |
2 files changed, 30 insertions, 9 deletions
diff --git a/hosts/phobos/default.nix b/hosts/phobos/default.nix
index 5bdd524..c31d832 100644
--- a/hosts/phobos/default.nix
+++ b/hosts/phobos/default.nix
@@ -1,6 +1,8 @@
 { config, pkgs, lib, secrets, hostname, inputs, user, ... }:
 {
 imports = [
+ "${inputs.impermanence}/nixos.nix"
+
 ./hardware.nix
 ../../modules/bluetooth
@@ -35,6 +37,17 @@
 '';
 */
+ environment.persistence."/persist" = {
+ directories = [
+ "/var/log"
+ "/var/lib"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ ];
+ };
+
 environment.etc."nix-index/files".source = inputs.nix-index.legacyPackages.x86_64-linux.database;
 }
diff --git a/hosts/phobos/hardware.nix b/hosts/phobos/hardware.nix
index 4833668..478449b 100644
--- a/hosts/phobos/hardware.nix
+++ b/hosts/phobos/hardware.nix
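Review bot: In the second hunk of default.nix, `directories` persists the whole of `/var/lib`, so nearly all daemon state, and whatever credentials services store there, survives every reboot and the tmpfs root gives little statelessness for services. Listing only the subdirectories this host needs would make what outlives a reboot reviewable. The list also has no entry for login or SSH host identity: with `/` on tmpfs, `/etc/shadow` and `/etc/ssh` are rebuilt at each boot, so unless passwords and host keys are declared elsewhere in the configuration (not visible in this hunk) they reset on reboot. A one-line comment above `files` saying why `/etc/nix/id_rsa` is kept and that it must stay on the encrypted volume would help; the enclosing module body starts outside the hunk.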
@@ -15,29 +15,37 @@ in
 kernelParams = [ "net.ifnames=0" "biosdevname=0" "iomem=relaxed" "mitigations=off" ];
 };
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ };
+
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/0A8B-3968";
 fsType = "vfat";
 };
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/9a450653-8369-4850-af4f-cbec7cac8a99";
- fsType = "btrfs";
- options = [ "subvol=root" "compress-force=zstd" "noatime" ];
- };
+ boot.initrd.luks.devices."encrypted_root".device = "/dev/disk/by-uuid/095dc267-9281-4535-9491-b3fcded614a8";
- fileSystems."/home" = {
- device = "/dev/disk/by-uuid/9a450653-8369-4850-af4f-cbec7cac8a99";
+ fileSystems."/persist" = {
+ device = "/dev/mapper/encrypted_root";
 fsType = "btrfs";
- options = [ "subvol=home" "compress-force=zstd" ];
+ neededForBoot = true;
+ options = [ "subvol=persist" "compress-force=zstd" "noatime" ];
 };
 fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/9a450653-8369-4850-af4f-cbec7cac8a99";
+ device = "/dev/mapper/encrypted_root";
 fsType = "btrfs";
 options = [ "subvol=nix" "compress-force=zstd" "noatime" ];
 };
+ fileSystems."/home" = {
+ device = "/dev/mapper/encrypted_root";
+ fsType = "btrfs";
+ options = [ "subvol=home" "compress-force=zstd" ];
+ };
+
 swapDevices = [ ];
 powerManagement.cpuFreqGovernor = powerMode; |
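Review bot: The new `fileSystems."/"` tmpfs entry sets no `options`, so the root directory is mounted with the tmpfs defaults, which are mode 1777 and a size cap of half of RAM. A world-writable `/` lets any local account create top-level entries, and programs that check ownership and modes along a path may refuse to work under it. Adding `options = [ "defaults" "size=2G" "mode=755" ];` to that block addresses both; the size shown is an example value to be chosen for this machine. The enclosing attribute set starts and ends outside the hunk.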