From ebc446116cae1bcaea10b3273361e4cf5185d5ca Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Sat, 20 Jul 2024 00:48:48 +0200
Subject: [PATCH] Re-deploy `sisko` with `impermanence`

---
 flake.lock                         | 16 ++++++++
 flake.nix                          |  1 +
 hosts/default.nix                  |  5 ++-
 hosts/picard/default.nix           |  2 +-
 hosts/sisko/default.nix            | 65 +++++++++++++++++-------------
 hosts/sisko/disko.nix              | 29 ++++++++++---
 modules/forgejo/default.nix        |  8 +---
 modules/home-assistant/default.nix |  4 +-
 modules/nginx-base/default.nix     |  4 ++
 9 files changed, 89 insertions(+), 45 deletions(-)

diff --git a/flake.lock b/flake.lock
index 099dbf5..7b0925b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -852,6 +852,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1719091691,
+        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "kernel-src": {
       "flake": false,
       "locked": {
@@ -1653,6 +1668,7 @@
         "hercules-ci-effects": "hercules-ci-effects_3",
         "homeManager": "homeManager",
         "homeManagerGitWorkspace": "homeManagerGitWorkspace",
+        "impermanence": "impermanence",
         "lix": "lix",
         "lix-module": "lix-module",
         "mobile-nixos": "mobile-nixos",
diff --git a/flake.nix b/flake.nix
index 2299602..7b754e0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,6 +68,7 @@
       flake = false;
     };
     arion.url = "github:hercules-ci/arion";
+    impermanence.url = "github:nix-community/impermanence";
   };
 
   outputs = inputs @ {flakeParts, ...}:
diff --git a/hosts/default.nix b/hosts/default.nix
index 7ec9a15..8adb65e 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -160,6 +160,7 @@ extraModules = with inputs; [ disko.nixosModules.disko arion.nixosModules.arion + impermanence.nixosModules.impermanence # lix-module.nixosModules.default # inputs.hercules-ci-agent.nixosModules.agent-service; # rock5b.nixosModules.default @@ -173,8 +174,8 @@ "home-planimetry".owner = "hass"; "cloudflare-dyndns-api-token" = {}; "restic-hetzner-password" = {}; - "minio-credentials".owner = "minio"; - "aws-credentials".owner = "hercules-ci-agent"; + # "minio-credentials".owner = "minio"; + # "aws-credentials".owner = "hercules-ci-agent"; "hass-ssh-key".owner = "hass"; # "matrix-registration-shared-secret".owner = "matrix-synapse"; # "matrix-sliding-sync-secret".owner = "matrix-synapse"; diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index 9b63f91..3dc217d 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -32,7 +32,7 @@ "restic" "binfmt" "greetd" - "syncthing" + # "syncthing" "hass-poweroff" "forgejo-runners" "teamviewer" diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index 760e9e4..6ec4fd2 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -13,7 +13,7 @@ "wireguard-server" "mediatomb" "transmission" - "hercules-ci" + # "hercules-ci" "home-assistant" "adguard-home" "cloudflare-dyndns" @@ -21,13 +21,13 @@ "invidious" "searx" "rock5b-samba" - "paperless" - "restic" - "syncthing" - "minio" - # "matrix" + # "paperless" + # "restic" + # "syncthing" + # "minio" + # # "matrix" "forgejo" - # "jellyfin" + # # "jellyfin" # "immich" ] ++ [ @@ -62,8 +62,6 @@ ccr.enable = true; - # services.rock5b-fan-control.enable = true; - nixpkgs.hostPlatform = "aarch64-linux"; swapDevices = []; 
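Review bot: The `minio-credentials` and `aws-credentials` declarations are commented out rather than removed, and if the `minio` or `hercules-ci` modules still read `config.age.secrets.minio-credentials.path` or `config.age.secrets.aws-credentials.path`, re-enabling either module on any host will now fail at evaluation with the secret attribute undefined. Either keep the two declarations or delete the dead entries together with the module references that use them, since git history already preserves the old lines. The attrset these secret entries belong to starts and ends outside the hunk.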
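Review bot: Disabling `"restic"` here, combined with the `backup.paths` → `environment.persistence` swaps in the forgejo and home-assistant hunks, leaves sisko with no off-host backup path that I can see in this commit: `/persist` survives a reboot, but it is a single ext4 partition on the same SSD, so the forgejo stateDir (and the `dump.enable` output, which by default lands inside that stateDir), the Home Assistant config and `/var/lib/postgresql` no longer reach the restic job at all. If the backup module is meant to come back later, a `# TODO: restic disabled — nothing under /persist is backed up off-host` comment on the `# "restic"` line would keep the gap visible. Separately, `# # "matrix"` and `# # "jellyfin"` were already commented out and now carry a doubled marker; those two lines should stay as they were. The list these entries belong to starts outside the hunk.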
@@ -84,26 +82,35 @@ "console=ttyS0,1500000" ]; - # fileSystems."/mnt/film" = { - # device = "//ccr.ydns.eu/film"; - # fsType = "cifs"; - # options = let - # credentials = pkgs.writeText "credentials" '' - # username=guest - # password= - # ''; - # in ["credentials=${credentials},x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"]; - # }; - # fileSystems."/mnt/archivio" = { - # device = "//ccr.ydns.eu/archivio"; - # fsType = "cifs"; - # options = let - # credentials = pkgs.writeText "credentials" '' - # username=guest - # password= - # ''; - # in ["credentials=${credentials},x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"]; - # }; + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/etc/NetworkManager/system-connections" + "/var/db/dhcpcd/" + "/var/lib/NetworkManager/" + "/var/lib/nixos" + "/var/lib/systemd" + "/var/lib/systemd/coredump" + "/var/log" + "/var/lib/containers" + "/var/lib/postgresql" + ]; + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + + age.identityPaths = [ + "/persist/etc/ssh/ssh_host_ed25519_key" + "/persist/etc/ssh/ssh_host_rsa_key" + ]; + + fileSystems."/persist".neededForBoot = true; + boot.tmp.cleanOnBoot = true; fileSystems."/mnt/hd" = { device = "/dev/disk/by-id/ata-WDC_WD10EADS-22M2B0_WD-WCAV52709550-part1"; diff --git a/hosts/sisko/disko.nix b/hosts/sisko/disko.nix index 325dbcf..b1fda80 100644 --- a/hosts/sisko/disko.nix +++ b/hosts/sisko/disko.nix @@ -7,6 +7,10 @@ let # old_hd = "/dev/disk/by-id/ata-WDC_WD5000AAKX-08U6AA0_WD-WCC2E5TR40FU"; in { disko.devices = { + nodev."/" = { + fsType = "tmpfs"; + mountOptions = ["size=1024M" "defaults" "mode=755"]; + }; disk = { ssd = { device = ssd; 
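Review bot: The SSH host keys are persisted through `files`, and on a fresh `/persist` impermanence creates a `files` entry that does not yet exist as an empty placeholder before sshd's key generation runs, so I would verify that generation still succeeds against a bind-mounted empty file rather than leaving the host without usable keys (and `age.identityPaths` without an identity to decrypt with); pointing `services.openssh.hostKeys` at the `/persist/etc/ssh/...` paths, exactly as `age.identityPaths` already does, sidesteps the question and keeps the two in agreement. `"/var/lib/systemd/coredump"` is already covered by the `"/var/lib/systemd"` entry two lines above it, and persisting core dumps across reboots keeps process memory images — which can contain service secrets — around longer than needed, so I would drop the nested entry and consider disabling core dump storage instead. Setting `fileSystems."/persist".neededForBoot = true` is the right call given `age.identityPaths` reads from there at activation. The enclosing module attrset starts and ends outside the hunk.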
@@ -17,20 +21,35 @@ in { ESP = { label = "ESP"; type = "EF00"; - size = "1G"; + size = "1024M"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; }; }; - root = { - label = "root"; - size = "100%"; + nixroot = { + size = "100G"; content = { type = "filesystem"; format = "ext4"; - mountpoint = "/"; + mountpoint = "/nix"; + }; + }; + persist = { + size = "100G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/persist"; + }; + }; + tmp = { + end = "0"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/tmp"; }; }; }; diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index 8a1f821..1365115 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -29,15 +29,11 @@ SHOW_FOOTER_VERSION = false; }; }; - mailerPasswordFile = config.age.secrets.autistici-password.path; + secrets.mailer.PASSWD = config.age.secrets.autistici-password.path; dump.enable = true; }; - systemd.tmpfiles.rules = [ - "d ${config.services.forgejo.stateDir} 770 forgejo forgejo" - ]; - - backup.paths = [ + environment.persistence."/persist".directories = [ config.services.forgejo.stateDir ]; diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix index 99f86c7..b21f37c 100644 --- a/modules/home-assistant/default.nix +++ b/modules/home-assistant/default.nix @@ -210,8 +210,8 @@ in { }; }; - backup.paths = [ - "/var/lib/hass" + environment.persistence."/persist".directories = [ + config.services.home-assistant.configDir ]; # virtualisation.oci-containers = { diff --git a/modules/nginx-base/default.nix b/modules/nginx-base/default.nix index 8baeece..fa8dd61 100644 --- a/modules/nginx-base/default.nix +++ b/modules/nginx-base/default.nix @@ -16,4 +16,8 @@ recommendedProxySettings = true; recommendedTlsSettings = true; }; + + environment.persistence."/persist".directories = [ + "/var/lib/acme" + ]; }
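Review bot: The new `nixroot`, `persist` and `tmp` partitions drop the `label` the old `root` partition carried, so anything that referenced the disk by partlabel would need updating, and `/tmp` — now a world-writable on-disk filesystem — is given no `mountOptions`; `mountOptions = ["nosuid" "nodev"];` on the `tmp` content, mirroring the option list used on the tmpfs `/` entry earlier in this file, keeps setuid binaries and device nodes out of it (I would not add `noexec`, since Nix builds run there). Beyond that, `/persist` is plain ext4 holding the SSH host keys, `/etc/machine-id` and the service state the other hunks move there, which is the same at-rest exposure the old unencrypted root had — if disk encryption is ever wanted, this is the partition to put a LUKS layer under. The `partitions` attrset these entries belong to starts outside the hunk.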
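Review bot: The removed tmpfiles rule was the only thing here setting the stateDir to `770 forgejo forgejo`; the replacement `environment.persistence` entry is a bare path, and impermanence creates missing persisted directories as root:root 0755, so on a fresh `/persist` the directory's ownership now depends on whether the forgejo service corrects it itself — the same question applies to `config.services.home-assistant.configDir` and `/var/lib/acme` in the following two hunks and to `/var/lib/postgresql` in the sisko hunk. The attrset form carries the ownership explicitly: `{ directory = config.services.forgejo.stateDir; user = "forgejo"; group = "forgejo"; mode = "0770"; }`. Moving from `mailerPasswordFile` to `secrets.mailer.PASSWD` keeps the password as an agenix-managed file path rather than a literal, which is the right direction. The `services.forgejo` attrset this hunk edits starts outside the hunk.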