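# NixOS module for an image-based appliance ("patos"): systemd-boot + UKI,
# an A/B pair of dm-verity protected erofs root partitions, and a btrfs
# /home encrypted with a TPM2-enrolled LUKS key. /etc and the user database
# are immutable; runtime state under /var is not persisted across reboots.
{
  config,
  lib,
  pkgs,
  ...
}:
{
  imports = [
    ./updater.nix
    ./ssh.nix
    ./builder.nix
    ./veritysetup.nix
  ];

  # Bundle the built image files together with a SHA256SUMS manifest.
  # Only hashes are produced here, no signature: if the updater (updater.nix,
  # not shown) verifies signatures, a detached SHA256SUMS.gpg still has to be
  # produced at release time with a key kept off the build host — confirm
  # against updater.nix.
  system.build.updatePackage = pkgs.runCommand "update-package" { } ''
    mkdir "$out"
    cd "$out"
    cp "${config.system.build.image}"/* .
    ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
  '';

  # GPT layout consumed by systemd-repart. Every slot is pinned to a fixed
  # size (Min == Max) so A and B images stay interchangeable. The "b" slots
  # are created empty and read-only; presumably the updater fills them
  # later (A/B scheme) — verify against updater.nix.
  systemd.repart.partitions = {
    "10-esp" = {
      Type = "esp";
      Format = "vfat";
      SizeMinBytes = "96M";
      SizeMaxBytes = "96M";
    };
    # Verity hash tree and its erofs root for slot A. No Format= here:
    # their contents come from the built image (builder.nix /
    # veritysetup.nix, not shown).
    "20-root-verity-a" = {
      Type = "root-verity";
      SizeMinBytes = "64M";
      SizeMaxBytes = "64M";
    };
    "22-root-a" = {
      Type = "root";
      SizeMinBytes = "512M";
      SizeMaxBytes = "512M";
    };
    # Slot B: allocated but left empty until an update lands.
    "30-root-verity-b" = {
      Type = "root-verity";
      SizeMinBytes = "64M";
      SizeMaxBytes = "64M";
      Label = "_empty";
      ReadOnly = 1;
    };
    "32-root-b" = {
      Type = "root";
      SizeMinBytes = "512M";
      SizeMaxBytes = "512M";
      Label = "_empty";
      ReadOnly = 1;
    };
    # Persistent user/state data; may grow to fill the remaining disk.
    "40-home" = {
      Type = "home";
      Format = "btrfs";
      SizeMinBytes = "512M";
      # LUKS-encrypted with a key sealed to the TPM2 when the partition is
      # created. NOTE(review): no PCR selection or signed PCR policy is
      # visible in this file, so repart's default binding applies — choose
      # explicitly which PCRs (and whether a signed policy) the key is
      # sealed to, otherwise an altered boot chain may still unseal /home;
      # confirm in the repart invocation options.
      Encrypt = "tpm2";
    };
  };

  boot.loader.grub.enable = false;
  # systemd-boot is allowed to write its boot entry into EFI NVRAM.
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;
  boot.uki.name = "patos";

  boot.initrd = {
    compressor = "zstd";
    compressorArgs = [ "-8" ];

    # Ship LUKS/dm-crypt support in the initrd even though no initrd LUKS
    # device is declared in this file — presumably so the TPM2-encrypted
    # /home (40-home above) can be unlocked early; verify against home.mount.
    luks.forceLuksSupportInInitrd = true;
    kernelModules = [
      "dm_mod"
      "dm_crypt"
    ] ++ config.boot.initrd.luks.cryptoModules;

    # erofs for the verity-protected root, btrfs for /home.
    supportedFilesystems = {
      btrfs = true;
      erofs = true;
    };

    # systemd-based initrd; repart runs inside it.
    systemd.enable = true;
    systemd.repart.enable = true;
    systemd.services.systemd-repart = {
      # Run repart only once the root is mounted. mkForce replaces the
      # module's own `after` list rather than extending it.
      after = lib.mkForce [ "sysroot.mount" ];
      requires = [ "sysroot.mount" ];
      serviceConfig.Environment = [
        # Do not TRIM the new btrfs volume at mkfs time.
        "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
      ];
    };
  };

  # Immutable /etc (no writable overlay) and a purely declarative user
  # database: no runtime account or password changes survive.
  system.etc.overlay.mutable = false;
  users.mutableUsers = false;

  # Root is a read-only erofs pinned to its dm-verity root hash. The hash is
  # only as trustworthy as the kernel command line that carries it, i.e. the
  # UKI itself must be trusted (signed/measured) — that is not configured in
  # this file.
  boot.kernelParams = [
    "rootfstype=erofs"
    "rootflags=ro"
    "roothash=${config.system.build.verityRootHash}"
  ];

  # /var lives in RAM: anything under it (logs and the journal included,
  # caches, service state) is lost on reboot. Forward logs off-box if they
  # are needed for incident response.
  fileSystems."/var" = {
    fsType = "tmpfs";
    options = [ "mode=0755" ];
  };

  # Required to mount the efi partition
  boot.kernelModules = [
    "vfat"
    "nls_cp437"
    "nls_iso8859-1"
  ];

  # Store SSH host keys on /home since /etc is read-only.
  # /home is the TPM2-encrypted partition above, so the private key is
  # encrypted at rest; sshd still expects the key file itself to be
  # root-only (0600) — confirm how ssh.nix/the generator creates it.
  services.openssh.hostKeys = [
    {
      path = "/home/.ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];

  # Empty machine-id shipped as a regular file: any mode other than
  # "symlink" copies the file into /etc instead of linking into the store,
  # presumably so systemd can bind-mount its generated id over it on the
  # read-only /etc (verify against the boot log). 0444 is sufficient for a
  # data file; the earlier 0755 set an executable bit it never needs.
  environment.etc."machine-id" = {
    text = "";
    mode = "0444";
  };

  # Refuse to boot on mount failure
  systemd.targets."sysinit".requires = [ "local-fs.target" ];

  # Make sure home gets mounted
  systemd.targets."local-fs".requires = [ "home.mount" ];
}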