luks migration, home migration fixes

This commit is contained in:
2026-05-03 17:33:56 -04:00
parent 43c026c451
commit b4233b8f1c
6 changed files with 59 additions and 24 deletions
+1
@@ -167,6 +167,7 @@ rec {
outputs outputs
server server
system system
home
; ;
}; };
modules = [ modules = [
+4 -1
@@ -3,6 +3,7 @@
inputs, inputs,
outputs, outputs,
server, server,
home,
system, system,
... ...
}: }:
@@ -22,6 +23,9 @@
mutableUsers = lib.mkDefault false; mutableUsers = lib.mkDefault false;
}; };
networking.firewall.enable = lib.mkDefault true;
}
// lib.optionalAttrs home {
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
@@ -34,5 +38,4 @@
}; };
}; };
networking.firewall.enable = lib.mkDefault true;
} }
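Review bot: The new `home,` argument at the top of the module has no default, so every evaluation of this module now fails with a "called without required argument" error unless the caller threads `home` through specialArgs, which the first file does for only one host. Giving it a default, `home ? false,`, keeps the `lib.optionalAttrs home { … }` switch working for hosts that never set it. The module's attrset is split across the two hunks and its opening line is outside the diff, so I could not confirm whether any other expression in the file also references `home`.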
+12 -2
@@ -13,8 +13,18 @@
useNetworkd = true; useNetworkd = true;
}; };
# Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
boot.useSystemdBoot = lib.mkForce false; # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
# After first install, enroll with:
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
boot = {
useSystemdBoot = lib.mkForce false;
loader.grub.enable = lib.mkOverride 0 false;
initrd = {
systemd.enable = true;
luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
};
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
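Review bot: The enrollment documented in the comment binds the LUKS key to PCRs 0+7 only, and those registers do not cover the kernel or initrd, which this same commit's disko change places on an unencrypted ext4 `/boot` partition; the TPM will therefore still release `cryptroot`'s key to a replaced initrd on the same card, the usual weakness of fully unattended unlock. If that is the accepted threat model for this device, record it next to the enrollment line; otherwise consider a PIN with the TPM, `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-with-pin=yes --recovery-key /dev/mmcblk0p3`, so unlock needs something beyond possession of the board. `/dev/mmcblk0p3` matches the new GPT order (firmware, boot, root) but is positional; a `/dev/disk/by-partlabel/…` path would survive reordering — I could not confirm the partlabel disko assigns here. The enclosing module attrset begins and ends outside this hunk.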
+30 -20
@@ -6,16 +6,13 @@
type = "disk"; type = "disk";
device = "/dev/mmcblk0"; device = "/dev/mmcblk0";
content = { content = {
type = "table"; type = "gpt";
format = "mbr"; partitions = {
partitions = [ # Raspberry Pi firmware partition — must be vfat and first
{ firmware = {
# Raspberry Pi firmware partition — must be vfat and first size = "256MiB";
name = "firmware"; type = "EF00";
type = "primary"; priority = 1;
start = "1MiB";
end = "512MiB";
bootable = true;
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
@@ -25,20 +22,33 @@
"dmask=0077" "dmask=0077"
]; ];
}; };
} };
{ # NixOS boot partition — holds kernels/initrds for each generation
# Root filesystem boot = {
name = "root"; size = "1GiB";
type = "primary"; priority = 2;
start = "512MiB";
end = "100%";
content = { content = {
type = "filesystem"; type = "filesystem";
format = "ext4"; format = "ext4";
mountpoint = "/"; mountpoint = "/boot";
}; };
} };
]; # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
root = {
size = "100%";
priority = 3;
content = {
type = "luks";
name = "cryptroot";
settings.allowDiscards = true;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
}; };
}; };
}; };
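Review bot: `settings.allowDiscards = true;` on the new `cryptroot` container (second hunk, root partition) passes TRIM through the encryption layer, which exposes which blocks of the card are unused to anyone who reads it offline; that is normally a deliberate trade for flash wear levelling, but the file does not say so. A one-line comment makes the decision reviewable: `settings.allowDiscards = true; # leaks free-space layout through the cipher; accepted for SD-card wear levelling`. The `/boot` partition added above `root` holds the initrd unencrypted, which matters for the TPM auto-unlock configured in the host file of this commit — see the note there. The `type = "disk"` attrset these hunks belong to opens before the first hunk.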
+3
@@ -40,6 +40,9 @@
dbus = { dbus = {
enable = true; enable = true;
implementation = "broker"; implementation = "broker";
packages = with pkgs; [
gcr
];
}; };
}; };
+9 -1
@@ -207,6 +207,14 @@ in
}; };
}; };
}; };
rbw = {
enable = true;
settings = {
lockTimeout = 300;
pinentry = pkgs.pinentry-gnome3;
email = "snowinginwonderland@gmail.com";
};
};
}; };
services.gnome-keyring.enable = true; services.gnome-keyring.enable = true;
@@ -268,7 +276,7 @@ in
nextcloud-client nextcloud-client
bitwarden-cli bitwarden-cli
bitwarden-menu rofi-rbw-wayland
wtype wtype
obsidian obsidian
libreoffice-qt-fresh libreoffice-qt-fresh
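Review bot: `lockTimeout = 300;` in the new `rbw` block gives no unit or rationale, and whether five minutes is seconds or something else is exactly what a reader will wonder; `lockTimeout = 300; # seconds of idle before the agent forgets the unlocked vault key` documents it. The block also commits a personal account email in clear text next to `pinentry`; since the tree already uses sops for secrets, consider whether that value belongs in the repository at all — a judgement call, not a defect. The `programs` attrset containing `rbw` starts above this hunk and the package list in the second hunk continues below it.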