luks migration, home migration fixes
@@ -167,6 +167,7 @@ rec {
|
||||
outputs
|
||||
server
|
||||
system
|
||||
home
|
||||
;
|
||||
};
|
||||
modules = [
|
||||
|
||||
+4
-1
@@ -3,6 +3,7 @@
|
||||
inputs,
|
||||
outputs,
|
||||
server,
|
||||
home,
|
||||
system,
|
||||
...
|
||||
}:
|
||||
@@ -22,6 +23,9 @@
|
||||
mutableUsers = lib.mkDefault false;
|
||||
};
|
||||
|
||||
networking.firewall.enable = lib.mkDefault true;
|
||||
}
|
||||
// lib.optionalAttrs home {
|
||||
home-manager = {
|
||||
useGlobalPkgs = true;
|
||||
useUserPackages = true;
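Review bot: The `// lib.optionalAttrs home { ... }` at the end of this hunk is a plain attribute-set update, which replaces a top-level attribute rather than merging it: if the base set closed by the `}` above also defines `home-manager`, only the block from the optional set survives, and Nix reports no error. That is easy to miss later because the `//` sits between two closing braces, so a future `home-manager.*` line added to the base set would silently disappear whenever `home` is true. If such an overlap is possible, writing the conditional part as a module fragment, e.g. `lib.mkMerge [ { ... } (lib.mkIf home { home-manager = { ... }; }) ]`, lets the module system merge both definitions instead. The base attribute set begins before this hunk, so I cannot tell whether the overlap exists today.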
|
||||
@@ -34,5 +38,4 @@
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.enable = lib.mkDefault true;
|
||||
}
|
||||
|
||||
@@ -13,8 +13,18 @@
|
||||
useNetworkd = true;
|
||||
};
|
||||
|
||||
# Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
|
||||
boot.useSystemdBoot = lib.mkForce false;
|
||||
# Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
|
||||
# TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
|
||||
# After first install, enroll with:
|
||||
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
|
||||
boot = {
|
||||
useSystemdBoot = lib.mkForce false;
|
||||
loader.grub.enable = lib.mkOverride 0 false;
|
||||
initrd = {
|
||||
systemd.enable = true;
|
||||
luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
|
||||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
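Review bot: The enrollment command in the comment binds the LUKS key to PCRs 0+7, but on a Raspberry Pi 4 booting through U-Boot/extlinux (as the comment on the preceding line states) nothing necessarily measures the firmware, kernel or initrd into the TPM unless U-Boot is built with measured-boot support; if those PCRs stay at their reset value, the policy would release the key to any kernel booted on this board with the HAT attached. Before relying on `tpm2-device=auto` in the initrd, confirm that the selected PCRs hold real measurements and change when the boot chain changes (for example compare `tpm2_pcrread sha256:0,7` before and after a firmware or kernel update); if they do not, enrolling with `--tpm2-with-pin=yes` keeps a second factor in front of the sealed key. Record the result next to the command, e.g. `# NOTE: PCR 0+7 binding only protects the key if U-Boot extends these PCRs — verified on <firmware version placeholder>`.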
|
||||
|
||||
+30
-20
@@ -6,16 +6,13 @@
|
||||
type = "disk";
|
||||
device = "/dev/mmcblk0";
|
||||
content = {
|
||||
type = "table";
|
||||
format = "mbr";
|
||||
partitions = [
|
||||
{
|
||||
# Raspberry Pi firmware partition — must be vfat and first
|
||||
name = "firmware";
|
||||
type = "primary";
|
||||
start = "1MiB";
|
||||
end = "512MiB";
|
||||
bootable = true;
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
# Raspberry Pi firmware partition — must be vfat and first
|
||||
firmware = {
|
||||
size = "256MiB";
|
||||
type = "EF00";
|
||||
priority = 1;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
@@ -25,20 +22,33 @@
|
||||
"dmask=0077"
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
# Root filesystem
|
||||
name = "root";
|
||||
type = "primary";
|
||||
start = "512MiB";
|
||||
end = "100%";
|
||||
};
|
||||
# NixOS boot partition — holds kernels/initrds for each generation
|
||||
boot = {
|
||||
size = "1GiB";
|
||||
priority = 2;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
# Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
|
||||
root = {
|
||||
size = "100%";
|
||||
priority = 3;
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "cryptroot";
|
||||
settings.allowDiscards = true;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
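Review bot: `settings.allowDiscards = true;` on the new `cryptroot` LUKS container forwards TRIM/discard through the encrypted mapping, which lets anyone reading the raw SD card see which blocks are unused and so infer filesystem size and usage patterns. It is a common trade-off in favour of flash wear and space reclamation, but it should be a deliberate one rather than an unexplained default. Suggest recording it next to the option, e.g. `settings.allowDiscards = true; # TRIM passthrough: reveals free-space layout on the raw device; accepted for flash wear`, or drop the option if that leakage matters more than card longevity on this host.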
|
||||
|
||||
@@ -40,6 +40,9 @@
|
||||
dbus = {
|
||||
enable = true;
|
||||
implementation = "broker";
|
||||
packages = with pkgs; [
|
||||
gcr
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -207,6 +207,14 @@ in
|
||||
};
|
||||
};
|
||||
};
|
||||
rbw = {
|
||||
enable = true;
|
||||
settings = {
|
||||
lockTimeout = 300;
|
||||
pinentry = pkgs.pinentry-gnome3;
|
||||
email = "snowinginwonderland@gmail.com";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.gnome-keyring.enable = true;
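Review bot: `lockTimeout = 300;` in the new `rbw` block is an unexplained number; as far as I know rbw interprets its lock timeout in seconds, so this makes the agent drop the unlocked vault key after five minutes, considerably shorter than rbw's documented default of 3600. Since this is a deliberate choice about how long the master key stays in memory, a comment would help the next reader, e.g. `lockTimeout = 300; # seconds; agent forgets the vault key after 5 min (rbw default 3600)`.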
|
||||
@@ -268,7 +276,7 @@ in
|
||||
|
||||
nextcloud-client
|
||||
bitwarden-cli
|
||||
bitwarden-menu
|
||||
rofi-rbw-wayland
|
||||
wtype
|
||||
obsidian
|
||||
libreoffice-qt-fresh
|
||||
|
||||