initial nix migration changes

configuration for moving /nix to ZFS Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
2024-04-29 15:42:44 -04:00 · 2024-04-29 15:42:44 -04:00 · f043a00d51
commit f043a00d51
parent 4d66e8d1d9
2 changed files with 46 additions and 34 deletions
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@ -1,13 +1,32 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
  keygen = key: {
-    "${key}" = {
-      format = "binary";
-      sopsFile = ./keys/${key};
-      mode = "0400";
-      path = "/crypto/keys/${key}";
-    };
+    format = "binary";
+    sopsFile = ./keys/${key};
+    mode = "0400";
+    path = "/crypto/keys/${key}";
  };
+  bootkey = key: { "/crypto/keys/${key}" = /crypto/keys/${key}; };
+  zfskeys = [
+    "zfs-attic-key"
+    "zfs-backup-key"
+    "zfs-calibre-key"
+    "zfs-db-key"
+    "zfs-docker-key"
+    "zfs-games-key"
+    "zfs-hydra-key"
+    "zfs-libvirt-key"
+    "zfs-main-key"
+    "zfs-nxtcld-key"
+    "zfs-torr-key"
+    "zfs-var-docker-key"
+    "zfs-nix-store-key"
+  ];
 in
 {

@ -37,6 +56,7 @@ in
      "vm.swappiness" = 10;
    };
    binfmt.emulatedSystems = [ "aarch64-linux" ];
+    initrd.secrets = lib.mergeAttrsList (map bootkey zfskeys);
  };

  nix = {
@ -253,33 +273,20 @@ in

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets =
-      {
-        "hydra/environment".owner = "hydra";
-        "nix-serve/secret-key".owner = "root";
-        "attic/secret-key".owner = "root";
-        "attic/database-url".owner = "root";
-        "postgres/init".owner = "postgres";
-        "alice/gha-hydra-token" = {
-          sopsFile = ../../users/alice/secrets.yaml;
-          owner = "hydra";
-          group = "hydra";
-          mode = "440";
-        };
-        "upsmon/password".owner = "root";
-      }
-      // keygen "zfs-attic-key"
-      // keygen "zfs-backup-key"
-      // keygen "zfs-calibre-key"
-      // keygen "zfs-db-key"
-      // keygen "zfs-docker-key"
-      // keygen "zfs-games-key"
-      // keygen "zfs-hydra-key"
-      // keygen "zfs-libvirt-key"
-      // keygen "zfs-main-key"
-      // keygen "zfs-nxtcld-key"
-      // keygen "zfs-torr-key"
-      // keygen "zfs-var-docker-key";
+    secrets = {
+      "hydra/environment".owner = "hydra";
+      "nix-serve/secret-key".owner = "root";
+      "attic/secret-key".owner = "root";
+      "attic/database-url".owner = "root";
+      "postgres/init".owner = "postgres";
+      "alice/gha-hydra-token" = {
+        sopsFile = ../../users/alice/secrets.yaml;
+        owner = "hydra";
+        group = "hydra";
+        mode = "440";
+      };
+      "upsmon/password".owner = "root";
+    };
  };

  system.stateVersion = "23.05";
--- a/systems/palatine-hill/hardware.nix
+++ b/systems/palatine-hill/hardware.nix
@ -38,5 +38,10 @@
      device = "/dev/disk/by-uuid/4CBA-2451";
      fsType = "vfat";
    };
+    "/nix" = {
+      device = "ZFS-primary/nix";
+      fsType = "zfs";
+      depends = [ "/crypto/keys" ];
+    };
  };
 }