initial nix migration changes
configuration for moving /nix to ZFS Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
This commit is contained in:
parent
4d66e8d1d9
commit
f043a00d51
@ -1,13 +1,32 @@
|
|||||||
{ config, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
let
|
let
|
||||||
keygen = key: {
|
keygen = key: {
|
||||||
"${key}" = {
|
format = "binary";
|
||||||
format = "binary";
|
sopsFile = ./keys/${key};
|
||||||
sopsFile = ./keys/${key};
|
mode = "0400";
|
||||||
mode = "0400";
|
path = "/crypto/keys/${key}";
|
||||||
path = "/crypto/keys/${key}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
bootkey = key: { "/crypto/keys/${key}" = /crypto/keys/${key}; };
|
||||||
|
zfskeys = [
|
||||||
|
"zfs-attic-key"
|
||||||
|
"zfs-backup-key"
|
||||||
|
"zfs-calibre-key"
|
||||||
|
"zfs-db-key"
|
||||||
|
"zfs-docker-key"
|
||||||
|
"zfs-games-key"
|
||||||
|
"zfs-hydra-key"
|
||||||
|
"zfs-libvirt-key"
|
||||||
|
"zfs-main-key"
|
||||||
|
"zfs-nxtcld-key"
|
||||||
|
"zfs-torr-key"
|
||||||
|
"zfs-var-docker-key"
|
||||||
|
"zfs-nix-store-key"
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
@ -37,6 +56,7 @@ in
|
|||||||
"vm.swappiness" = 10;
|
"vm.swappiness" = 10;
|
||||||
};
|
};
|
||||||
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||||
|
initrd.secrets = lib.mergeAttrsList (map bootkey zfskeys);
|
||||||
};
|
};
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
@ -253,33 +273,20 @@ in
|
|||||||
|
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ./secrets.yaml;
|
defaultSopsFile = ./secrets.yaml;
|
||||||
secrets =
|
secrets = {
|
||||||
{
|
"hydra/environment".owner = "hydra";
|
||||||
"hydra/environment".owner = "hydra";
|
"nix-serve/secret-key".owner = "root";
|
||||||
"nix-serve/secret-key".owner = "root";
|
"attic/secret-key".owner = "root";
|
||||||
"attic/secret-key".owner = "root";
|
"attic/database-url".owner = "root";
|
||||||
"attic/database-url".owner = "root";
|
"postgres/init".owner = "postgres";
|
||||||
"postgres/init".owner = "postgres";
|
"alice/gha-hydra-token" = {
|
||||||
"alice/gha-hydra-token" = {
|
sopsFile = ../../users/alice/secrets.yaml;
|
||||||
sopsFile = ../../users/alice/secrets.yaml;
|
owner = "hydra";
|
||||||
owner = "hydra";
|
group = "hydra";
|
||||||
group = "hydra";
|
mode = "440";
|
||||||
mode = "440";
|
};
|
||||||
};
|
"upsmon/password".owner = "root";
|
||||||
"upsmon/password".owner = "root";
|
};
|
||||||
}
|
|
||||||
// keygen "zfs-attic-key"
|
|
||||||
// keygen "zfs-backup-key"
|
|
||||||
// keygen "zfs-calibre-key"
|
|
||||||
// keygen "zfs-db-key"
|
|
||||||
// keygen "zfs-docker-key"
|
|
||||||
// keygen "zfs-games-key"
|
|
||||||
// keygen "zfs-hydra-key"
|
|
||||||
// keygen "zfs-libvirt-key"
|
|
||||||
// keygen "zfs-main-key"
|
|
||||||
// keygen "zfs-nxtcld-key"
|
|
||||||
// keygen "zfs-torr-key"
|
|
||||||
// keygen "zfs-var-docker-key";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "23.05";
|
||||||
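Review bot: The new `initrd.secrets = lib.mergeAttrsList (map bootkey zfskeys);` line copies every raw ZFS dataset key from `/crypto/keys` into the initrd, and `boot.initrd.secrets` appends those files to the initrd image on the boot partition without encryption, so if /boot is an unencrypted ESP (the hardware configuration below mounts a `vfat` device) the keys are readable from it and the dataset encryption no longer protects against offline reads of the whole disk, only of the pool. That may be the accepted trade-off for an unattended boot, but it deserves a comment on the line, e.g. `# NOTE: these keys are appended in cleartext to the initrd on /boot; protect /boot (and old generations' initrds) accordingly`. Separately, the third hunk drops the `// keygen "zfs-…-key"` chain from `sops.secrets` while the first hunk keeps `keygen` and adds the `zfskeys` list; unless the merge moved to a hunk not shown, nothing in this file now declares the sops secrets that materialize `/crypto/keys/<key>`, and `secrets = { … } // lib.mergeAttrsList (map keygen zfskeys);` would be the consistent replacement. Since `boot.initrd.secrets` is read when the bootloader is installed, the first rebuild after this change presumably has to run after sops has already placed those files, otherwise initrd generation would fail on the missing sources. The `boot` attribute set holding `initrd.secrets` starts outside the hunk.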
|
@ -38,5 +38,10 @@
|
|||||||
device = "/dev/disk/by-uuid/4CBA-2451";
|
device = "/dev/disk/by-uuid/4CBA-2451";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
"/nix" = {
|
||||||
|
device = "ZFS-primary/nix";
|
||||||
|
fsType = "zfs";
|
||||||
|
depends = [ "/crypto/keys" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
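Review bot: `depends = [ "/crypto/keys" ]` on the new `/nix` entry only orders this mount after another `fileSystems` entry mounted at `/crypto/keys`, and no such entry is visible here; if `/crypto/keys` is just a directory populated at activation or from the initrd secrets, the attribute has no effect and the real prerequisite is that the dataset key is loaded in stage 1 before `zfs mount` runs. As far as I can tell that requires the encrypted `ZFS-primary/nix` dataset's `keylocation` to point at a file that exists inside the initrd (the destination path given to `boot.initrd.secrets`), otherwise stage 1 falls back to prompting for a passphrase; a comment such as `# key must be loadable in stage 1 (see boot.initrd.secrets); depends only orders against other fileSystems mounts` would record that. Because this file is normally produced by nixos-generate-config, a regeneration will silently drop the entry, which is worth noting in the same comment. The enclosing `fileSystems` set starts before the hunk.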
|