ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions 1 Packages Projects Releases Wiki Activity

Compare commits

merge into: ahuston-0/nix-dotfiles:feature/tang-zfs
Branches Tags
ahuston-0/nix-dotfiles:main ahuston-0/nix-dotfiles:feature/otel-fixes ahuston-0/nix-dotfiles:feature/tang-zfs ahuston-0/nix-dotfiles:feature/kanidm ahuston-0/nix-dotfiles:feature/mvpf ahuston-0/nix-dotfiles:feature/stoneblock ahuston-0/nix-dotfiles:feature/add-jessica ahuston-0/nix-dotfiles:feature/hetzner-bridge ahuston-0/nix-dotfiles:feature/setting-up-greylog ahuston-0/nix-dotfiles:feature/add-unpackerr ahuston-0/nix-dotfiles:feature/onboarding-kubernetes
..
pull from: ahuston-0/nix-dotfiles:feature/otel-fixes
Branches Tags
ahuston-0/nix-dotfiles:feature/otel-fixes ahuston-0/nix-dotfiles:feature/tang-zfs ahuston-0/nix-dotfiles:main ahuston-0/nix-dotfiles:feature/kanidm ahuston-0/nix-dotfiles:feature/mvpf ahuston-0/nix-dotfiles:feature/stoneblock ahuston-0/nix-dotfiles:feature/add-jessica ahuston-0/nix-dotfiles:feature/hetzner-bridge ahuston-0/nix-dotfiles:feature/setting-up-greylog ahuston-0/nix-dotfiles:feature/add-unpackerr ahuston-0/nix-dotfiles:feature/onboarding-kubernetes

6 Commits
feature/tang-zfs .. feature/otel-fixes

Author SHA1 Message Date
ahuston-0 5b6dddaccd garage fixes 2026-05-05 01:08:00 -04:00
ahuston-0 5aabaeb40a garage fixes 2026-05-05 01:04:40 -04:00
ahuston-0 0bad146c8d otel fixes 2026-05-05 00:58:27 -04:00
ahuston-0 5a788af829 update key 2026-05-05 00:51:49 -04:00
ahuston-0 240fb983c9 garage fixes 2026-05-05 00:40:12 -04:00
ahuston-0 b056a52273 otel fixes 2026-05-05 00:36:35 -04:00
18 changed files with 150 additions and 448 deletions
Expand all files Collapse all files
.github/instructions/sops-secrets-readonly.instructions.md
-32
View File
@@ -1,32 +0,0 @@
---
description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
applyTo: "**"
---
# SOPS Secrets Files — Read-Only
Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
## Rules
- **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
- **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
- **Always prompt the user** to make the change themselves using:
```bash
sops edit <path-to-secrets.yaml>
```
- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
- You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
## Example
Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:
> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
>
> ```yaml
> kanidm:
> gitea_oidc_client_secret: "<your-generated-secret>"
> ```
.sops.yaml
-10
View File
@@ -9,10 +9,6 @@ keys:
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
# argiletum: replace placeholder after first boot with:
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# then run: sops updatekeys systems/argiletum/secrets.yaml
- &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# cspell:enable
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
@@ -59,9 +55,3 @@ creation_rules:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/argiletum/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *argiletum
docs/ADRs/0001-zfs-initrd-key-design.md
-206
View File
@@ -1,206 +0,0 @@
> Note: This document was AI-generated and reviewed by a maintainer.
# ADR 0001 — ZFS Native Encryption: Non-Interactive initrd Key Loading
| | |
|---|---|
| **Status** | Accepted |
| **Date** | 2026-05-03 |
| **Deciders** | Alice Huston |
| **Affects** | `systems/palatine-hill/hardware-changes.nix`, `systems/palatine-hill/zfs.nix` |
---
## Context
`palatine-hill` uses ZFS native encryption for the `/nix` dataset (`ZFS-primary/nix`). The ZFS encryption key was stored on a separate LVM volume (`/crypto/keys/zfs-nix-store-key`) inside the same LUKS container as root.
This created a forced ordering dependency: the `/nix` dataset could not be unlocked until root (`/`) and `/crypto` were both mounted, even though logically they are independent. Two custom initrd units worked around this:
- `zfs-import-zfs-primary` — polling import loop (duplicates NixOS-native logic)
- `zfs-load-nix-key` — reads key from `/sysroot/crypto/keys/zfs-nix-store-key` after `sysroot.mount`
Additionally, `boot.zfs.requestEncryptionCredentials` was forced off entirely, and a `postBootCommands` fallback ran
`zfs load-key -a` after stage 2 as a belt-and-suspenders measure. LUKS unlock was also interactive, requiring manual
passphrase entry at boot.
### Current initrd dependency graph (before this ADR)
```mermaid
flowchart TD
A([initrd start]) --> B[systemd-udev-settle]
A --> C["LUKS unlock nixos-pv\n⚠ interactive"]
C --> D[LVM activate]
D --> E["sysroot.mount\n/ on ext4"]
D --> F["sysroot-crypto.mount\n/crypto on LVM volume"]
B --> G["zfs-import-zfs-primary\n(custom polling loop, 60s timeout)"]
E --> H["zfs-load-nix-key\n(reads /sysroot/crypto/keys/zfs-nix-store-key)"]
F --> H
G --> H
H --> I["sysroot-nix.mount\nZFS-primary/nix"]
I --> J([initrd-fs.target])
E --> J
J --> K([stage 2])
K --> L["postBootCommands:\nzfs load-key -a"]
```
### Problems with the old approach
1. **Cross-filesystem key dependency**: `/nix` unlock depends on root mount, coupling two logically independent operations.
2. **Duplicated pool import logic**: the custom unit reimplements a polling loop that NixOS already generates natively; upstream fixes don't apply automatically.
3. **Native credential handling fully disabled**: `requestEncryptionCredentials = false` makes the configuration opaque to NixOS module evaluation.
4. **Double key load**: `postBootCommands` is a workaround indicating the initrd path is not reliable.
5. **Interactive LUKS unlock**: manual passphrase entry required at every boot — defeats unattended operation.
---
## Options Considered
### Option A — Key embedded in initrd (`boot.initrd.secrets`)
Store the ZFS key directly inside the initrd cpio archive. The key is available from the very start of stage 1 without mounting anything.
**Pro**: Eliminates the cross-mount dependency; re-enables native NixOS ZFS handling; zero new infrastructure.
**Con**: Key lives in the initrd on `/boot`, which is an unencrypted vfat partition. Anyone with physical or boot-partition read access has the key. Does not solve interactive LUKS unlock.
### Option B — Tang network key fetch (Clevis) ✅ Chosen
Encrypt both secrets (LUKS passphrase and ZFS key) as Clevis JWE blobs. At boot, the initrd reaches a Tang server
on the LAN to decrypt them. NixOS's `boot.initrd.clevis` module natively supports `luks`, `zfs`, and `bcachefs`
**no custom unit is needed for ZFS**.
**Pro**: Key never present on disk in plaintext; unified unlock surface for both LUKS and ZFS; no cross-mount dependency; JWE blobs on disk are useless without the Tang server.
**Con**: Adds Tang server as a boot dependency; server won't boot if Tang is unreachable.
---
## Decision
**Option B (Tang/Clevis) is adopted** for both the LUKS root device and the ZFS `/nix` dataset.
`boot.initrd.clevis.devices` handles both unlock targets natively. The custom `zfs-load-nix-key` unit is deleted
entirely. The `zfs-import-zfs-primary` unit is retained — the pool must still be imported before Clevis can load the
dataset key.
Static networking is configured in the initrd using systemd-networkd with a static IP (`192.168.76.2/24`). DNS
resolution (`192.168.76.1`, the OPNsense router running Unbound) allows the Tang URL to be `http://tang.lan`.
### New initrd dependency graph
```mermaid
flowchart TD
A([initrd start]) --> N["initrd-networkd\neno1: 192.168.76.2/24\nDNS: 192.168.76.1"]
A --> B[systemd-udev-settle]
N --> T["Tang server\ntang.lan"]
T -->|"boot.initrd.clevis\n.devices.nixos-pv"| C["LUKS unlock nixos-pv\n(Clevis/Tang — unattended)"]
T -->|"boot.initrd.clevis\n.devices.ZFS-primary/nix"| Z["ZFS-primary/nix key load\n(Clevis/Tang — unattended)"]
C --> D[LVM activate]
D --> E["sysroot.mount\n/ on ext4"]
B --> G["zfs-import-zfs-primary\n(custom polling loop — retained)"]
G --> Z
Z --> I["sysroot-nix.mount\nZFS-primary/nix"]
E --> J([initrd-fs.target])
I --> J
J --> L([stage 2 — fully unattended])
```
### Files changed
| File | Change |
|---|---|
| `systems/palatine-hill/hardware-changes.nix` | Removed `requestEncryptionCredentials = mkForce false`, removed `postBootCommands`, added `boot.initrd.clevis` block for both devices, added `boot.initrd.systemd.network` with static IP + DNS, removed `/crypto` from `/nix` depends |
| `systems/palatine-hill/zfs.nix` | Removed `zfs-load-nix-key` unit, added `boot.zfs.requestEncryptionCredentials = false` |
### Comparison
| | Before | After |
|---|---|---|
| Custom initrd units | 2 (import + key load) | 1 (import only; key load is native Clevis) |
| Key source | `/crypto` LVM volume (disk) | Tang server (network) |
| Disk-based key exposure | Key on LVM volume inside LUKS | `.jwe` blob only; useless without Tang |
| Cross-mount dependency | Yes | No |
| LUKS interactive unlock | Yes | No (Clevis/Tang) |
| Unattended boot | No | Yes (when Tang reachable) |
---
## Consequences
- Boot requires Tang server to be reachable on `tang.lan`. If Tang is down, boot stalls at the Clevis timeout. Maintain Tang server uptime accordingly.
- The `.jwe` files are safe to commit to the repository — they are encrypted blobs that are useless without the Tang server's private key.
- Rolling back to a generation without Clevis (pre-ADR) requires manual LUKS passphrase entry at the console; ensure prior generations remain in the bootloader during initial cutover.
---
## Implementation Notes
### Prerequisites
1. Deploy a Tang server on the LAN and create a DNS host override in OPNsense:
- Services → Unbound DNS → Host Overrides → `tang` / `lan` / `<tang IP>`
2. Verify DNS from palatine-hill before rebooting:
```bash
resolvectl query tang.lan
```
### Create the JWE files
Run from the repository root on a machine that has the LUKS passphrase and access to the running `/crypto` volume:
```bash
# LUKS passphrase JWE — substitute your actual passphrase
echo -n "your-luks-passphrase" | \
clevis encrypt tang '{"url":"http://tang.lan"}' \
> systems/palatine-hill/nixos-pv.jwe
# ZFS dataset key JWE — key file from the running system
clevis encrypt tang '{"url":"http://tang.lan"}' \
< /crypto/keys/zfs-nix-store-key \
> systems/palatine-hill/nix-store.jwe
```
### Commit and build
```bash
git add systems/palatine-hill/nixos-pv.jwe systems/palatine-hill/nix-store.jwe
git commit -m "feat(palatine-hill): add Clevis JWE files for Tang-based boot unlock"
nix build .#palatine-hill # verify build succeeds
```
### Deploy
```bash
nh os switch # keep previous generation in bootloader for rollback
```
### Verify after reboot
```bash
# Confirm ZFS dataset was unlocked automatically
zfs get keystatus ZFS-primary/nix
# Expected: keystatus = available
# Check Clevis log output
journalctl -b | grep -i clevis
# Confirm Tang was reached during initrd
journalctl -b | grep -i tang
```
### Rollback procedure (if needed)
Select the previous generation from the systemd-boot menu at boot. You will be prompted interactively for the LUKS passphrase — this is expected for the old generation.
flake.lock
Generated
-21
View File
@@ -68,26 +68,6 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1777713215,
"narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
"owner": "nix-community",
"repo": "disko",
"rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox-addons": {
"inputs": {
"nixpkgs": [
@@ -585,7 +565,6 @@
},
"root": {
"inputs": {
"disko": "disko",
"firefox-addons": "firefox-addons",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
flake.nix
-5
View File
@@ -38,11 +38,6 @@
systems.url = "github:nix-systems/default";
# flake inputs with dependencies (in alphabetic order)
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons = {
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs = {
lib/systems.nix
-1
View File
@@ -167,7 +167,6 @@ rec {
outputs
server
system
home
;
};
modules = [
modules/base.nix
+1 -4
View File
@@ -3,7 +3,6 @@
inputs,
outputs,
server,
home,
system,
...
}:
@@ -23,9 +22,6 @@
mutableUsers = lib.mkDefault false;
};
networking.firewall.enable = lib.mkDefault true;
}
// lib.optionalAttrs home {
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
@@ -38,4 +34,5 @@
};
};
networking.firewall.enable = lib.mkDefault true;
}
systems/argiletum/configuration.nix
-37
View File
@@ -1,37 +0,0 @@
{ lib, ... }:
{
imports = [ ./disk.nix ];
time.timeZone = "America/New_York";
networking = {
hostId = "c3798ccc";
firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
};
useNetworkd = true;
};
# Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
# TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
# After first install, enroll with:
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
boot = {
useSystemdBoot = lib.mkForce false;
loader.grub.enable = lib.mkOverride 0 false;
initrd = {
systemd.enable = true;
luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
services.tang.enable = true;
system.stateVersion = "26.11";
}
systems/argiletum/default.nix
-12
View File
@@ -1,12 +0,0 @@
{ inputs, ... }:
{
system = "aarch64-linux";
server = true;
home = false;
sops = true;
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
inputs.disko.nixosModules.disko
];
}
systems/argiletum/disk.nix
-56
View File
@@ -1,56 +0,0 @@
{
disko.devices = {
disk = {
# SD card — change device to /dev/sda if booting from USB instead
main = {
type = "disk";
device = "/dev/mmcblk0";
content = {
type = "gpt";
partitions = {
# Raspberry Pi firmware partition — must be vfat and first
firmware = {
size = "256MiB";
type = "EF00";
priority = 1;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/firmware";
mountOptions = [
"fmask=0077"
"dmask=0077"
];
};
};
# NixOS boot partition — holds kernels/initrds for each generation
boot = {
size = "1GiB";
priority = 2;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/boot";
};
};
# Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
root = {
size = "100%";
priority = 3;
content = {
type = "luks";
name = "cryptroot";
settings.allowDiscards = true;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
};
}
systems/argiletum/hardware.nix
-7
View File
@@ -1,7 +0,0 @@
# TODO: after first boot, regenerate with:
# sudo nixos-generate-config --no-filesystems
# (disko owns fileSystems; do not add them here)
{ ... }:
{
swapDevices = [ ];
}
systems/artemision/desktop.nix
-3
View File
@@ -40,9 +40,6 @@
dbus = {
enable = true;
implementation = "broker";
packages = with pkgs; [
gcr
];
};
};
systems/palatine-hill/garage.nix
+37 -2
View File
@@ -41,8 +41,43 @@ in
"d ${basePath}/data 0750 garage garage -"
];
systemd.services.garage = {
unitConfig.RequiresMountsFor = [
vars.primary_minio
basePath
"${basePath}/meta"
"${basePath}/data"
];
preStart = ''
mkdir -p ${basePath}/meta ${basePath}/data
chown -R garage:garage ${basePath}/meta ${basePath}/data
'';
serviceConfig = {
PermissionsStartOnly = true;
DynamicUser = false;
User = "garage";
Group = "garage";
};
};
users.groups.garage = { };
users.users.garage = {
isSystemUser = true;
group = "garage";
};
sops.secrets = {
"garage/rpc-secret" = { };
"garage/admin-token" = { };
"garage/rpc-secret" = {
owner = "garage";
group = "garage";
mode = "0400";
restartUnits = [ "garage.service" ];
};
"garage/admin-token" = {
owner = "garage";
group = "garage";
mode = "0400";
restartUnits = [ "garage.service" ];
};
};
}
systems/palatine-hill/hardware-changes.nix
+9 -24
View File
@@ -1,7 +1,11 @@
{ lib, ... }:
{ lib, pkgs, ... }:
{
boot = {
zfs.requestEncryptionCredentials = lib.mkForce false;
postBootCommands = ''
${pkgs.zfs}/bin/zfs load-key -a
'';
initrd = {
services.lvm.enable = true;
luks.devices = {
@@ -12,28 +16,6 @@
};
};
clevis = {
enable = true;
useTang = true;
devices = {
# Unlock LUKS root device via Tang
"nixos-pv".secretFile = ./nixos-pv.jwe;
# Unlock ZFS native-encrypted dataset via Tang
"ZFS-primary/nix".secretFile = ./nix-store.jwe;
};
};
# Static networking needed in initrd so Tang is reachable before any disk mounts
systemd.network = {
enable = true;
networks."10-initrd-eno1" = {
matchConfig.Name = "eno1";
address = [ "192.168.76.2/24" ];
routes = [ { Gateway = "192.168.76.1"; } ];
dns = [ "192.168.76.1" ];
linkConfig.RequiredForOnline = "routable";
};
};
};
};
@@ -55,7 +37,10 @@
"dmask=0077"
];
"/nix".depends = [ "/" ];
"/nix".depends = [
"/"
"/crypto"
];
};
}
systems/palatine-hill/otel.nix
+72 -15
View File
@@ -1,5 +1,6 @@
{
config,
pkgs,
...
}:
{
@@ -8,8 +9,17 @@
services.opentelemetry-collector = {
enable = true;
package = pkgs.opentelemetry-collector-contrib;
settings = {
receivers = {
# Accept OTLP traces/metrics from local services and containers.
otlp = {
protocols = {
grpc.endpoint = "127.0.0.1:4317";
http.endpoint = "127.0.0.1:4318";
};
};
# Host-level system metrics
hostmetrics = {
collection_interval = "60s";
@@ -70,21 +80,55 @@
};
processors = {
batch = { };
memory_limiter = {
check_interval = "1s";
limit_percentage = 75;
spike_limit_percentage = 15;
};
# Attach hostname and other system resource attributes
"resourcedetection/system" = {
detectors = [ "system" ];
system.hostname_sources = [ "os" ];
batch = {
send_batch_size = 8192;
timeout = "5s";
};
attributes = {
actions = [
{
action = "upsert";
key = "deployment.environment";
value = "palatine-hill";
}
];
};
# Attach hostname using the standard resource processor
resource = {
attributes = [
{
action = "upsert";
key = "host.name";
value = "palatine-hill";
}
];
};
};
exporters = {
"otlp/honeycomb" = {
"otlp/honeycomb-metrics" = {
endpoint = "api.honeycomb.io:443";
compression = "gzip";
headers = {
# Expanded at runtime from the environment file
"x-honeycomb-team" = "\${HONEYCOMB_API_KEY}";
"x-honeycomb-team" = "\${file:" + config.sops.secrets."honeycomb/api-key".path + "}";
"x-honeycomb-dataset" = "palatine-hill-metrics";
};
};
"otlp/honeycomb-traces" = {
endpoint = "api.honeycomb.io:443";
compression = "gzip";
headers = {
"x-honeycomb-team" = "\${file:" + config.sops.secrets."honeycomb/api-key".path + "}";
"x-honeycomb-dataset" = "palatine-hill-traces";
};
};
};
@@ -93,25 +137,38 @@
pipelines = {
metrics = {
receivers = [
"otlp"
"hostmetrics"
"prometheus"
];
processors = [
"resourcedetection/system"
"memory_limiter"
"resource"
"attributes"
"batch"
];
exporters = [ "otlp/honeycomb" ];
exporters = [ "otlp/honeycomb-metrics" ];
};
traces = {
receivers = [ "otlp" ];
processors = [
"memory_limiter"
"resource"
"attributes"
"batch"
];
exporters = [ "otlp/honeycomb-traces" ];
};
};
};
};
};
# Inject the Honeycomb API key at runtime — never stored in the Nix store
systemd.services.opentelemetry-collector.serviceConfig.EnvironmentFile =
config.sops.secrets."honeycomb/api-key".path;
sops.secrets = {
"honeycomb/api-key".owner = "root";
"honeycomb/api-key" = {
owner = "root";
restartUnits = [ "opentelemetry-collector.service" ];
};
};
}
systems/palatine-hill/secrets.yaml
+3 -3
View File
@@ -46,7 +46,7 @@ garage:
rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
honeycomb:
api-key: ENC[AES256_GCM,data:k+Z3tmF8pYwD6RokdZauQ/fMlhD5GbW1ekxzRnj0gEpQFlfGB8gQ6BPwbd7qk12ZhsCA4XdqmvsysAWJldYWrPo=,iv:dNAK/vbQYL7ir4UXhZMTWraZF1E6ps9EOF3skYe5wOk=,tag:5UJfCji/RmB5DIuR4179uw==,type:str]
api-key: ENC[AES256_GCM,data:sDhWmpaxLBb+qv/REDEbqpVsTNZBNuuLBGRvv0RYmdAzYBAZUn2OnBTHwgS7Bgv7xRDKgsGW8cOm0gQ8NUdWkmrdwUWvXO8IvDoz3/jzT3y1tw==,iv:mcqnkq3f0FfCnqnN7AdWAE5gDLO7+5PgWyOcK8ZAabs=,tag:+EIMFrp/0LEaf0sFzczK2g==,type:str]
sops:
age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -58,8 +58,8 @@ sops:
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-03T16:28:04Z"
mac: ENC[AES256_GCM,data:dJ00o+Ny6btbOn7Pt5dc4iLx6FHJiTTx7onZDhjxya7Ywg2qAwHTiNP2q2aP6348w5uenlEGrgnV0Dc8xyHfApNCkJwj4G6UnI17jxEGn3lc0ZFNzJJ7jO2CJcwHir0E2G4XdPjmbZUdB3aKmM34dI9EEUWWhNFXdps4X0dNQcM=,iv:vOU3kHq0axRBrkNfVicQ/8H77nF0DGIJlpoDuJmwRGQ=,tag:uvoFkmaaTM8zpr1g2FpCMA==,type:str]
lastmodified: "2026-05-05T04:51:42Z"
mac: ENC[AES256_GCM,data:6o9xR1B6/AhkHu6E2FlgoPjYY3fUaLY/au0pxLVMweNK3F0/C2FZdnnm0HNwb2cRhEdlWcpbYZ5CyZ6CllVMHlJEGZI/SYXmMzkMx19O5E7AQ85T4GXLWlQl1dksIQ4q3p7fhlZ7uSIy83zRYYXEER9yV/35M1UYjIKC19NLcpY=,iv:meYHkoWnaU4iBLckq0HdpwGcabL0fgSBbtHXUNFoM3Y=,tag:AjLqzIFsCGNk60GO9yQVQw==,type:str]
pgp:
- created_at: "2024-11-28T18:56:39Z"
enc: |-
systems/palatine-hill/zfs.nix
+27 -1
View File
@@ -7,7 +7,6 @@
{
boot = {
zfs.extraPools = [ "ZFS-primary" ];
zfs.requestEncryptionCredentials = false;
filesystem = "zfs";
extraModprobeConfig = ''
options zfs zfs_arc_min=82463372083
@@ -86,6 +85,33 @@
fi
'';
};
zfs-load-nix-key = {
description = "Load ZFS key for ZFS-primary/nix in initrd";
wantedBy = [ "initrd-fs.target" ];
requires = [
"sysroot.mount"
"zfs-import-zfs-primary.service"
];
after = [
"sysroot.mount"
"zfs-import-zfs-primary.service"
];
before = [
"initrd-fs.target"
"sysroot-nix.mount"
];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = with pkgs; [ zfs ];
script = ''
key_file="/sysroot/crypto/keys/zfs-nix-store-key"
zfs load-key -L "file://$key_file" "ZFS-primary/nix"
'';
};
};
};
users/alice/non-server.nix
+1 -9
View File
@@ -207,14 +207,6 @@ in
};
};
};
rbw = {
enable = true;
settings = {
lockTimeout = 300;
pinentry = pkgs.pinentry-gnome3;
email = "snowinginwonderland@gmail.com";
};
};
};
services.gnome-keyring.enable = true;
@@ -276,7 +268,7 @@ in
nextcloud-client
bitwarden-cli
rofi-rbw-wayland
bitwarden-menu
wtype
obsidian
libreoffice-qt-fresh