rekey secrets for h003 users, update h003 config and hardware

2025-08-05 17:48:33 -05:00 · 2025-08-05 17:48:33 -05:00 · 59070a754d
commit 59070a754d
parent cb259c04d7
24 changed files with 971 additions and 837 deletions
--- a/hosts/h003/configuration.nix
+++ b/hosts/h003/configuration.nix
@ -1,8 +1,6 @@
 {
-  pkgs,
-  config,
  ...
 }:
 {
-
+  system.stateVersion = "25.05"; # Did you read the comment?
 }
--- a/hosts/h003/hardware-configuration.nix
+++ b/hosts/h003/hardware-configuration.nix
@ -4,6 +4,7 @@
 {
  config,
  lib,
+  pkgs,
  modulesPath,
  ...
 }:
@ -14,33 +15,69 @@
  ];

  boot.initrd.availableKernelModules = [
-    "ehci_pci"
-    "ahci"
+    "nvme"
    "xhci_pci"
-    "firewire_ohci"
-    "usb_storage"
    "usbhid"
+    "usb_storage"
    "sd_mod"
-    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" = {
-    device = "/dev/disk/by-label/NIXROOT";
-    fsType = "ext4";
-  };
-
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/NIXBOOT";
    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  boot.initrd.secrets = {
+    "/keyfile_nvme0n1p1" = "/boot/keyfile_nvme0n1p1";
+  };
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    keyFile = "/keyfile_nvme0n1p1";
+    allowDiscards = true; # Allows SSD TRIM to manage wear on SSD
+  };
+
+  fileSystems."/" = {
+    device = "/dev/mapper/cryptroot";
+    fsType = "btrfs";
+    options = [
+      "subvol=root"
+      "compress=zstd"
+      "noatime"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/cryptroot";
+    fsType = "btrfs";
+    options = [
+      "subvol=nix"
+      "compress=zstd"
+      "noatime"
+    ];
+  };
+
+  fileSystems."/.snapshots" = {
+    device = "/dev/mapper/cryptroot";
+    fsType = "btrfs";
+    options = [
+      "subvol=snapshots"
+      "compress=zstd"
+      "noatime"
+    ];
  };

  swapDevices = [
    {
      device = "/.swapfile";
-      size = 18 * 1024; # 18GB
+      size = 32 * 1024; # 32 GiB
    }
  ];

@ -49,8 +86,10 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }