dotfiles/hosts/i001/hardware-mounts.nix

{ lib, pkgs, ... }:
# Filesystem layout for host i001: a vfat EFI partition plus a single bcachefs
# volume that is split into subvolumes (@root, @nix, @swap, @persist, ...) and
# mounted piecewise via X-mount.subdir. `lib` is needed for mkAfter further
# down; `pkgs` is only referenced from commented-out code in this file.
let
  # EFI system partition, mounted at /boot.
  BOOT = "/dev/disk/by-uuid/ABDB-2A38";
  # The one bcachefs volume behind "/", /nix, /.snapshots, /.swap and /persist.
  PRIMARY = "/dev/disk/by-uuid/08610781-26d3-456f-9026-35dd4a40846f";
  # NOTE(review): not referenced anywhere in this file -- presumably reserved
  # for the unlock-from-USB-key approach sketched in the comments below.
  USB_KEY = "/dev/disk/by-uuid/9985-EBD1";
in
{
# BOOT
# EFI system partition. fmask/dmask=0022 leave every file and directory under
# /boot readable by all local users; worth keeping in mind because the kernel
# and initrd images (and anything baked into them) are normally installed here.
fileSystems."/boot" = {
  device = BOOT;
  fsType = "vfat";
  options = [
    "fmask=0022"
    "dmask=0022"
  ];
};
# PRIMARY
# "/" is the @root subdirectory of the bcachefs volume. The
# boot.initrd.postResumeCommands hook below deletes and recreates @root on
# every boot, so the root filesystem is ephemeral; state that must survive a
# reboot belongs under the /persist mount.
fileSystems."/" = {
  device = PRIMARY;
  fsType = "bcachefs";
  options = [
    "X-mount.subdir=@root"
  ];
};
# TODO optional?
# fileSystems."/.old_roots" = {
# device = PRIMARY;
# fsType = "bcachefs";
# options = [
# "X-mount.mkdir"
# "X-mount.subdir=@old_roots"
# ];
# };
# Nix store on its own subvolume so it is untouched by the per-boot reset of
# @root. relatime only updates atime when it is older than mtime/ctime, which
# keeps metadata writes low on the read-mostly store.
fileSystems."/nix" = {
  device = PRIMARY;
  fsType = "bcachefs";
  options = [
    "X-mount.mkdir" # create the mount point if it does not exist yet
    "X-mount.subdir=@nix"
    "relatime"
  ];
};
# NOTE(review): this mounts the same @root subdirectory that "/" uses, so
# /.snapshots is a second view of the live root rather than a snapshot area.
# The commented rollback-root sketch at the bottom refers to "@snapshots";
# this looks like a copy/paste slip -- confirm which subvolume is intended.
fileSystems."/.snapshots" = {
  device = PRIMARY;
  fsType = "bcachefs";
  options = [
    "X-mount.mkdir"
    "X-mount.subdir=@root"
    "relatime"
  ];
};
# Subvolume intended to hold a swap file (noatime: no access-time updates on
# the swap area). No swap file is actually configured yet -- swapDevices
# below is an empty list.
fileSystems."/.swap" = {
  device = PRIMARY;
  fsType = "bcachefs";
  options = [
    "X-mount.mkdir"
    "X-mount.subdir=@swap"
    "noatime"
  ];
};
# (optional) for preservation/impermanence
# Home for state that has to outlive the per-boot reset of @root; a
# preservation/impermanence module can bind-mount or symlink paths from here.
fileSystems."/persist" = {
  device = PRIMARY;
  fsType = "bcachefs";
  options = [
    "X-mount.mkdir"
    "X-mount.subdir=@persist"
  ];
};
# SWAP
# Empty: no swap is enabled on this host. The commented entry shows the
# intended swap file on the /.swap subvolume (size is given in MiB).
swapDevices = [
  # {
  # device = "/.swap/swapfile";
  # size = 8 * 1024; # Creates an 8GB swap file
  # }
];
# PRIMARY unencrypt
# TODO how to auto unencrypt with options...
# - USB key
# - TPM
# boot.initrd.availableKernelModules = [ "bcachefs" ];
# boot.initrd.extraUtilsCommands = ''
# copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs
# '';
#
# # Method 1, prompt user for password on boot
# boot.initrd.preDeviceCommands = ''
# ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}
# '';
# # Run unlock before devices are scanned/mounted
# boot.initrd.preDeviceCommands = ''
# echo "Unlocking bcachefs..."
# # Example: ask for a passphrase
# /bin/echo -n "Bcachefs passphrase: "
# /bin/stty -echo
# read PASSPHRASE
# /bin/stty echo
# echo
#
# # Use the passphrase to unlock the device
# # Replace /dev/disk/by-uuid/XXXX with your actual device
# echo "$PASSPHRASE" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock /dev/disk/by-uuid/XXXX
# '';
# systemd-based stage 1. NOTE(review): the systemd initrd does not run the
# scripted stage-1 hooks (preDeviceCommands, postResumeCommands, ...) and, as
# far as I recall, NixOS asserts that they are empty when it is enabled -- so
# the boot.initrd.postResumeCommands block below is either rejected at
# evaluation time or never executed. The commented unlock-primary /
# rollback-root units are the shape that work needs in a systemd initrd.
boot.initrd.systemd.enable = true;
# Filesystems stage 1 must be able to mount: the bcachefs root and the ESP.
boot.supportedFilesystems = [
  "bcachefs"
  "vfat"
];
# boot.initrd.extraUtilsCommands = ''
# copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs
# copy_bin_and_libs ${pkgs.keyutils}/bin/keyctl
# '';
# boot.initrd.systemd.services.unlock-primary = {
# description = "Unlock bcachefs root with key";
# wantedBy = [ "initrd-root-device.target" ];
# before = [ "initrd-root-device.target" ];
# unitConfig.DefaultDependencies = "no";
# serviceConfig = {
# Type = "oneshot";
# # Wait for USB disk; you can refine this with udev-based Wants=/Requires=
# ExecStart = pkgs.writeShellScript "bcachefs-unlock-initrd" ''
# set -eu
# ${pkgs.keyutils}/bin/keyctl link @u @s
# echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}
# exit 0
# '';
# };
# };
# boot.initrd.systemd.services.unlock-primary = {
# description = "Unlock bcachefs root with key";
# wantedBy = [ "initrd-root-device.target" ];
# before = [ "initrd-root-device.target" ];
# unitConfig.DefaultDependencies = "no";
# serviceConfig = {
# Type = "oneshot";
# # Wait for USB disk; you can refine this with udev-based Wants=/Requires=
# ExecStart = pkgs.writeShellScript "bcachefs-unlock-initrd" ''
# echo "Waiting for USB key with label SECRETKEY..."
# for i in $(seq 1 20); do
# if [ -e /dev/disk/by-label/SECRETKEY ]; then
# break
# fi
# sleep 0.5
# done
#
# if [ ! -e /dev/disk/by-label/SECRETKEY ]; then
# echo "USB key not found; failing."
# exit 1
# fi
#
# mkdir -p /mnt-key
# mount -t vfat /dev/disk/by-label/SECRETKEY /mnt-key
#
# echo "Unlocking bcachefs..."
# ${pkgs.bcachefs-tools}/bin/bcachefs unlock \
# --keyfile /mnt-key/bcachefs.key \
# /dev/disk/by-uuid/YOUR_BCACHEFS_UUID
#
# umount /mnt-key
# '';
# };
# };
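boot.initrd.postResumeCommands = lib.mkAfter ''
  # Reset the root subvolume on every boot: the current @root is archived as a
  # snapshot under @old_roots (zstd-compressed), archives older than 30 days
  # are pruned, and a fresh empty @root is created before "/" is mounted from
  # it. Anything that must survive a reboot has to live outside @root (for
  # example under the /persist mount defined above).
  #
  # SECURITY NOTE(review): the unlock passphrase is a string literal in this
  # file, so it ends up in the world-readable Nix store and in the initrd image
  # under /boot (mounted with fmask/dmask=0022, i.e. readable by every local
  # user). That cancels the benefit of encrypting PRIMARY; the key should be
  # read from the USB key file or a TPM-sealed secret (see the commented
  # approaches above) rather than embedded here. Left as-is so this review does
  # not alter the boot path.
  echo "test" | bcachefs unlock ${PRIMARY}

  # Absolute mount target: the original mounted onto the relative path
  # "primary_tmp/", which depends on the working directory of stage 1.
  mkdir -p /primary_tmp
  mount ${PRIMARY} /primary_tmp

  # Create the archive directory unconditionally so a first boot (no @root yet)
  # does not trip the prune below on a missing path.
  mkdir -p /primary_tmp/@old_roots
  bcachefs set-file-option /primary_tmp/@old_roots --compression=zstd

  if [ -e /primary_tmp/@root ]; then
    # Name the archived root after the mtime of the subvolume being retired.
    timestamp=$(date -d "@$(stat -c %Y /primary_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
    bcachefs subvolume snapshot /primary_tmp/@root "/primary_tmp/@old_roots/$timestamp"
    bcachefs subvolume delete /primary_tmp/@root
  fi

  # Prune archived roots older than 30 days. The original searched
  # "old_roots" (missing the "@") and lacked -mindepth 1, so once @old_roots
  # itself was 30 days old it would have been matched and deleted too; -exec
  # also avoids word-splitting the paths.
  find /primary_tmp/@old_roots/ -mindepth 1 -maxdepth 1 -mtime +30 \
    -exec bcachefs subvolume delete {} \;

  bcachefs subvolume create /primary_tmp/@root
  umount /primary_tmp
'';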
# Reset root
# TODO
# boot.initrd.systemd.services.rollback-root = {
# description = "Rollback Root Filesystem to Blank Snapshot";
# wantedBy = [ "initrd.target" ];
# after = [ "persist.mount" ];
# requires = [ "persist.mount" ];
# before = [ "sysroot.mount" ];
# unitConfig.DefaultDependencies = false;
# serviceConfig = {
# Type = "oneshot";
# ExecStart = """
# ${pkgs.bcachefs-tools}/bin/bcachefs subvolume snapshot @root @snapshots/root_$()
# ${pkgs.bcachefs-tools}/bin/bcachefs subvolume delete @root
# ${pkgs.bcachefs-tools}/bin/bcachefs subvolume create @root
# ${pkgs.bcachefs-tools}/bin/bcachefs unlock
# """;
# "/bin/sh -c 'bcachefs subvolume delete /persist/@root; bcachefs subvolume snapshot /persist/@root-blank /persist/@root'";
# };
# };
}