diff --git a/docs/setup.sh b/docs/setup.sh
index 0b2d39a4..5b41d84f 100755
--- a/docs/setup.sh
+++ b/docs/setup.sh
@@ -29,14 +29,14 @@
 git add keys/hosts/`hostname`.asc
 git commit -am "Setup: `whoami`@`hostname`"
 git push
+# Fix gnupg permissions:
+find ~/.gnupg -type f -exec chmod 600 {} \;
+find ~/.gnupg -type d -exec chmod 700 {} \;
+
 echo
 echo
 echo "Complete. Once '.sops.yaml' is updated, "
 echo "you may run 'update-secrets'"
 echo "and reboot."
-# Update your .sops.yaml with this key
-echo "Upd
-
-
 popd
\ No newline at end of file
diff --git a/nixos/hosts/nixos-framework/disks.nix b/nixos/hosts/nixos-framework/disks.nix
index b2d6bc72..6cfa6d2c 100644
--- a/nixos/hosts/nixos-framework/disks.nix
+++ b/nixos/hosts/nixos-framework/disks.nix
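Review bot: The new `find ~/.gnupg` lines hard-code the default keyring path, so on a machine where `GNUPGHOME` is set (gpg honours it) the real keyring keeps whatever loose permissions gpg is warning about and `find` fails on a default directory that may not exist. Use `gnupg_home="${GNUPGHOME:-$HOME/.gnupg}"` followed by `find "$gnupg_home" -type f -exec chmod 600 {} +` and `find "$gnupg_home" -type d -exec chmod 700 {} +`; the `+` terminator also batches the chmod calls instead of forking once per entry. Whether a failing `find` stops the script depends on a `set -e` that would sit above this hunk, outside it, as does the `pushd` paired with the trailing `popd`.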
@@ -1,72 +1,67 @@
 {
- boot.loader.grub.device = "/dev/nvme0";
- disko.devices = {
- disk = {
- nvme0 = {
- device = "/dev/nvme0";
- content = {
- type = "table";
- format = "gpt";
- partitions = [
- {
- name = "BOOT";
- start = "0%";
- end = "550MiB";
- bootable = true;
- flags = [ "esp" ];
- fs-type = "fat32";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- } # partition 1
- {
- name = "SWAP";
- start = "550 MiB";
- end = "120GiB";
- content = {
- type = "luks";
- name = "LUKS-SWAP";
- extraOpenArgs = [ "--allow-discards" ];
- settings.keyFile = "";
- content = {
- type = "swap";
- };
- };
- } # partition 2
- {
- name = "ROOT";
- start = "120GiB";
- end = "100%";
- content = {
- type = "luks";
- name = "LUKS-ROOT";
- extraOpenArgs = [ "--allow-discards" ];
- settings.keyFile = "/tmp/secret.key";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "/root" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" ];
- }; # root
- "/home" = {
- mountpoint = "/home";
- mountOptions = [ "compress=zstd" "noatime" ];
- }; # home
- "/nix" = {
- mountpoint = "/nix";
- mountOptions = [ "compress=zstd" "noatime" ];
- }; # nix
- }; # subvolumes
- }; # content.content
- }; # content
- } # partition 3
- ]; # partitions
- }; # content
- }; # sda
- }; # disk
- }; # disko.devices
+ boot.loader.grub.device = "/dev/nvme0n1";
+ boot.initrd.luks.devices."nvme0n1p2".device = "/dev/nvme0n1p2";
+ services.btrfs.autoScrub.enable = true;
+ services.btrfs.autoScrub.interval = "weekly";
+
+ disko.devices.disk.nvme0 = {
+ device = "/dev/nvme0n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "BOOT";
+ start = "0%";
+ end = "550MiB";
+ bootable = true;
+ flags = [ "esp" ];
+ fs-type = "fat32";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ } # partition 1 (ESP)
+ {
+ name = "LUKS";
+ start = "550MiB";
+ end = "-64GiB";
+ content = {
+ type = "luks";
+ name = "ROOT";
+ extraOpenArgs = [ "--allow-discards" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # root
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # home
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ }; # nix
+ }; # subvolumes
+ }; # content.content
+ }; # content
+ } # partition 2 (/ BTRFS)
+ {
+ name = "SWAP";
+ start = "-64GiB";
+ end = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ resumeDevice = true; # resume from hiberation from this device
+ };
+ } # partition 3 (SWAP)
+ ]; # partitions
+ }; # content
+ }; # disko.devices.disk.sda
 } # root
\ No newline at end of file
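Review bot: The new SWAP partition sets both `randomEncryption = true;` and `resumeDevice = true;`, which pull in opposite directions: random encryption keys the swap with a fresh key on every boot, so a hibernation image written there cannot be read back after a reboot and resume will fail, and the NixOS `swapDevices.*.randomEncryption` option documentation warns against hibernating with it enabled for exactly that reason. Decide which property matters: if swap must never hold recoverable memory contents, keep `randomEncryption = true;` and drop `resumeDevice = true;`; if hibernation is wanted, the swap needs to be LUKS content with a persistent key (as the removed LUKS-SWAP partition was) so the image is both encrypted and resumable. The comment on the same line also misspells "hibernation" as "hiberation". Separately, `boot.initrd.luks.devices."nvme0n1p2"` looks like it duplicates the initrd LUKS entry disko already derives from the `name = "ROOT"` luks content for the same device, so confirm it does not make the initrd try to open `/dev/nvme0n1p2` twice.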