From 82f3a797872df889703aa77152d6fb64b7fb06c2 Mon Sep 17 00:00:00 2001
From: fleaz
Date: Sun, 5 Jun 2022 02:12:55 +0200
Subject: [PATCH] move grub and full-disk-encryption into seperate files

---
 machines/cray/configuration.nix | 40 ++------------------
 machines/jimbo/configuration.nix | 32 +---------------
 machines/milhouse/configuration.nix | 24 +----------
 machines/milhouse/hardware-configuration.nix | 2 +-
 modules/grub.nix | 13 +++++++
 modules/luks.nix | 15 ++++++++
 roles/all.nix | 3 ++
 7 files changed, 40 insertions(+), 89 deletions(-)
 create mode 100644 modules/grub.nix
 create mode 100644 modules/luks.nix

diff --git a/machines/cray/configuration.nix b/machines/cray/configuration.nix
index 9467352..cfa5e4d 100644
--- a/machines/cray/configuration.nix
+++ b/machines/cray/configuration.nix
@@ -2,51 +2,19 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ sources ? import ../../nix
-, pkgs ? sources.pkgs { }
-, lib
-, ...
-}:
-
-let
- home-manager = (import ./nix/sources.nix).home-manager;
- secretsFile = "/root.key";
-in
+{ pkgs, ... }:
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../../roles/all.nix
+ ../../modules/luks.nix
+ ../../modules/grub.nix
 ];
 
- # Use the systemd-boot EFI boot loader.
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
-
- boot.loader.systemd-boot.enable = false;
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "nodev";
- efiSupport = true;
- enableCryptodisk = true;
- configurationLimit = 5;
- };
-
- # enable passing of keyfile between grub and initrd
- boot.initrd.luks.devices."cryptroot" = {
- fallbackToPassword = true;
- keyFile = secretsFile;
- };
- # copy the secret into the additional initramfs. `null` means same path
- boot.initrd.secrets."${secretsFile}" = null;
-
 services.xserver.videoDrivers = [ "amdgpu" ];
 
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
- time.hardwareClockInLocalTime = true; #Be compatible with Windows
-
+ time.hardwareClockInLocalTime = true; #Be compatible with Windows Dualboot
 
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 # Per-interface useDHCP will be mandatory in the future, so this generated config
diff --git a/machines/jimbo/configuration.nix b/machines/jimbo/configuration.nix
index 8f0d228..9508695 100644
--- a/machines/jimbo/configuration.nix
+++ b/machines/jimbo/configuration.nix
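Review bot: Removing `lib` from cray's argument set (the `-, lib` line) is only safe if nothing further down configuration.nix references it; the attribute set continues outside the hunk, so the diff cannot show that. The same applies to the dropped `home-manager` binding: if either name is still used below, evaluation fails with an undefined-variable error rather than at boot, so a quick search of the file before merging settles it. `pkgs` is kept, presumably because it is still used further down.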
@@ -3,45 +3,17 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, lib, ... }:
-
-let
- secretsFile = "/root.key";
-in
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../../roles/all.nix
+ ../../modules/luks.nix
+ ../../modules/grub.nix
 ];
 
-
- # Use the systemd-boot EFI boot loader.
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
-
- boot.loader.systemd-boot.enable = false;
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "nodev";
- efiSupport = true;
- enableCryptodisk = true;
- configurationLimit = 5;
- };
-
- # enable passing of keyfile between grub and initrd
- boot.initrd.luks.devices."cryptroot" = {
- fallbackToPassword = true;
- keyFile = secretsFile;
- };
- # copy the secret into the additional initramfs. `null` means same path
- boot.initrd.secrets."${secretsFile}" = null;
-
 networking.hostName = "jimbo"; # Define your hostname.
 
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
-
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 networking.useDHCP = false;
 networking.networkmanager.enable = true;
diff --git a/machines/milhouse/configuration.nix b/machines/milhouse/configuration.nix
index 2929dd3..2096848 100644
--- a/machines/milhouse/configuration.nix
+++ b/machines/milhouse/configuration.nix
@@ -3,35 +3,18 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../../roles/all.nix
+ ../../modules/luks.nix
+ ../../modules/grub.nix
 ];
 
- # Use the systemd-boot EFI boot loader.
- boot.loader.efi.canTouchEfiVariables = true;
-
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
-
- boot.loader.systemd-boot.enable = false;
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "nodev";
- efiSupport = true;
- enableCryptodisk = true;
- configurationLimit = 5;
- };
-
 networking.hostName = "milhouse"; # Define your hostname.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
 
- # Set your time zone.
- # time.timeZone = "Europe/Amsterdam";
-
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 # Per-interface useDHCP will be mandatory in the future, so this generated config
 # replicates the default behaviour.
@@ -53,9 +36,6 @@
 # Enable the X11 windowing system.
 # services.xserver.enable = true;
 
-
-
-
 # Configure keymap in X11
 # services.xserver.layout = "us";
 # services.xserver.xkbOptions = "eurosign:e";
diff --git a/machines/milhouse/hardware-configuration.nix b/machines/milhouse/hardware-configuration.nix
index 445d623..2063922 100644
--- a/machines/milhouse/hardware-configuration.nix
+++ b/machines/milhouse/hardware-configuration.nix
@@ -18,7 +18,7 @@
 fsType = "ext4";
 };
 
- boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/19bd5375-ca55-427e-baaa-a3ec0f519441";
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/19bd5375-ca55-427e-baaa-a3ec0f519441";
 
 fileSystems."/boot/efi" = {
 device = "/dev/disk/by-uuid/E497-94F9";
diff --git a/modules/grub.nix b/modules/grub.nix
new file mode 100644
index 0000000..5500c3f
--- /dev/null
+++ b/modules/grub.nix
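Review bot: Importing `../../modules/luks.nix` gives milhouse a keyfile unlock it did not have before, and the diff only provides half of what that module needs: the device is renamed to `cryptroot` in hardware-configuration.nix, but nothing here shows a keyfile at `/root.key` on the host. If that file is missing when the bootloader is installed, appending `boot.initrd.secrets` fails at build time, I believe, and `fallbackToPassword` only covers the boot-time case. The `root` to `cryptroot` rename is also a hand edit to a file `nixos-generate-config` regenerates, so it is worth pinning with a comment next to it, e.g. `# device name must match modules/luks.nix (keyfile unlock)`, or moving the `.device` line into configuration.nix. cray and jimbo already carried this configuration and so presumably have the keyfile in place.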
@@ -0,0 +1,13 @@
+{
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "nodev";
+ efiSupport = true;
+ configurationLimit = 5;
+ };
+}
diff --git a/modules/luks.nix b/modules/luks.nix
new file mode 100644
index 0000000..b5cd16c
--- /dev/null
+++ b/modules/luks.nix
@@ -0,0 +1,15 @@
+let
+ secretsFile = "/root.key";
+in
+{
+ boot.loader.grub.enableCryptodisk = true;
+
+ # enable passing of keyfile between grub and initrd
+ boot.initrd.luks.devices."cryptroot" = {
+ fallbackToPassword = true;
+ keyFile = secretsFile;
+ };
+
+ # copy the secret into the additional initramfs. `null` means same path
+ boot.initrd.secrets."${secretsFile}" = null;
+}
diff --git a/roles/all.nix b/roles/all.nix
index aba68fe..e704784 100644
--- a/roles/all.nix
+++ b/roles/all.nix
@@ -17,6 +17,9 @@
 ../users/fleaz.nix
 ];
 
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
 # needed for Steam and VIA
 nixpkgs.config.allowUnfree = true;
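Review bot: luks.nix hard-codes two host-specific assumptions that the file does not state: the LUKS device name `cryptroot` must match the importing host's hardware-configuration.nix (milhouse needed a rename in this same commit), and a keyfile must exist at `/root.key` outside the Nix store on the machine being built. It also sets `boot.loader.grub.enableCryptodisk`, so it only works together with grub.nix, and the keyfile embedded in the initrd stays protected only because GRUB unlocks the volume before reading /boot, i.e. /boot must not sit on the plain ESP at /boot/efi. A header comment would keep the next host from silently getting a broken import: `# Requires a LUKS device named "cryptroot" in the host's hardware-configuration.nix,` / `# a keyfile at /root.key (kept out of the Nix store via boot.initrd.secrets),` / `# and modules/grub.nix, since enableCryptodisk is a GRUB option.`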