From c869557f1f15c2674247428ac06d862b10fd4cc8 Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Sun, 7 Apr 2024 12:38:24 +0000
Subject: [PATCH] Add herogrim host
---
 hosts/default.nix | 8 ++
 hosts/herugrim/default.nix | 44 +++++++++
 hosts/herugrim/hardware-configuration.nix | 69 ++++++++++++++
 hosts/herugrim/impermanence.nix | 110 ++++++++++++++++++++++
 4 files changed, 231 insertions(+)
 create mode 100644 hosts/herugrim/default.nix
 create mode 100644 hosts/herugrim/hardware-configuration.nix
 create mode 100644 hosts/herugrim/impermanence.nix
diff --git a/hosts/default.nix b/hosts/default.nix
index a8930e9..81cd2b5 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -17,4 +17,12 @@ in
 inputs.home-manager.nixosModules.home-manager
 ] ++ shared;
 };
+
+ herugrim = lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./herugrim
+ inputs.home-manager.nixosModules.home-manager
+ ] ++ shared;
+ };
 }
diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
new file mode 100644
index 0000000..d6686ba
--- /dev/null
+++ b/hosts/herugrim/default.nix
@@ -0,0 +1,44 @@
+{ lib, pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./impermanence.nix
+ ];
+
+ boot.supportedFilesystems = [ "btrfs" ];
+
+ nix.settings = {
+ max-jobs = 6;
+ cores = 6;
+ };
+
+ # NixOS release from which this machine was first installed.
+ # (for stateful data, like file locations and db versions)
+ # Leave this alone!
+ system.stateVersion = lib.mkForce "23.11";
+
+ services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+
+ myOptions = {
+ system = {
+ hostname = "herugrim";
+ username = "itsdrike";
+ };
+ device = {
+ virtual-machine = false;
+ cpu.type = "intel";
+ };
+ home-manager = {
+ enabled = true;
+ stateVersion = "23.11";
+ git = {
+ userName = "ItsDrike";
+ userEmail = "itsdrike@protonmail.com";
+ signing = {
+ enabled = true;
+ key = "FA2745890B7048C0";
+ };
+ };
+ };
+ };
+}
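Review bot: `services.openssh.settings.PasswordAuthentication = lib.mkForce true;` turns on SSH password login for this host without a comment saying why, and the mkForce makes it win over whatever the shared modules set (the force itself suggests they disable it), so nothing elsewhere in the configuration can switch it back off. If it is only needed until key-based login is set up, record that on the line, e.g. `# TEMP: password login until SSH keys are deployed; remove together with the mkForce`, so the override does not quietly outlive its reason. Separately, `cpu.type = "intel";` disagrees with the generated hardware-configuration.nix in the same commit, which loads `kvm-amd` and sets `hardware.cpu.amd.updateMicrocode`; if the generated file reflects the machine, this should read `cpu.type = "amd";`.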
diff --git a/hosts/herugrim/hardware-configuration.nix b/hosts/herugrim/hardware-configuration.nix
new file mode 100644
index 0000000..c785643
--- /dev/null
+++ b/hosts/herugrim/hardware-configuration.nix
@@ -0,0 +1,69 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptfs".device = "/dev/disk/by-label/NIXCRYPTROOT";
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "btrfs";
+ options = [ "subvol=root" "noatime" "compress=zstd:3" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "btrfs";
+ options = [ "subvol=home" "noatime" "compress=zstd:3" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "btrfs";
+ options = [ "subvol=nix" "noatime" "compress=zstd:3" ];
+ };
+
+ fileSystems."/var/log" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "btrfs";
+ options = [ "subvol=log" "noatime" "compress=zstd:3" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/persist" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "btrfs";
+ options = [ "subvol=persist" "noatime" "compress=zstd:3" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-label/NIXBOOT";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-label/SWAP"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/herugrim/impermanence.nix b/hosts/herugrim/impermanence.nix
new file mode 100644
index 0000000..9059d69
--- /dev/null
+++ b/hosts/herugrim/impermanence.nix
@@ -0,0 +1,110 @@
+{ config, pkgs, ... }:
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in
+{
+ imports = [ "${impermanence}/nixos.nix" ];
+
+ users = {
+ # This option makes it that users are not mutable outside our configuration
+ # If you are using impermanence, this will actually be the case regardless of this setting,
+ # however, setting this explicitly is a good idea, because nix will warn us if
+ # our users don't have passwords set
+ mutableUsers = false;
+
+ # Each existing user needs to have a password file defined here
+ # otherwise, they will not be available to login.
+ # These password files can be generated using the following command:
+ # mkpasswd -m sha-512 > /persist/system/passwords/myuser
+ users = {
+ root = {
+ # password file needs to be in a volume marked `neededForRoot = true`
+ hashedPasswordFile = "/persist/passwords/root";
+ };
+ itsdrike = {
+ hashedPasswordFile = "/persist/passwords/itsdrike";
+ };
+ };
+ };
+
+ # Some people use /nix/persist/system instead, leaving the persistent files in /nix subvolume
+ # I much prefer using a standalone subvolume for this though.
+ environment.persistence."/persist/system" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos" # nixos configuration source
+ "/etc/NetworkManager/system-connections" # saved network connections
+ "/var/db/sudo" # keeps track of who got the sudo lecture already
+ "/var/lib/systemd/coredump" # recorded coredumps
+ ];
+ files = [
+ "/etc/machine-id"
+
+ # ssh stuff
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+
+ # For some reason, NetworkManager needs this instead of the impermanence mode to not get screwed up
+ systemd.tmpfiles.rules = [
+ "L /var/lib/NetworkManager/secret_key - - - - /persist/system/var/lib/NetworkManager/secret_key"
+ "L /var/lib/NetworkManager/seen-bssids - - - - /persist/system/var/lib/NetworkManager/seen-bssids"
+ "L /var/lib/NetworkManager/timestamps - - - - /persist/system/var/lib/NetworkManager/timestamps"
+ ];
+
+ boot.initrd.systemd = {
+ enable = true; # This enables systemd support in stage 1 - required for below setup
+ services.rollback = {
+ description = "Rollback BTRFS root subvolume to a pristine state";
+ wantedBy = [ "initrd.target" ];
+ # make sure it's done after decryption (i.e. LUKS/TPM process)
+ after = [ "systemd-cryptsetup@cryptfs.service" ];
+ # mount the root fs before clearing
+ before = [ "sysroot.mount" ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ mkdir -p /mnt
+
+ # We first mount the btrfs root to /mnt
+ # so we can manipulate btrfs subvolumes.
+ mount /dev/mapper/cryptfs /mnt
+
+ # While we're tempted to just delete /root and create
+ # a new snapshot from /root-blank, /root is already
+ # populated at this point with a number of subvolumes,
+ # which makes `btrfs subvolume delete` fail.
+ # So, we remove them first.
+ #
+ # /root contains subvolumes:
+ # - /root/var/lib/portables
+ # - /root/var/lib/machines
+ #
+ # These are probably related to systemd-nspawn, but
+ # since I don't use it, I'm not 100% sure.
+ # Anyhow, deleting these subvolumes hasn't resulted in
+ # any issues so far, except for fairly benign-looking
+ # errors from systemd-tmpfiles.
+ btrfs subvolume list -o /mnt/root |
+ cut -f9 -d' ' |
+ while read subvolume; do
+ echo "deleting /$subvolume subvolume..."
+ btrfs subvolume delete "/mnt/$subvolume"
+ done &&
+ echo "deleting /root subvolume..." &&
+ btrfs subvolume delete /mnt/root
+
+ echo "restoring blank /root subvolume..."
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # Once we're done rolling back to a blank snapshot,
+ # we can unmount /mnt and continue on the boot process.
+ umount /mnt
+ '';
+ };
+ };
+}
+
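Review bot: `impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";` imports an unpinned third-party NixOS module: whatever is on `master` at evaluation time becomes part of the system closure, with no hash check and no way to rebuild the same system later. Pin it to a revision with a hash, e.g. `impermanence = builtins.fetchTarball { url = "https://github.com/nix-community/impermanence/archive/<REV>.tar.gz"; sha256 = "<SHA256>"; };` (placeholders to fill in), or, since hosts/default.nix already consumes `inputs.home-manager`, add it as a flake input and take it from `inputs` so the lockfile pins it. Two comments in this hunk are also misleading: `neededForRoot = true` should be `neededForBoot = true`, which is the option hardware-configuration.nix actually sets on /persist, and the `mkpasswd` example writes to `/persist/system/passwords/myuser` while `hashedPasswordFile` reads from `/persist/passwords/<user>`.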