box zfs

2026-01-19 22:37:30 -08:00
parent 3b33575b2a
commit d0cde973e7
21 changed files with 818 additions and 243 deletions
@@ -1,79 +1,73 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+# and in the NixOS manual (accessible by running 'nixos-help').

 { config, pkgs, ... }:

 {
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./disko.nix
+  ];

  # No systemd emergency mode (can't reliably be accessed over SSH)
  systemd.enableEmergencyMode = false;

-  # Use the GRUB 2 boot loader.
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  boot.loader.grub = {
-    enable = true;
-    device = "nodev";
-    efiSupport = true;
-    enableCryptodisk = true;
-    efiInstallAsRemovable = true;
+  # ZFS requires a hostId
+  networking.hostId = "bb7d707a";
+
+  # Boot configuration for LUKS + ZFS
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.systemd-boot.enable = true;
+
+  # ZFS support
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs = {
+    requestEncryptionCredentials = [ "tank" ]; # Load key for tank pool
+    forceImportRoot = false;
  };

-  boot.initrd.secrets = {
-    "/keyfile0.bin" = /etc/secrets/initrd/keyfile0.bin;
-    "/keyfile1.bin" = /etc/secrets/initrd/keyfile1.bin;
-  };
-
-  # Remote SSH unlock
-  boot.initrd.network.enable = true;
-  boot.initrd.network.ssh = {
-    enable = true;
-    port = 22;
-    authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDM0Zvei46x/yZl/IeBCq6+IYQQ0avulzVyBysF9cPigZMCybWRV7IEU+E3k9t6JrbdbdGfJkcZIWmsWDdKS8W8mBnZpVoT0ffLynu8JQ/TKdGm4Qv6bgUeKNrGsNv0ZPs2CDaGSLj0oJfRF7Ko10tcLP0vW+yujrh+y6TH/vVzJioaV4TGvtCUpn+wEQah9ROwPQLUUofsSWdnRsDJ/gp37zXWs4l5wyjSKtP3O9RZUP7kBekbSqEgSXiTk0oUQSVqIWl9NDiP6onk/gSOjXsR/JPqsSN/XI/c/yj6gyY0f51Ru2D7iBxuMJIJcWV+rU6coIj+ULcQWLzt/7TI8jq5AOOzI/ll4zbL24Eo84Rz+TP9tvMMhDZ0VaMN22AJ8qQEjc5P09tWKsX7Jg39XelyV1jHXncE4yvIE9F4RSCHzWCeKeXakizQNuzSaxTxIExRFYHjNW5bR6+3MTGwVrEIXU+qML+0yFTR86MT+tdY5AreAJQLwbog79O1NupeXJE= anish@curve " ];
-    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # create this file with `ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
-  };
-  boot.initrd.availableKernelModules = [ "igc" "iwlwifi" ];
-
-  boot.initrd.luks.devices = {
-    "root" = {
-      #name = "root";
-      device = "/dev/disk/by-uuid/f37f3222-47d7-42d8-b400-363320a31853"; # UUID for /dev/nvme01np2 
-      preLVM = true;
-      allowDiscards = true;
-      keyFile = "/keyfile0.bin";
+  # ZFS services
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "weekly";
    };
+    autoSnapshot = {
+      enable = true;
+      frequent = 4; # 15-minute snapshots
+      hourly = 24;
+      daily = 7;
+      weekly = 4;
+      monthly = 12;
+    };
+    trim.enable = true;
  };

-  # Data mount
-  # fileSystems."/data" = {
-  #   device = "/dev/disk/by-uuid/3276a297-9ee4-4998-b262-1ed100366c06"; # UUID for /dev/mapper/crypted-data
-  #   encrypted = {
-  #     enable = true;
-  #     label = "crypted-data";
-  #     blkDev = "/dev/disk/by-uuid/8a317bf4-fe13-4334-a6df-5fe5a5048b5e"; # UUID for /dev/sda1
-  #     keyFile = "/keyfile1.bin";
-  #   };
-  # };
-
  networking.interfaces.enp2s0 = {
-    ipv4.addresses = [{
-      address = "192.168.1.240";
-      prefixLength = 24;
-    }];
-    ipv6.addresses = [{
-      address = "fd7d:587a:4300:1::240";
-      prefixLength = 64;
-    }];
-    ipv4.routes = [{ address = "192.168.1.0"; prefixLength = 24; via = "192.168.1.1"; }];
+    ipv4.addresses = [
+      {
+        address = "192.168.1.240";
+        prefixLength = 24;
+      }
+    ];
+    ipv6.addresses = [
+      {
+        address = "fd7d:587a:4300:1::240";
+        prefixLength = 64;
+      }
+    ];
+    ipv4.routes = [
+      {
+        address = "192.168.1.0";
+        prefixLength = 24;
+        via = "192.168.1.1";
+      }
+    ];
    useDHCP = false;
  };
-  #networking.nameservers = [ "172.16.11.240" ];
  networking.nameservers = [ "192.168.1.1" ];
  networking.defaultGateway = {
    address = "192.168.1.1";
@@ -81,11 +75,8 @@
  };

  networking.hostName = "box"; # Define your hostname.
-  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.wlp3s0.useDHCP = true;

@@ -103,4 +94,3 @@
  system.stateVersion = "19.09"; # Did you read the comment?

 }
-