From: Preston Pan Date: Fri, 19 Sep 2025 07:51:40 +0000 (-0700) Subject: fix disko to actually install X-Git-Url: https://ret2pop.net/gitweb/%22./%22/%22../index.html/static/gitweb.css?a=commitdiff_plain;h=56337bd35424b6e9fd131b542b2b5f0c3fb8a1d4;p=monorepo.git fix disko to actually install
---
diff --git a/config/nix.org b/config/nix.org
index bdcecb5..eceecf3 100644
--- a/config/nix.org
+++ b/config/nix.org
@@ -86,6 +86,11 @@ and now for the main flake:
 url = "github:Janik-Haag/nixos-dns";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ nixpak = {
+ url = "github:nixpak/nixpak";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -100,6 +105,7 @@ and now for the main flake:
 nixos-dns,
 deep-research,
 impermanence,
+ nixpak,
 ...
 } @attrs:
@@ -569,26 +575,26 @@ My SSH daemon configuration.
 This is my tor configuration, used for my cryptocurrency wallets and whatever else I want it to do.
 #+begin_src nix :tangle ../nix/modules/tor.nix
-{ config, lib, ... }:
-{
- services.tor = {
- enable = lib.mkDefault config.monorepo.profiles.tor.enable;
- openFirewall = true;
- client = {
+ { config, lib, ... }:
+ {
+ services.tor = {
 enable = lib.mkDefault config.monorepo.profiles.tor.enable;
- socksListenAddress = {
- IsolateDestAddr = true;
- addr = "127.0.0.1";
- port = 9050;
+ openFirewall = true;
+ client = {
+ enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+ socksListenAddress = {
+ IsolateDestAddr = true;
+ addr = "127.0.0.1";
+ port = 9050;
+ };
+ dns.enable = true;
+ };
+ torsocks = {
+ enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+ server = "127.0.0.1:9050";
 };
- dns.enable = true;
- };
- torsocks = {
- enable = lib.mkDefault config.monorepo.profiles.tor.enable;
- server = "127.0.0.1:9050";
 };
- };
-}
+ }
 #+end_src
 ** Kubo IPFS
 I use IPFS for my website and also for my ISOs for truly declarative and deterministic
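Review bot: The new `nixpak` input is not pinned anywhere in this patch: it is added to `inputs` and destructured in `outputs` here and again in nix/flake.nix, but no hunk touches nix/flake.lock and no hunk actually references `nixpak`, so the revision that gets fetched is whatever `nix flake lock` resolves on the next evaluation rather than one reviewed in this commit. If the lock update lives in a separate commit that is fine; otherwise commit the updated nix/flake.lock together with this change so the input's revision and `narHash` are fixed in history. Since `} @attrs:` already captures every input, the explicit `nixpak,` argument only earns its place once something in the flake uses it by name; until then a short comment like `# nixpak: reserved for sandboxed app wrappers, not yet wired up` would tell the next reader why an unused input is pinned.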
@@ -1190,6 +1196,10 @@ This is my impermanence profile, which removes all files on reboot except for th
 umount /btrfs_tmp
 '' else "");
+ boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+ { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+ ] else []);
+
 fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
 "/persistent" = {
 neededForBoot = true;
@@ -1513,6 +1523,12 @@ because they enhance security.
 apparmor = {
 enable = true;
 killUnconfinedConfinables = true;
+ packages = with pkgs; [
+ apparmor-profiles
+ ];
+ policies = {
+ firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+ };
 };
 pam.loginLimits = [
diff --git a/nix/flake.nix b/nix/flake.nix
index 795ab4b..9102d40 100644
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -36,6 +36,11 @@
 url = "github:Janik-Haag/nixos-dns";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ nixpak = {
+ url = "github:nixpak/nixpak";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -50,6 +55,7 @@
 nixos-dns,
 deep-research,
 impermanence,
+ nixpak,
 ...
 } @attrs:
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index a2912ea..5b44fc4 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -259,6 +259,12 @@
 apparmor = {
 enable = true;
 killUnconfinedConfinables = true;
+ packages = with pkgs; [
+ apparmor-profiles
+ ];
+ policies = {
+ firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+ };
 };
 pam.loginLimits = [
diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix
index 3bb8f18..e8b4b6f 100644
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
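Review bot: As far as I recall, `boot.initrd.luks.devices` in current NixOS is an attribute set keyed by the mapped name (`boot.initrd.luks.devices.<name>.device`), so the list-of-attrsets form `[ { name = "crypted"; device = ...; } ]` with an `[]` fallback is likely to fail the option type check exactly when the impermanence profile is enabled; the same lines are added to nix/modules/impermanence.nix. The attrset equivalent is `boot.initrd.luks.devices = if config.monorepo.profiles.impermanence.enable then { crypted.device = "/dev/disk/by-partlabel/disk-main-luks"; } else {};`. Also worth confirming: when disko's generated configuration is imported it normally derives this option from the disk layout itself, so a second hand-written definition for the same partition may duplicate or conflict with it rather than fix anything. Since the partlabel is the only thing tying the initrd unlock to the right disk, a comment such as `# must match the LUKS partition label in the disko layout` above the assignment would make the coupling visible.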
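Review bot: The firefox policy is registered without setting its mode, and an upstream profile shipped under `extra-profiles` is presumably written against conventional FHS install paths rather than the Nix store path of the firefox package, so it is quite possible that after a rebuild the profile loads but attaches to no process — `killUnconfinedConfinables = true` does not help with that, since an unmatched binary is simply unconfined. After switching, check with `aa-status` that a running firefox actually appears as confined and in which mode, and confirm that `${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox` exists in the built package. The identical block is added in nix/modules/configuration.nix. A comment like `# upstream extra profile; verify with aa-status that it attaches to the store-path firefox` above `policies` would record what still needs checking.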
@@ -32,6 +32,10 @@
 umount /btrfs_tmp
 '' else "");
+ boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+ { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+ ] else []);
+
 fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
 "/persistent" = {
 neededForBoot = true;