fix disko to actually install

author Preston Pan <ret2pop@gmail.com>

Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)

committer Preston Pan <ret2pop@gmail.com>

Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)
author Preston Pan <ret2pop@gmail.com>
Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)
committer Preston Pan <ret2pop@gmail.com>
Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)
diff --git a/config/nix.org b/config/nix.org

index bdcecb589e1bd8446217c5d4fd49dacf51bd37f9..eceecf38510a8ed7657618fc2763fcb7efdea1a0 100644 (file)
--- a/config/nix.org
+++ b/config/nix.org
@@ -86,6 +86,11 @@ and now for the main flake:
          url = "github:Janik-Haag/nixos-dns";
          inputs.nixpkgs.follows = "nixpkgs";
        };
+
+      nixpak = {
+        url = "github:nixpak/nixpak";
+        inputs.nixpkgs.follows = "nixpkgs";
+      };
      };
  
      outputs = {
@@ -100,6 +105,7 @@ and now for the main flake:
          nixos-dns,
          deep-research,
          impermanence,
+        nixpak,
          ...
      }
        @attrs:
@@ -569,26 +575,26 @@ My SSH daemon configuration.
  This is my tor configuration, used for my cryptocurrency wallets and whatever else I want
  it to do.
  #+begin_src nix :tangle ../nix/modules/tor.nix
-{ config, lib, ... }:
-{
-  services.tor = {
-    enable = lib.mkDefault config.monorepo.profiles.tor.enable;
-    openFirewall = true;
-    client = {
+  { config, lib, ... }:
+  {
+    services.tor = {
        enable = lib.mkDefault config.monorepo.profiles.tor.enable;
-      socksListenAddress = {
-        IsolateDestAddr = true;
-        addr = "127.0.0.1";
-        port = 9050;
+      openFirewall = true;
+      client = {
+        enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+        socksListenAddress = {
+          IsolateDestAddr = true;
+          addr = "127.0.0.1";
+          port = 9050;
+        };
+        dns.enable = true;
+      };
+      torsocks = {
+        enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+        server = "127.0.0.1:9050";
        };
-      dns.enable = true;
-    };
-    torsocks = {
-      enable = lib.mkDefault config.monorepo.profiles.tor.enable;
-      server = "127.0.0.1:9050";
      };
-  };
-}
+  }
  #+end_src
  ** Kubo IPFS
  I use IPFS for my website and also for my ISOs for truly declarative and deterministic
@@ -1190,6 +1196,10 @@ This is my impermanence profile, which removes all files on reboot except for th
        umount /btrfs_tmp
      '' else "");
  
+    boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+      { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+    ] else []);
+
      fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
        "/persistent" = {
          neededForBoot = true;
@@ -1513,6 +1523,12 @@ because they enhance security.
        apparmor = {
           enable = true;
           killUnconfinedConfinables = true;
+        packages = with pkgs; [
+          apparmor-profiles
+        ];
+        policies = {
+          firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+        };
        };
  
        pam.loginLimits = [
diff --git a/nix/flake.nix b/nix/flake.nix

index 795ab4ba8229035446f3a7333635a86b8feef4da..9102d4057279b22a4e10f8d9f8a2af406207a641 100644 (file)
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -36,6 +36,11 @@
        url = "github:Janik-Haag/nixos-dns";
        inputs.nixpkgs.follows = "nixpkgs";
      };
+
+    nixpak = {
+      url = "github:nixpak/nixpak";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    };
  
    outputs = {
@@ -50,6 +55,7 @@
        nixos-dns,
        deep-research,
        impermanence,
+      nixpak,
        ...
    }
      @attrs:
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix

index a2912ea9c99e488e2b0559fb47f5e8d43bca86bc..5b44fc45fe44c16a3d83f90402563f9d0ccf03cb 100644 (file)
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -259,6 +259,12 @@
      apparmor = {
           enable = true;
           killUnconfinedConfinables = true;
+      packages = with pkgs; [
+        apparmor-profiles
+      ];
+      policies = {
+        firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+      };
      };
  
      pam.loginLimits = [
diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix

index 3bb8f18bfa504477e5db9e8cfc04a3f67ba6b765..e8b4b6f104ef7a7fc179adf68b68241a6fb38e46 100644 (file)
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
@@ -32,6 +32,10 @@
      umount /btrfs_tmp
    '' else "");
  
+  boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+    { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+  ] else []);
+
    fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
      "/persistent" = {
        neededForBoot = true;
author	Preston Pan <ret2pop@gmail.com>
	Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)
committer	Preston Pan <ret2pop@gmail.com>
	Fri, 19 Sep 2025 07:51:40 +0000 (00:51 -0700)
config/nix.org		patch \| blob \| history
nix/flake.nix		patch \| blob \| history
nix/modules/configuration.nix		patch \| blob \| history
nix/modules/impermanence.nix		patch \| blob \| history