fix disko to actually install

diff --git a/config/nix.org b/config/nix.org
index bdcecb589e1bd8446217c5d4fd49dacf51bd37f9..eceecf38510a8ed7657618fc2763fcb7efdea1a0 100644 (file)
--- a/config/nix.org
+++ b/config/nix.org
@@ -86,6 +86,11 @@ and now for the main flake:
         url = "github:Janik-Haag/nixos-dns";
         inputs.nixpkgs.follows = "nixpkgs";
       };
         url = "github:Janik-Haag/nixos-dns";
         inputs.nixpkgs.follows = "nixpkgs";
       };

+
+      nixpak = {
+        url = "github:nixpak/nixpak";
+        inputs.nixpkgs.follows = "nixpkgs";
+      };

     };
 
     outputs = {
     };
 
     outputs = {


@@ -100,6 +105,7 @@ and now for the main flake:
         nixos-dns,
         deep-research,
         impermanence,
         nixos-dns,
         deep-research,
         impermanence,

+        nixpak,

         ...
     }
       @attrs:
         ...
     }
       @attrs:


@@ -569,26 +575,26 @@ My SSH daemon configuration.
 This is my tor configuration, used for my cryptocurrency wallets and whatever else I want
 it to do.
 #+begin_src nix :tangle ../nix/modules/tor.nix
 This is my tor configuration, used for my cryptocurrency wallets and whatever else I want
 it to do.
 #+begin_src nix :tangle ../nix/modules/tor.nix

-{ config, lib, ... }:
-{
-  services.tor = {
-    enable = lib.mkDefault config.monorepo.profiles.tor.enable;
-    openFirewall = true;
-    client = {
+  { config, lib, ... }:
+  {
+    services.tor = {

       enable = lib.mkDefault config.monorepo.profiles.tor.enable;
       enable = lib.mkDefault config.monorepo.profiles.tor.enable;

-      socksListenAddress = {
-        IsolateDestAddr = true;
-        addr = "127.0.0.1";
-        port = 9050;
+      openFirewall = true;
+      client = {
+        enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+        socksListenAddress = {
+          IsolateDestAddr = true;
+          addr = "127.0.0.1";
+          port = 9050;
+        };
+        dns.enable = true;
+      };
+      torsocks = {
+        enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+        server = "127.0.0.1:9050";

       };
       };

-      dns.enable = true;
-    };
-    torsocks = {
-      enable = lib.mkDefault config.monorepo.profiles.tor.enable;
-      server = "127.0.0.1:9050";

     };
     };

-  };
-}
+  }

 #+end_src
 ** Kubo IPFS
 I use IPFS for my website and also for my ISOs for truly declarative and deterministic
 #+end_src
 ** Kubo IPFS
 I use IPFS for my website and also for my ISOs for truly declarative and deterministic


@@ -1190,6 +1196,10 @@ This is my impermanence profile, which removes all files on reboot except for th
       umount /btrfs_tmp
     '' else "");
 
       umount /btrfs_tmp
     '' else "");
 

+    boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+      { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+    ] else []);
+

     fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
       "/persistent" = {
         neededForBoot = true;
     fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
       "/persistent" = {
         neededForBoot = true;


@@ -1513,6 +1523,12 @@ because they enhance security.
       apparmor = {
          enable = true;
          killUnconfinedConfinables = true;
       apparmor = {
          enable = true;
          killUnconfinedConfinables = true;

+        packages = with pkgs; [
+          apparmor-profiles
+        ];
+        policies = {
+          firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+        };

       };
 
       pam.loginLimits = [
       };
 
       pam.loginLimits = [

diff --git a/nix/flake.nix b/nix/flake.nix
index 795ab4ba8229035446f3a7333635a86b8feef4da..9102d4057279b22a4e10f8d9f8a2af406207a641 100644 (file)
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -36,6 +36,11 @@
       url = "github:Janik-Haag/nixos-dns";
       inputs.nixpkgs.follows = "nixpkgs";
     };
       url = "github:Janik-Haag/nixos-dns";
       inputs.nixpkgs.follows = "nixpkgs";
     };

+
+    nixpak = {
+      url = "github:nixpak/nixpak";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

   };
 
   outputs = {
   };
 
   outputs = {


@@ -50,6 +55,7 @@
       nixos-dns,
       deep-research,
       impermanence,
       nixos-dns,
       deep-research,
       impermanence,

+      nixpak,

       ...
   }
     @attrs:
       ...
   }
     @attrs:

diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index a2912ea9c99e488e2b0559fb47f5e8d43bca86bc..5b44fc45fe44c16a3d83f90402563f9d0ccf03cb 100644 (file)
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -259,6 +259,12 @@
     apparmor = {
          enable = true;
          killUnconfinedConfinables = true;
     apparmor = {
          enable = true;
          killUnconfinedConfinables = true;

+      packages = with pkgs; [
+        apparmor-profiles
+      ];
+      policies = {
+        firefox.path = "${pkgs.apparmor-profiles}/share/apparmor/extra-profiles/firefox";
+      };

     };
 
     pam.loginLimits = [
     };
 
     pam.loginLimits = [

diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix
index 3bb8f18bfa504477e5db9e8cfc04a3f67ba6b765..e8b4b6f104ef7a7fc179adf68b68241a6fb38e46 100644 (file)
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
@@ -32,6 +32,10 @@
     umount /btrfs_tmp
   '' else "");
 
     umount /btrfs_tmp
   '' else "");
 

+  boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then [
+    { name = "crypted"; device = "/dev/disk/by-partlabel/disk-main-luks"; }
+  ] else []);
+

   fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
     "/persistent" = {
       neededForBoot = true;
   fileSystems = if (config.monorepo.profiles.impermanence.enable) then {
     "/persistent" = {
       neededForBoot = true;