diff --git a/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix
index 050b942da6..6c9b439366 100644
--- a/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix
+++ b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix
@@ -43,7 +43,7 @@
 # Devices #
 ###########
- PrivateDevices = true;
+ # PrivateDevices = true;
 # DeviceAllow=/dev/null
 ##########
diff --git a/modules/disko/disko-ab-partitions.nix b/modules/disko/disko-ab-partitions.nix
new file mode 100644
index 0000000000..77c40af18c
--- /dev/null
+++ b/modules/disko/disko-ab-partitions.nix
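Review bot: `PrivateDevices = true` is commented out with no reason recorded, so systemd-remount-fs.service loses its isolated /dev (pseudo-devices only, no mknod, DevicePolicy=closed implied) and the next maintainer cannot tell when the hardening may be restored. If the trigger is the switch of the root filesystem to ZFS made elsewhere in this commit, say so on the line, e.g. `# PrivateDevices = true; # disabled: remounting a ZFS root needs the real /dev (confirm which node)`. A narrower option worth trying before dropping the whole setting is to keep the device restriction and allow only the node that is actually needed, e.g. `DevicePolicy = "closed";` plus `DeviceAllow = "/dev/zfs";`, which is the pattern the neighbouring `# DeviceAllow=/dev/null` comment already hints at. The serviceConfig block this hunk belongs to starts and ends outside the hunk.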
@@ -0,0 +1,161 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This partition scheme contains three common partitions and ZFS pool.
+# Some partitions are duplicated for the future AB SWupdate implementation.
+#
+# First three partitions are related to the boot process:
+# - boot : Bootloader partition
+# - ESP-A : (500M) Kernel and initrd
+# - ESP-B : (500M)
+#
+# ZFS datasets do not necessary need to have specified size and can be
+# allocated dynamically. Quotas only restrict the maximum size of
+# datasets, but do not reserve the space in the pool.
+# The ZFS pool contains next datasets:
+# - root-A : (30G) Root FS
+# - root-B : (30G)
+# - vm-storage-A : (30G) Possible standalone pre-built VM images are stored here
+# - vm-storage-B : (30G)
+# - reserved-A : (10G) Reserved dataset, no use
+# - reserved-B : (10G)
+# - gp-storage : (50G) General purpose storage for some common insecure cases
+# - recovery : (no quota) Recovery factory image is stored here
+# - storagevm: (no quota) Dataset is meant to be used for StorageVM
+{pkgs, ...}: {
+ #TODO Probably the 'networking.hostId' should be set
+ # somewhere else instead.
+ networking.hostId = "8425e349";
+ disko = {
+ memSize = 4096;
+ extraPostVM = ''
+ ${pkgs.zstd}/bin/zstd --compress $out/*raw
+ rm $out/*raw
+ '';
+ extraRootModules = ["zfs"];
+ devices = {
+ disk.disk1 = {
+ type = "disk";
+ imageSize = "15G";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ priority = 1; # Needs to be first partition
+ };
+ esp_a = {
+ name = "ESP_A";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "nofail"
+ ];
+ };
+ };
+ esp_b = {
+ name = "ESP_B";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountOptions = [
+ "umask=0077"
+ "nofail"
+ ];
+ };
+ };
+ zfs_1 = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot_1";
+ };
+ };
+ };
+ };
+ };
+ zpool = {
+ zroot_1 = {
+ type = "zpool";
+ rootFsOptions = {
+ mountpoint = "none";
+ acltype = "posixacl";
+ };
+ datasets = {
+ "root_a" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ options = {
+ mountpoint = "/";
+ quota = "30G";
+ };
+ };
+ "vm_storage_a" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "/vm_storage";
+ quota = "30G";
+ };
+ };
+ "reserved_a" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ quota = "10G";
+ };
+ };
+ "root_b" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ quota = "30G";
+ };
+ };
+ "vm_storage_b" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ quota = "30G";
+ };
+ };
+ "reserved_b" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ quota = "10G";
+ };
+ };
+ "gp_storage" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "/gp_storage";
+ quota = "50G";
+ };
+ };
+ "recovery" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ };
+ };
+ "storagevm" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "/storagevm";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
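Review bot: `networking.hostId = "8425e349"` bakes one fixed hostid into every image built from this module, and the adjacent TODO only says the setting belongs elsewhere, not why the value matters. ZFS records the importing host's hostid in the pool and refuses a plain import from a different host as protection against a pool being attached to two systems; with every installation sharing the same value that check no longer distinguishes machines, so a disk moved between devices imports as if it were native (NixOS's `boot.zfs.forceImportRoot` default may already bypass this for the root pool, so the comment should state which guarantee is actually relied on). Either derive the value per installation, as the option's own documentation asks, or keep the placeholder but make the limitation explicit, e.g. `# FIXME: fixed hostId is shared by all images; ZFS uses it to detect foreign pools, derive per device`. Two small cleanups in the same file: the header's `do not necessary need` should read `do not necessarily need`, and `root_a` sets `mountpoint = "/"` both at the dataset level and again under `options`, so one of the two is redundant.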
diff --git a/modules/disko/flake-module.nix b/modules/disko/flake-module.nix
index e4c5e730b7..36e217f926 100644
--- a/modules/disko/flake-module.nix
+++ b/modules/disko/flake-module.nix
@@ -7,5 +7,11 @@
 ./disko-basic-partition-v1.nix
 ./disko-basic-postboot.nix
 ];
+
+ disko-ab-partitions-v1.imports = [
+ inputs.disko.nixosModules.disko
+ ./disko-ab-partitions.nix
+ ./disko-basic-postboot.nix
+ ];
 };
 }
diff --git a/modules/hardware/x86_64-generic/x86_64-linux.nix b/modules/hardware/x86_64-generic/x86_64-linux.nix
index 93f44d9027..52e053a0da 100644
--- a/modules/hardware/x86_64-generic/x86_64-linux.nix
+++ b/modules/hardware/x86_64-generic/x86_64-linux.nix
@@ -32,11 +32,14 @@ in {
 initrd.availableKernelModules = [
 "nvme"
 "uas"
+ "zfs"
 ];
 loader = {
 efi.canTouchEfiVariables = true;
 systemd-boot.enable = true;
 };
+ supportedFilesystems = ["zfs"];
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 };
 };
 }
diff --git a/targets/laptop/flake-module.nix b/targets/laptop/flake-module.nix
index 67cf39ff2a..eb424e0102 100644
--- a/targets/laptop/flake-module.nix
+++ b/targets/laptop/flake-module.nix
@@ -13,7 +13,7 @@
 targets = [
 (laptop-configuration "lenovo-x1-carbon-gen10" "debug" [
- self.nixosModules.disko-basic-partition-v1
+ self.nixosModules.disko-ab-partitions-v1
 {
 ghaf = {
 hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen10.nix";
@@ -22,7 +22,7 @@
 }
 ])
 (laptop-configuration "lenovo-x1-carbon-gen11" "debug" [
- self.nixosModules.disko-basic-partition-v1
+ self.nixosModules.disko-ab-partitions-v1
 {
 ghaf = {
 hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen11.nix";
@@ -31,7 +31,7 @@
 }
 ])
 (laptop-configuration "lenovo-x1-carbon-gen10" "release" [
- self.nixosModules.disko-basic-partition-v1
+ self.nixosModules.disko-ab-partitions-v1
 {
 ghaf = {
 hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen10.nix";
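Review bot: In the x86_64-linux.nix hunk, `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` ties every x86_64 target's kernel to whatever the out-of-tree ZFS module currently builds against rather than to a deliberately chosen release, so the kernel moves whenever ZFS's supported range moves and can lag upstream fixes while ZFS catches up; that trade-off deserves an inline comment, e.g. `# ZFS is out-of-tree: kernel is pinned to the newest release its module supports (may lag upstream fixes)`. Because this is a plain assignment in a shared hardware module, it also overrides any `kernelPackages` a specific hardware definition sets unless that one uses a higher priority, which may surprise non-ZFS targets that share this file. `config` must be an argument of this module for the new line to evaluate, but the module header lies outside the hunk so that cannot be confirmed here. Adding `"zfs"` to `initrd.availableKernelModules` is presumably redundant once `supportedFilesystems` lists zfs, though harmless. Nixpkgs has since deprecated the `latestCompatibleLinuxPackages` attribute, so this pin will need revisiting on the next nixpkgs bump.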
@@ -40,7 +40,7 @@
 }
 ])
 (laptop-configuration "lenovo-x1-carbon-gen11" "release" [
- self.nixosModules.disko-basic-partition-v1
+ self.nixosModules.disko-ab-partitions-v1
 {
 ghaf = {
 hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen11.nix";