WIP: kommode: use disko to configure disks

flake.nix

@@ -147,7 +147,7 @@
     in {
       bakke = stableNixosConfig "bakke" {
         modules = [
-          disko.nixosModules.disko
+          inputs.disko.nixosModules.disko
         ];
       };
       bicep = stableNixosConfig "bicep" {
@@ -195,6 +195,7 @@
         ];
         modules = [
           inputs.nix-gitea-themes.nixosModules.default
+          inputs.disko.nixosModules.disko
         ];
       };
 

hosts/bekkalokk/services/well-known/root/security.txt

@@ -6,7 +6,11 @@ Contact: mailto:cert@pvv.ntnu.no
 Preferred-Languages: no, en
 
 Expires: 2032-12-31T23:59:59.000Z
-# This file was last updated 2024-09-14.
+# This file was last updated 2026-02-27.
 
 # You can find a wikipage for our security policies at:
 # https://wiki.pvv.ntnu.no/wiki/CERT
+
+# Please note that we are a student organization, and unfortunately we do not
+# have a bug bounty program or offer monetary compensation for disclosure of
+# security vulnerabilities.

hosts/bicep/services/mysql.nix

@@ -1,4 +1,8 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+  cfg = config.services.mysql;
+  dataDir = "/data/mysql";
+in
 {
   sops.secrets."mysql/password" = {
     owner = "mysql";
@@ -9,7 +13,6 @@
 
   services.mysql = {
     enable = true;
-    dataDir = "/data/mysql";
     package = pkgs.mariadb;
     settings = {
       mysqld = {
@@ -36,14 +39,27 @@
     }];
   };
 
-  services.mysqlBackup = {
+  services.mysqlBackup = lib.mkIf cfg.enable {
     enable = true;
     location = "/var/lib/mysql/backups";
   };
 
-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
+
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    inherit (cfg) user group;
+    mode = "0700";
+  };
+
+  systemd.services.mysql = lib.mkIf cfg.enable {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
+    ];
+
+    serviceConfig = {
+      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
 
-  systemd.services.mysql.serviceConfig = {
       IPAddressDeny = "any";
       IPAddressAllow = [
         values.ipv4-space
@@ -52,4 +68,5 @@
         values.hosts.ildkule.ipv6
       ];
     };
+  };
 }

hosts/kommode/configuration.nix

@@ -4,6 +4,7 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     (fp /base)
+    ./disks.nix
 
     ./services/gitea
     ./services/nginx.nix

hosts/kommode/disks.nix

@@ -0,0 +1,80 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            root = {
+              name = "root";
+              label = "root";
+              start = "1MiB";
+              end = "-5G";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # subvolumes = let
+                #   makeSnapshottable = subvolPath: mountOptions: let
+                #     name = lib.replaceString "/" "-" subvolPath;
+                #   in {
+                #     "@${name}/active" = {
+                #       mountPoint = subvolPath;
+                #       inherit mountOptions;
+                #     };
+                #     "@${name}/snapshots" = {
+                #       mountPoint = "${subvolPath}/.snapshots";
+                #       inherit mountOptions;
+                #     };
+                #   };
+                # in {
+                #   "@" = { };
+                #   "@/swap" = {
+                #     mountpoint = "/.swapvol";
+                #     swap.swapfile.size = "4G";
+                #   };
+                #   "@/root" = {
+                #     mountpoint = "/";
+                #     mountOptions = [ "compress=zstd" "noatime" ];
+                #   };
+                # }
+                # // (makeSnapshottable "/home" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/nix" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/lib" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/log" [ "compress=zstd" "noatime" ])
+                # // (makeSnapshottable "/var/cache" [ "compress=zstd" "noatime" ]);
+
+                # swap.swapfile.size = "4G";
+                mountpoint = "/";
+              };
+            };
+
+            swap = {
+              name = "swap";
+              label = "swap";
+              start = "-5G";
+              end = "-1G";
+              content.type = "swap";
+            };
+
+            ESP = {
+              name = "ESP";
+              label = "ESP";
+              start = "-1G";
+              end = "100%";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/kommode/hardware-configuration.nix

@@ -13,21 +13,6 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/d421538f-a260-44ae-8e03-47cac369dcc1";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/86CD-4C23";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/4cfbb41e-801f-40dd-8c58-0a0c1a6025f6"; }
-    ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction