fix: include modifications missed by 528447c

Previous commit only picked up the new files (branding.nix, hardware-db.sh).
This adds the matching wires:

- core/system/default.nix: import branding.nix
- flake.nix: expose overlays.default = nomarchyOverlay for downstream flakes
- installer/disko-golden.nix: 1 GiB /boot, @snapshots subvolume, LUKS key
  via /dev/shm
- installer/install.sh: hardware auto-detect, hostname prompt, pinned
  nomarchy commit, shared pkgs in generated flake, flake.lock generation,
  post-install home-manager switch via nixos-enter

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bernardo Magri
2026-04-25 10:07:17 +01:00
parent 528447cc19
commit 04512eabcd
4 changed files with 299 additions and 106 deletions


@@ -17,12 +17,13 @@
content = {
type = "gpt";
partitions = {
# EFI System Partition
# EFI System Partition. 1 GiB leaves room for several kernel
# generations + initrd + Plymouth assets without filling up.
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
end = "1G";
type = "EF00";
content = {
type = "filesystem";
@@ -32,16 +33,17 @@
};
};
# LUKS-encrypted root partition
# LUKS-encrypted root partition. The installer writes the
# passphrase to an in-memory tmpfs (/dev/shm/nomarchy-luks.key)
# rather than the spinning /tmp so the secret never touches disk.
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# Password will be provided via /tmp/secret.key
settings = {
allowDiscards = true; # Enable TRIM for SSDs
passwordFile = "/tmp/secret.key";
passwordFile = "/dev/shm/nomarchy-luks.key";
};
content = {
type = "btrfs";
@@ -76,6 +78,13 @@
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" ];
};
# Snapshots — kept off the rolled-back root so tools like
# snapper / btrbk / nomarchy-rollback have a stable home.
"@snapshots" = {
mountpoint = "/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
};
};
# Create a read-only snapshot of root for impermanence rollback
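Review bot: The comment added above `luks` says the passphrase "never touches disk", but `/dev/shm` only guarantees that while no swap is active, because tmpfs pages can be swapped out. `/dev/shm` is also a world-writable directory and the key uses a fixed name, so the file's mode and lifetime matter. Nothing in this section shows the key being created with restrictive permissions or removed once disko has formatted the volume; presumably install.sh handles both, but that file is outside this view. I would make the comment state what is actually relied on, e.g. `# install.sh must create this file with mode 0600 before disko runs and delete it afterwards; tmpfs stays off disk only while swap is disabled.` The `luks` attribute set continues past the end of its hunk.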