From 077753652fb257d02702e4efda6761755aa94216 Mon Sep 17 00:00:00 2001
From: Kat Inskip
Date: Thu, 4 Dec 2025 03:40:39 -0800
Subject: [PATCH] feat: fuuuck
---
 TODO.md | 14 ++++
 nixos/hardware/amd.nix | 1 +
 .../profiles/bootable/loader-config-limit.nix | 1 +
 systems/koishi.nix | 79 ++++++++++++++++++-
 tf/services.tf | 2 +-
 5 files changed, 92 insertions(+), 5 deletions(-)
 create mode 100644 TODO.md
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 00000000..5676cc15
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,14 @@
+# To-dos
+
+## New service deployments
+
+- [ ] Fauna
+- [ ] Immich
+
+## Migrations
+
+- [ ] Move away from flakes to either npins or lon (not that they replied; https://github.com/nikstur/lon/issues/57#issue-3652308987)
+- [ ] Move to a setup similar to https://notashelf.dev/posts/impermanence - investigate encrypted swap WITH hibernation support
+- [ ] Move away from gmail fully
+- [ ] Move away from Discord primarily
+- [ ] Move away from Spotify fully
diff --git a/nixos/hardware/amd.nix b/nixos/hardware/amd.nix
index 8eb8ac9f..541df232 100644
--- a/nixos/hardware/amd.nix
+++ b/nixos/hardware/amd.nix
@@ -3,6 +3,7 @@
 blacklistedKernelModules = ["k10temp"];
 extraModulePackages = [config.boot.kernelPackages.zenpower];
 kernelModules = ["zenpower"];
+ kernelParams = ["microcode.amd_sha_check=off"];
 };
 services.ucodenix.enable = true;
 }
diff --git a/nixos/profiles/bootable/loader-config-limit.nix b/nixos/profiles/bootable/loader-config-limit.nix
index 8c692329..c2acc108 100644
--- a/nixos/profiles/bootable/loader-config-limit.nix
+++ b/nixos/profiles/bootable/loader-config-limit.nix
@@ -4,5 +4,6 @@ _: {
 grub.configurationLimit = 8;
 systemd-boot.configurationLimit = 8;
 };
+ lanzaboote.configurationLimit = 5;
 };
 }
diff --git a/systems/koishi.nix b/systems/koishi.nix
index 91833027..cec359ee 100644
--- a/systems/koishi.nix
+++ b/systems/koishi.nix
@@ -1,6 +1,8 @@
 _: let
 hostConfig = {
 tree,
+ pkgs,
+ utils,
 lib,
 ...
 }: let
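Review bot: `kernelParams = ["microcode.amd_sha_check=off"]` in amd.nix switches off the SHA256 verification the kernel performs on AMD microcode patches before applying them, so the early loader will hand the CPU whatever patch it is given without the kernel checking it against its list of known-good hashes; since this lives in the shared hardware profile it applies to every host importing it, not only the machine reworked in this commit. If the motivation is that `services.ucodenix` ships a patch newer than the kernel's hash table, record that on the line, e.g. `# ucodenix ships microcode newer than the kernel's hash table; drop once the kernel carries the hash`, and consider moving the parameter to the host that needs it. The enclosing `boot = { ... }` attribute set starts outside the hunk.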
@@ -37,9 +39,9 @@ _: let
 };
 };
 swap = rec {
- raw = "/dev/disk/by-id/nvme-CT1000P5PSSD8_22343AC9A481-part2";
 result = {
- device = raw;
+ device = "/dev/mapper/cryptswap";
+ options = ["x-systemd.device-timeout=15s" "nofail" "x-systemd.wants=systemd-cryptsetup@cryptswap.service"];
 randomEncryption = false; # fix hibernation
 };
 };
@@ -56,6 +58,7 @@ _: let
 laptop
 gaming
 performance
+ secureboot
 ])
 ++ (with tree.nixos.environments; [
 niri
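Review bot: `swap = rec {` no longer needs `rec` once `raw` is removed, because `result` references nothing else in the set; `swap = {` reads cleaner. Separately, `nofail` together with `x-systemd.device-timeout=15s` means that if `systemd-cryptsetup@cryptswap.service` fails (for instance because the key file under `/boot-keystore` is not readable at that point) the system boots silently without swap and, presumably, without a resume target, so the hibernation this entry is meant to fix would degrade without any visible error; a comment on the `options` line stating that this is the intended trade-off would help the next reader. The enclosing `drives` attribute set starts and ends outside the hunk.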
@@ -88,19 +91,87 @@ _: let datasetEntries // { "/boot" = drives.boot.result; + "/boot-keystore" = { + #neededForBoot = true; + device = "/dev/mapper/boot-keystore"; + fsType = "ext4"; + noCheck = true; + options = ["ro"]; + }; }; + systemd.enableEmergencyMode = true; + boot.initrd = { + systemd = { + emergencyAccess = true; + mounts = let + inherit (utils) escapeSystemdPath; + # maybe add a require for the /dev/mapper + sysrooty = escapeSystemdPath "/sysroot"; + requiredBy = [ + "${sysrooty}.mount" + ]; #"systemd-cryptsetup@cryptswap.service" ]; + requires = ["systemd-cryptsetup@boot-keystore.service"]; + in [ + { + where = "/boot-keystore"; + what = "/dev/mapper/boot-keystore"; + type = "ext4"; + options = "ro"; + unitConfig = { + }; + before = requiredBy; + wantedBy = requiredBy; + inherit requires; + after = requires; + } + { + where = "/sysroot/boot-keystore"; + what = "/boot-keystore"; + type = "none"; + options = "bind"; + unitConfig = { + RequiresMountsFor = [ + "/boot-keystore" + "/sysroot" + ]; + }; + } + ]; + }; + luks.devices = { + "boot-keystore".device = "/dev/disk/by-uuid/d80f77bb-fd82-43dd-9aa4-05da8d2b6154"; + "cryptswap" = { + device = "/dev/disk/by-uuid/94948ee7-8c89-4b60-bd8c-68171b488d19"; + keyFile = "/boot-keystore/swapkey"; + }; + }; + }; + + environment.etc.crypttab = let + raw = "/dev/disk/by-uuid/94948ee7-8c89-4b60-bd8c-68171b488d19"; + in { + mode = "0600"; + text = '' + cryptswap ${raw} /boot-keystore/swapkey keyfile-timeout=5s + ''; + }; + + #boot.resumeDevice = "/dev/mapper/cryptswap"; + swapDevices = [ drives.swap.result ]; + environment.systemPackages = [ + pkgs.e2fsprogs + ]; + powerManagement.enable = true; boot = { loader = { - grub.useOSProber = true; #systemd-boot.enable = lib.mkForce false; - systemd-boot.enable = true; }; zfs = { forceImportRoot = false; diff --git a/tf/services.tf b/tf/services.tf index 20655060..e4a104e1 100644 --- a/tf/services.tf +++ b/tf/services.tf 
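Review bot: `emergencyAccess = true` under `boot.initrd.systemd` (paired with `systemd.enableEmergencyMode = true`) drops into a root shell with no authentication whenever stage 1 fails, and if the failure happens after `systemd-cryptsetup@boot-keystore.service` has run, that shell can read `/boot-keystore/swapkey` and the opened LUKS mappings without the passphrase that otherwise guards them; on a host that this same commit moves to the `secureboot` profile and a LUKS keystore, that gives up most of what the keystore provides. The option also accepts a password hash, so `emergencyAccess = config.users.users.root.hashedPassword;` (with `config` added to hostConfig's arguments) keeps the recovery shell while requiring a login, and if an open shell is deliberately wanted during the migration a comment saying so would make that explicit. Smaller points in the same hunk: the UUID `94948ee7-8c89-4b60-bd8c-68171b488d19` appears both in `luks.devices.cryptswap.device` and in the crypttab `raw` binding, where a single `let` binding would keep them from drifting, and the empty `unitConfig = { };` on the first mount entry looks like a leftover. The enclosing `hostConfig` body continues outside the hunk on both sides.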
@@ -93,7 +93,7 @@ resource "cloudflare_record" "webmail" {
 proxied = false
 ttl = 3600
 type = "CNAME"
- value = "rinnosukeinskip.me"
+ value = "rinnosuke.inskip.me"
 zone_id = local.zone_ids.kittywitch
 }