feat: encrypted root partition with btrfs(except /boot partition)

2026-03-20 16:13:53 +01:00 · 2023-11-26 19:15:03 +08:00
parent ada780afc8
commit 5e0c7e90ff
2 changed files with 79 additions and 32 deletions
--- a/hosts/idols/ai/default.nix
+++ b/hosts/idols/ai/default.nix
@@ -37,15 +37,6 @@
  ];

  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
-  # Bootloader.
-  boot.loader = {
-    efi = {
-      canTouchEfiVariables = true;
-      efiSysMountPoint = "/boot/efi"; # ← use the same mount point here.
-    };
-    systemd-boot.enable = true;
-
-  };

  networking = {
    hostName = "ai";
@@ -106,5 +97,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.11"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/idols/ai/hardware-configuration.nix
+++ b/hosts/idols/ai/hardware-configuration.nix
@@ -1,34 +1,90 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
 {
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];

-  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = ["kvm-intel"];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/231466f6-cdf3-40e1-b9d2-6b4e8d10a4d3";
-    fsType = "btrfs";
-    options = ["subvol=@"];
+  # Use the EFI boot loader.
+  boot.loader.efi.canTouchEfiVariables = true;
+  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.grub = {
+    enable = true;
+    device = "nodev";
+    efiSupport = true;
+    useOSProber = true; # automatically add other OSs into grub menu
+    # if you use an encrypted /boot partition, you should enable this option.
+    # grub 2.12-rc1 support only luks1 and luks2+pbkdf2,
+    # so the /boot partition can only use those two luks encrypt format.
+    # enableCryptodisk = true;
  };

-  fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-uuid/87ED-8B2E";
-    fsType = "vfat";
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+      fsType = "btrfs";
+      options = [ "subvol=@root" ];
+    };
+
+  boot.initrd = {
+    # encrypted-nixos is the root filesystem of nixos
+    # it's unlocked by a keyfile or passphrase.
+    # the root filesystem's unlock method is implemented in initrd(initramfs)
+    # since /boot is another separat partition, we can use LUKS2 + argon2 for best security,
+    # and do not need to take care of grub2's compatibility with luks.
+    luks.devices."crypted-nixos" = {
+      device = "/dev/disk/by-uuid/a31454b6-e2ad-4175-8013-70cfdcbfeaac";
+      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
+      # if not specified, you will be prompted for a passphrase instead.
+      #keyFile = "/keyfile.bin";
+
+      # whether to allow TRIM requests to the underlying device.
+      # it's less secure, but faster.
+      allowDiscards = true;
+    };
+    # secrets to append to the initrd.
+    # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition!
+    secrets = {
+      # Format:
+      #   file-path inside initrd  =  the source path it should be copied from.
+      # "/keyfile.bin" = "/etc/secrets/initrd/keyfile.bin";
+    };
  };

-  swapDevices = [{device = "/dev/disk/by-uuid/17391ca0-8cdb-4598-a40b-fd9548fd9b37";}];
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/swap" =
+    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+      fsType = "btrfs";
+      options = [ "subvol=@swap" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B63C-4887";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/swap/swapfile"; }
+    ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's