mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-04-25 09:28:27 +02:00
f6aa45aa00
feat: luks automatic unlock via tpm2 chip for all physical hosts feat: enable login manager fix: Rename network interface config back following hardware change
120 lines
4.0 KiB
Nix
120 lines
4.0 KiB
Nix
{
|
|
# required by preservation
|
|
fileSystems."/persistent".neededForBoot = true;
|
|
|
|
disko.devices = {
|
|
nodev."/" = {
|
|
fsType = "tmpfs";
|
|
mountOptions = [
|
|
"size=4G"
|
|
"defaults"
|
|
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
|
|
# relatime: Update inode access times relative to modify or change time.
|
|
"mode=755"
|
|
];
|
|
};
|
|
|
|
disk.main = {
|
|
type = "disk";
|
|
# When using disko-install, we will overwrite this value from the commandline
|
|
device = "/dev/nvme0n1"; # The device to partition
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
# The EFI & Boot partition
|
|
ESP = {
|
|
size = "630M";
|
|
type = "EF00";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
mountOptions = [
|
|
"fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
|
|
"dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
|
|
"noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
|
|
];
|
|
};
|
|
};
|
|
# The root partition
|
|
luks = {
|
|
size = "100%";
|
|
content = {
|
|
type = "luks";
|
|
name = "encrypted";
|
|
settings = {
|
|
# fallbackToPassword = true;
|
|
allowDiscards = true;
|
|
};
|
|
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
|
|
initrdUnlock = true;
|
|
|
|
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
|
|
# cryptsetup luksFormat
|
|
extraFormatArgs = [
|
|
"--type luks2"
|
|
"--cipher aes-xts-plain64"
|
|
"--hash sha512"
|
|
"--iter-time 5000"
|
|
"--key-size 256"
|
|
"--pbkdf argon2id"
|
|
# use true random data from /dev/random, will block until enough entropy is available
|
|
"--use-random"
|
|
];
|
|
extraOpenArgs = [
|
|
"--timeout 10"
|
|
];
|
|
content = {
|
|
type = "btrfs";
|
|
extraArgs = [ "-f" ]; # Force override existing partition
|
|
subvolumes = {
|
|
# mount the top-level subvolume at /btr_pool
|
|
# it will be used by btrbk to create snapshots
|
|
"/" = {
|
|
mountpoint = "/btr_pool";
|
|
# btrfs's top-level subvolume, internally has an id 5
|
|
# we can access all other subvolumes from this subvolume.
|
|
mountOptions = [ "subvolid=5" ];
|
|
};
|
|
"@nix" = {
|
|
mountpoint = "/nix";
|
|
mountOptions = [
|
|
"compress-force=zstd:1"
|
|
"noatime"
|
|
];
|
|
};
|
|
"@persistent" = {
|
|
mountpoint = "/persistent";
|
|
mountOptions = [
|
|
"compress-force=zstd:1"
|
|
"noatime"
|
|
];
|
|
};
|
|
"@tmp" = {
|
|
mountpoint = "/tmp";
|
|
mountOptions = [
|
|
"compress-force=zstd:1"
|
|
"noatime"
|
|
];
|
|
};
|
|
"@snapshots" = {
|
|
mountpoint = "/snapshots";
|
|
mountOptions = [
|
|
"compress-force=zstd:1"
|
|
"noatime"
|
|
];
|
|
};
|
|
"@swap" = {
|
|
mountpoint = "/swap";
|
|
swap.swapfile.size = "16384M";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|