feat: encrypted boot partition, fix nix.gc args

2026-03-20 08:34:28 +01:00 · 2023-11-26 16:12:38 +00:00
parent ee606e5518
commit 2e8d068070
3 changed files with 30 additions and 11 deletions
--- a/hosts/idols/ai/hardware-configuration.nix
+++ b/hosts/idols/ai/hardware-configuration.nix
@@ -11,7 +11,7 @@
  # Use the EFI boot loader.
  boot.loader.efi.canTouchEfiVariables = true;
  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
-  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.loader.grub = {
    enable = true;
    device = "nodev";
@@ -20,7 +20,7 @@
    # if you use an encrypted /boot partition, you should enable this option.
    # grub 2.12-rc1 support only luks1 and luks2+pbkdf2,
    # so the /boot partition can only use those two luks encrypt format.
-    # enableCryptodisk = true;
+    enableCryptodisk = true;
  };

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
@@ -28,12 +28,6 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
-      fsType = "btrfs";
-      options = [ "subvol=@root" ];
-    };
-
  boot.initrd = {
    # encrypted-nixos is the root filesystem of nixos
    # it's unlocked by a keyfile or passphrase.
@@ -50,6 +44,19 @@
      # it's less secure, but faster.
      allowDiscards = true;
    };
+
+    luks.devices."crypted-boot" = {
+      device = "/dev/nvme0n1p3";
+      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
+      # if not specified, you will be prompted for a passphrase instead.
+      #keyFile = "/keyfile.bin";
+
+      # whether to allow TRIM requests to the underlying device.
+      # it's less secure, but faster.
+      # boot partition do not require fast speed, so we disable it.
+      allowDiscards = false;
+    };
+
    # secrets to append to the initrd.
    # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition!
    secrets = {
@@ -59,6 +66,13 @@
    };
  };

+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+      fsType = "btrfs";
+      options = [ "subvol=@root" ];
+    };
+
  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
      fsType = "btrfs";
@@ -78,7 +92,12 @@
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/B63C-4887";
+    { device = "/dev/mapper/crypted-boot";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot/efi" =
+    { device = "/dev/nvme0n1p1";
      fsType = "vfat";
    };

--- a/modules/darwin/nix-core.nix
+++ b/modules/darwin/nix-core.nix
@@ -32,7 +32,7 @@
  # do garbage collection weekly to keep disk usage low
  nix.gc = {
    automatic = lib.mkDefault true;
-    options = lib.mkDefault "--delete-older-than 1w";
+    options = lib.mkDefault "--delete-older-than 7d";
  };

  # Manual optimise storage: nix-store --optimise
--- a/modules/nixos/core-server.nix
+++ b/modules/nixos/core-server.nix
@@ -16,7 +16,7 @@
  nix.gc = {
    automatic = lib.mkDefault true;
    dates = lib.mkDefault "weekly";
-    options = lib.mkDefault "--delete-older-than 1w";
+    options = lib.mkDefault "--delete-older-than 7d";
  };

  nix.settings = {