From 2e8d0680706f15a645e1659563b03e9f3126e5f4 Mon Sep 17 00:00:00 2001
From: ryan4yin
Date: Sun, 26 Nov 2023 16:12:38 +0000
Subject: [PATCH] feat: encrypted boot partition, fix nix.gc args
---
 hosts/idols/ai/hardware-configuration.nix | 37 +++++++++++++++++------
 modules/darwin/nix-core.nix | 2 +-
 modules/nixos/core-server.nix | 2 +-
 3 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/hosts/idols/ai/hardware-configuration.nix b/hosts/idols/ai/hardware-configuration.nix
index 9263872d..8c33b013 100644
--- a/hosts/idols/ai/hardware-configuration.nix
+++ b/hosts/idols/ai/hardware-configuration.nix
@@ -11,7 +11,7 @@
  # Use the EFI boot loader.
  boot.loader.efi.canTouchEfiVariables = true;
  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
- boot.loader.efi.efiSysMountPoint = "/boot";
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.loader.grub = {
  enable = true;
  device = "nodev";
@@ -20,7 +20,7 @@
  # if you use an encrypted /boot partition, you should enable this option.
  # grub 2.12-rc1 support only luks1 and luks2+pbkdf2,
  # so the /boot partition can only use those two luks encrypt format.
- # enableCryptodisk = true;
+ enableCryptodisk = true;
  };
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
@@ -28,12 +28,6 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
- fsType = "btrfs";
- options = [ "subvol=@root" ];
- };
-
  boot.initrd = {
  # encrypted-nixos is the root filesystem of nixos
  # it's unlocked by a keyfile or passphrase.
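Review bot: The changed `efiSysMountPoint` line moves the ESP to `/boot/efi`, but the comment above it still only says to pick whichever path matches the mounts; since this same commit turns on `enableCryptodisk`, the comment should make clear that the ESP is not encrypted, so a reader does not assume the whole boot chain is covered. Suggested replacement comment: `# /boot/efi is the unencrypted ESP; only /boot, which holds the initrd (and kernel), is LUKS-protected.` That the boot loader's EFI image is what sits on the ESP is inferred from the surrounding grub configuration rather than shown in this hunk. The `boot.loader.grub` attribute set continues past the end of the hunk.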
@@ -50,6 +44,19 @@
  # it's less secure, but faster.
  allowDiscards = true;
  };
+
+ luks.devices."crypted-boot" = {
+ device = "/dev/nvme0n1p3";
+ # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
+ # if not specified, you will be prompted for a passphrase instead.
+ #keyFile = "/keyfile.bin";
+
+ # whether to allow TRIM requests to the underlying device.
+ # it's less secure, but faster.
+ # boot partition do not require fast speed, so we disable it.
+ allowDiscards = false;
+ };
+
+
  # secrets to append to the initrd.
  # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition!
  secrets = {
@@ -59,6 +66,13 @@
  };
  };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
+ fsType = "btrfs";
+ options = [ "subvol=@root" ];
+ };
+
+
  fileSystems."/nix" =
  { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
  fsType = "btrfs";
@@ -78,7 +92,12 @@
  };
  fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/B63C-4887";
+ { device = "/dev/mapper/crypted-boot";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot/efi" =
+ { device = "/dev/nvme0n1p1";
  fsType = "vfat";
  };
diff --git a/modules/darwin/nix-core.nix b/modules/darwin/nix-core.nix
index 031277bf..5972628c 100644
--- a/modules/darwin/nix-core.nix
+++ b/modules/darwin/nix-core.nix
@@ -32,7 +32,7 @@
  # do garbage collection weekly to keep disk usage low
  nix.gc = {
  automatic = lib.mkDefault true;
- options = lib.mkDefault "--delete-older-than 1w";
+ options = lib.mkDefault "--delete-older-than 7d";
  };
  # Manual optimise storage: nix-store --optimise
diff --git a/modules/nixos/core-server.nix b/modules/nixos/core-server.nix
index d3203e74..a98fbf49 100644
--- a/modules/nixos/core-server.nix
+++ b/modules/nixos/core-server.nix
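Review bot: `luks.devices."crypted-boot".device` points at the kernel name `/dev/nvme0n1p3`, while every other device in this file is addressed through `/dev/disk/by-uuid/...`; NVMe enumeration order is not guaranteed to stay the same across controller or firmware changes, so the initrd could try to open a different partition than intended. Prefer `device = "/dev/disk/by-uuid/<uuid-of-the-crypted-boot-luks-container>";` (placeholder, the value is not on the page), and the same applies to `/dev/nvme0n1p1` in the new `fileSystems."/boot/efi"` entry of the `@@ -78,7 +92,12 @@` hunk. Because GRUB also has to open this container once `enableCryptodisk` is set, a comment on this block stating that it must be LUKS1 or LUKS2 with PBKDF2, as the earlier grub comment in the file requires, would keep that constraint next to the device it applies to. The `boot.initrd` attribute set enclosing this hunk starts and ends outside it.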
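Review bot: The new `7d` value corrects the argument, but nothing in the hunk records why `1w` was wrong, so the next reader may revert it to the more readable week spelling; `nix-collect-garbage --delete-older-than` accepts only a day count with a `d` suffix. Suggested comment above the `options` line: `# --delete-older-than only accepts a day count such as 7d; "1w" is not a valid period.` The identical change in `modules/nixos/core-server.nix` (the hunk after this one) would take the same comment.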
@@ -16,7 +16,7 @@
  nix.gc = {
  automatic = lib.mkDefault true;
  dates = lib.mkDefault "weekly";
- options = lib.mkDefault "--delete-older-than 1w";
+ options = lib.mkDefault "--delete-older-than 7d";
  };
  nix.settings = {