Merge pull request #156 from ryan4yin/data-crypted

feat: data-crypted
2026-04-24 01:38:28 +02:00 · 2024-08-17 02:28:12 +08:00
parent df1f9b0070 d853036fb1
commit e8be41f8e1
5 changed files with 89 additions and 33 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -470,10 +470,10 @@
    "mysecrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1722412796,
+        "lastModified": 1723827270,
-        "narHash": "sha256-bV+DbfqItujekh62XWpqC2ldkw6KqAo6LOpKLh9M7Sc=",
+        "narHash": "sha256-nBq/Sp7u+riKV7xNWq85+owzUGfWdpKdq3qR/0PYTSU=",
        "ref": "refs/heads/main",
-        "rev": "8e3cf78c9f6b016625681f668e154b3705851a0d",
+        "rev": "f80a6c11f7b27e257e07f294b45c64a1369438a4",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
--- a/hosts/idols-aquamarine/disko-fs.nix
+++ b/hosts/idols-aquamarine/disko-fs.nix
@@ -1,42 +1,81 @@
 # auto disk partitioning:
 #   nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
 {
  fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
  disko.devices = {
-    disk.data-apps = {
+    disk.data-encrypted = {
      type = "disk";
-      device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
+      device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
      content = {
        type = "gpt";
-        partitions.data-apps = {
+        partitions = {
-          size = "100%";
+          luks = {
-          content = {
+            size = "100%";
-            type = "btrfs";
+            content = {
-            # extraArgs = ["-f"]; # Override existing partition
+              type = "luks";
-            subvolumes = {
+              name = "data-encrypted";
-              "@persistent" = {
+              settings = {
-                mountpoint = "/data/apps";
+                keyFile = "/etc/agenix/hdd-luks-crypt-key";
-                mountOptions = [
+                # The maximum size of the keyfile is 8192 KiB
-                  "compress-force=zstd:1"
+                # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
-                  # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
+                # to generate a key file:
-                  "nofail"
+                #    dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
-                ];
+                keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
                keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
                fallbackToPassword = true;
                allowDiscards = true;
              };
-              "@backups" = {
+
-                mountpoint = "/data/backups";
+              # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
-                mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+              # cryptsetup luksFormat
-              };
+              extraFormatArgs = [
-              "@snapshots" = {
+                "--type luks2"
-                mountpoint = "/data/apps-snapshots";
+                "--cipher aes-xts-plain64"
-                mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+                "--hash sha512"
                "--iter-time 5000"
                "--key-size 256"
                "--pbkdf argon2id"
                # use true random data from /dev/random, will block until enough entropy is available
                "--use-random"
              ];
              extraOpenArgs = [
                "--timeout 10"
              ];
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Force override existing partition
                subvolumes = {
                  "@apps" = {
                    mountpoint = "/data/apps";
                    mountOptions = [
                      "compress-force=zstd:1"
                      # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
                      "nofail"
                    ];
                  };
                  "@fileshare" = {
                    mountpoint = "/data/fileshare";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                  "@backups" = {
                    mountpoint = "/data/backups";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                  "@snapshots" = {
                    mountpoint = "/data/apps-snapshots";
                    mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
                  };
                };
              };
            };
          };
        };
      };
    };
-    disk.data-fileshare = {
+    disk.data-public = {
      type = "disk";
-      device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
+      device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
      content = {
        type = "gpt";
        partitions.data-fileshare = {
@@ -46,13 +85,9 @@
            # extraArgs = ["-f"]; # Override existing partition
            subvolumes = {
              "@persistent" = {
-                mountpoint = "/data/fileshare";
+                mountpoint = "/data/fileshare/public";
                mountOptions = ["compress-force=zstd:1" "nofail"];
              };
              "@snapshots" = {
                mountpoint = "/data/fileshare-snapshots";
                mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
              };
            };
          };
        };
--- a/hosts/idols-aquamarine/transmission.nix
+++ b/hosts/idols-aquamarine/transmission.nix
@@ -3,7 +3,7 @@
  myvars,
  ...
 }: let
-  dataDir = "/data/apps/transmission";
+  dataDir = "/data/fileshare/public/transmission";
  name = "transmission";
 in {
  # the headless Transmission BitTorrent daemon
--- a/outputs/x86_64-linux/src/idols-aquamarine.nix
+++ b/outputs/x86_64-linux/src/idols-aquamarine.nix
@@ -29,6 +29,7 @@
        {modules.secrets.server.application.enable = true;}
        {modules.secrets.server.operation.enable = true;}
        {modules.secrets.server.webserver.enable = true;}
        {modules.secrets.server.storage.enable = true;}
      ];
    home-modules = map mylib.relativeToRoot [
      "home/linux/tui.nix"
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -35,6 +35,7 @@ in {
    server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
    server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
    server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
    server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";
    impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
  };
@@ -249,5 +250,24 @@ in {
          };
        };
      })
      (mkIf cfg.server.storage.enable {
        age.secrets = {
          "hdd-luks-crypt-key" = {
            file = "${mysecrets}/hdd-luks-crypt-key.age";
            mode = "0400";
            owner = "root";
          };
        };
        # place secrets in /etc/
        environment.etc = {
          "agenix/hdd-luks-crypt-key" = {
            source = config.age.secrets."hdd-luks-crypt-key".path;
            mode = "0400";
            user = "root";
          };
        };
      })
    ]);
 }