feat: idols-ai - add new data disk via disko (#250)

feat: luks automatic unlock via tpm2 chip for all physical hosts feat: enable login manager fix: Rename network interface config back following hardware change
2026-04-28 03:37:06 +02:00 · 2026-03-18 22:26:08 +08:00
parent 3dbc94c3de
commit f6aa45aa00
16 changed files with 121 additions and 81 deletions
--- a/hosts/idols-ai/disko-fs-data.nix
+++ b/hosts/idols-ai/disko-fs-data.nix
@@ -0,0 +1,62 @@
+# Disko layout for idols-ai data disk (LUKS + btrfs, mount at /persistent/data).
+#
+# Destroy, format & mount (wipes disk; from nixos-installer: cd nix-config/nixos-installer):
+#   nix run github:nix-community/disko -- --mode destroy,format,mount ../hosts/idols-ai/disko-fs-data.nix
+# Mount only (after first format):
+#   nix run github:nix-community/disko -- --mode mount ../hosts/idols-ai/disko-fs-data.nix
+#
+{
+  disko.devices = {
+    disk.data = {
+      type = "disk";
+      device = "/dev/disk/by-id/nvme-Fanxiang_S790_2TB_FXS790254050582";
+      content = {
+        type = "gpt";
+        partitions = {
+          datapart = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "data-luks"; # Mapper name; match boot.initrd.luks
+              settings = {
+                allowDiscards = true; # TRIM for SSDs; slightly less secure, better performance
+              };
+              # Add boot.initrd.luks.devices so initrd prompts for passphrase at boot
+              initrdUnlock = true;
+              # cryptsetup luksFormat options
+              extraFormatArgs = [
+                "--type luks2"
+                "--cipher aes-xts-plain64"
+                "--hash sha512"
+                "--iter-time 5000"
+                "--key-size 256"
+                "--pbkdf argon2id"
+                "--use-random" # Block until enough entropy from /dev/random
+              ];
+              extraOpenArgs = [
+                "--timeout 10"
+              ];
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Force overwrite if filesystem already exists
+                subvolumes = {
+                  "@data" = {
+                    mountpoint = "/data";
+                    mountOptions = [
+                      "compress-force=zstd:1"
+                    ];
+                  };
+                };
+                postMountHook = ''
+                  chown ryan:users /mnt/data
+                  # Set SGID + rwx for owner/group, read-only for others; new files inherit group
+                  chmod 2755 /mnt/data
+                '';
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}