starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-01-11 12:30:23 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
13bb77108c9bee6e61ec4023385d8129907653dd
nix-config/hosts/idols-aquamarine/disko-fs.nix

129 lines
4.6 KiB
Nix
Raw Blame History

# auto disk partitioning:
# nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
let
cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key";
unlockDisk = "data-encrypted";
in
{
fileSystems."/data/fileshare/public".depends = [ "/data/fileshare" ];
# By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time.
# This systemd service is running after agenix, so that the keyfile is already available.
environment.etc = {
"crypttab".text = ''
${unlockDisk} /dev/disk/by-partlabel/disk-${unlockDisk}-luks ${cryptKeyFile} luks,discard,keyfile-size=32768,keyfile-offset=65536
'';
};
disko.devices = {
disk.data-encrypted = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "data-encrypted";
settings = {
keyFile = cryptKeyFile;
# The maximum size of the keyfile is 8192 KiB
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
# to generate a key file:
# dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
# The keyfile do not exist before agenix decrypts its data, do we have to disable this option.
# Otherwise, the initrd will fail to unlock the disk, which causes the boot process to fail.
initrdUnlock = false;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Force override existing partition
subvolumes = {
"@apps" = {
mountpoint = "/data/apps";
mountOptions = [
"compress-force=zstd:1"
# https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
"nofail"
];
};
"@fileshare" = {
mountpoint = "/data/fileshare";
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
"@backups" = {
mountpoint = "/data/backups";
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
"@snapshots" = {
mountpoint = "/data/apps-snapshots";
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
};
};
};
};
};
};
};
disk.data-public = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
content = {
type = "gpt";
partitions.data-fileshare = {
size = "100%";
content = {
type = "btrfs";
# extraArgs = ["-f"]; # Override existing partition
subvolumes = {
"@persistent" = {
mountpoint = "/data/fileshare/public";
mountOptions = [
"compress-force=zstd:1"
"nofail"
];
};
};
};
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink