mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-03-26 03:11:32 +01:00
f6aa45aa00
feat: luks automatic unlock via tpm2 chip for all physical hosts feat: enable login manager fix: Rename network interface config back following hardware change
63 lines
2.2 KiB
Nix
63 lines
2.2 KiB
Nix
# Disko layout for idols-ai data disk (LUKS + btrfs, mount at /persistent/data).
|
|
#
|
|
# Destroy, format & mount (wipes disk; from nixos-installer: cd nix-config/nixos-installer):
|
|
# nix run github:nix-community/disko -- --mode destroy,format,mount ../hosts/idols-ai/disko-fs-data.nix
|
|
# Mount only (after first format):
|
|
# nix run github:nix-community/disko -- --mode mount ../hosts/idols-ai/disko-fs-data.nix
|
|
#
|
|
{
|
|
disko.devices = {
|
|
disk.data = {
|
|
type = "disk";
|
|
device = "/dev/disk/by-id/nvme-Fanxiang_S790_2TB_FXS790254050582";
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
datapart = {
|
|
size = "100%";
|
|
content = {
|
|
type = "luks";
|
|
name = "data-luks"; # Mapper name; match boot.initrd.luks
|
|
settings = {
|
|
allowDiscards = true; # TRIM for SSDs; slightly less secure, better performance
|
|
};
|
|
# Add boot.initrd.luks.devices so initrd prompts for passphrase at boot
|
|
initrdUnlock = true;
|
|
# cryptsetup luksFormat options
|
|
extraFormatArgs = [
|
|
"--type luks2"
|
|
"--cipher aes-xts-plain64"
|
|
"--hash sha512"
|
|
"--iter-time 5000"
|
|
"--key-size 256"
|
|
"--pbkdf argon2id"
|
|
"--use-random" # Block until enough entropy from /dev/random
|
|
];
|
|
extraOpenArgs = [
|
|
"--timeout 10"
|
|
];
|
|
content = {
|
|
type = "btrfs";
|
|
extraArgs = [ "-f" ]; # Force overwrite if filesystem already exists
|
|
subvolumes = {
|
|
"@data" = {
|
|
mountpoint = "/data";
|
|
mountOptions = [
|
|
"compress-force=zstd:1"
|
|
];
|
|
};
|
|
};
|
|
postMountHook = ''
|
|
chown ryan:users /mnt/data
|
|
# Set SGID + rwx for owner/group, read-only for others; new files inherit group
|
|
chmod 2755 /mnt/data
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|