{lib, ...}: {
# Pull in the disko (declarative partitioning) and impermanence (ephemeral
# root) NixOS modules exposed by the flake's `lib`. Fully-qualified paths
# instead of `with` make it obvious where each module comes from.
imports = [
  lib.nixosModules.disko
  lib.nixosModules.impermanence
];
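# Single-disk layout: a 1 MiB BIOS boot partition for GRUB's core image plus
# one LUKS container covering the rest of the disk, with btrfs inside it.
# /boot is a btrfs subvolume INSIDE the LUKS container, so GRUB has to unlock
# the container itself (boot.loader.grub.enableCryptodisk); the initrd then
# reuses the random key file generated below (see boot.initrd.secrets) so the
# user is not asked for the passphrase a second time.
disko.devices.disk.NixOS = {
  # NOTE(review): a bare /dev/sda is wiped by disko on install — confirm this
  # is the intended disk (a /dev/disk/by-id/... path is harder to get wrong).
  device = "/dev/sda";
  type = "disk";
  content = {
    type = "gpt";
    partitions = {
      # BIOS boot partition (GPT type EF02) holding GRUB's core image on a
      # BIOS/GPT system; it is never formatted or mounted.
      BSP = {
        type = "EF02";
        size = "1M";
      };
      Crypt = {
        size = "100%";
        content = {
          type = "luks";
          name = "crypt"; # opened as /dev/mapper/crypt
          # LUKS1 (PBKDF2 header) instead of the LUKS2/Argon2 default because
          # GRUB's cryptodisk must open this container on its own. The weaker
          # KDF is the price paid for keeping /boot encrypted; use a long
          # passphrase accordingly.
          extraFormatArgs = ["--type luks1"];
          content = {
            type = "btrfs";
            # Runs once at install time, after the subvolumes below exist:
            #  1. snapshot the fresh, empty "root" subvolume as the read-only
            #     "blank" baseline that boot.initrd.postDeviceCommands restores
            #     on every boot;
            #  2. generate a 4 KiB random key file on the (encrypted) /boot
            #     subvolume and enrol it as an additional LUKS key slot so the
            #     initrd can unlock without a second passphrase prompt.
            #     `luksAddKey` prompts for the existing passphrase.
            postCreateHook = ''
              btrfs="$(mktemp -d)"
              mount -o subvol=/ /dev/mapper/crypt "$btrfs"
              btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
              umount "$btrfs"
              # rmdir, not rm -rf: if the umount failed we must never recurse
              # into the still-mounted filesystem.
              rmdir "$btrfs"

              boot="$(mktemp -d)"
              mount -o subvol=/boot /dev/mapper/crypt "$boot"
              # The key file is a LUKS unlock secret. /boot is mounted as an
              # ordinary directory on the running system, so a file created
              # with the default umask would be readable by every local user.
              # Create it under a restrictive umask and pin it to root-only read.
              (umask 077; dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4)
              chmod 0400 "$boot/luks.bin"
              cryptsetup luksAddKey \
                /dev/disk/by-partlabel/disk-NixOS-Crypt \
                "$boot/luks.bin"
              umount "$boot"
              rmdir "$boot"
            '';
            # Every subvolume below is a separate snapshot/wipe unit. Only
            # "root" is thrown away at boot; the others persist across boots.
            subvolumes = {
              # Ephemeral root: replaced by the "blank" snapshot on every boot.
              "/root" = {
                mountpoint = "/";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              # Kernel, initrd (with luks.bin appended at activation) and the
              # key file itself — all inside the LUKS container.
              "/boot" = {
                mountpoint = "/boot";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              "/home" = {
                mountpoint = "/home";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              "/nix" = {
                mountpoint = "/nix";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              # Bind-mount source for environment.persistence."/persist".
              "/persist" = {
                mountpoint = "/persist";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              # Kept separate so logs survive the root wipe (see fileSystems
              # "/var/log".neededForBoot).
              "/log" = {
                mountpoint = "/var/log";
                mountOptions = [
                  "compress=zstd"
                  "noatime"
                ];
              };
              # 4 GiB swapfile; deliberately without compress=zstd since btrfs
              # swapfiles must not be compressed. Swap contents are encrypted
              # along with the rest of the container.
              "/swap" = {
                mountpoint = "/.swap";
                swap.swapfile.size = "4G";
              };
            };
          };
        };
      };
    };
  };
};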
# Both subvolumes must be mounted by stage 1 before switching root:
# /persist backs the impermanence bind mounts and /var/log must exist
# before the journal starts writing.
fileSystems."/persist".neededForBoot = true;
fileSystems."/var/log".neededForBoot = true;
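# GRUB on BIOS/GPT with an encrypted /boot: GRUB unlocks the LUKS container
# with the passphrase, then stage 1 opens it again with the key file that
# the disko postCreateHook enrolled at install time, so there is only one
# passphrase prompt per boot.
boot = {
  loader.grub = {
    enable = true;
    # Required: /boot is a btrfs subvolume inside the LUKS container.
    enableCryptodisk = true;
  };

  initrd = {
    # Appended to the initrd at activation time. The initrd itself lives on
    # the encrypted /boot, so the key never lands on an unencrypted filesystem.
    # NOTE(review): boot.initrd.secrets is only honoured by the scripted
    # (non-systemd) stage 1 — confirm boot.initrd.systemd.enable is not set
    # elsewhere in the configuration.
    secrets."/luks.bin" = "/boot/luks.bin";
    luks.devices.crypt = {
      device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
      keyFile = "/luks.bin";
    };

    # Impermanence: on every boot discard the previous "root" subvolume and
    # restore the read-only "blank" snapshot taken at install time. mkBefore
    # places this ahead of the default postDeviceCommands that mount "/".
    postDeviceCommands = lib.mkBefore ''
      btrfs="$(mktemp -d)"
      mount -o subvol=/ /dev/mapper/crypt "$btrfs"
      # The trap previously expanded $btrfs_root, which is never set in this
      # script, so umount got no argument and the following rm -rf could have
      # recursed into the still-mounted btrfs top level. Quote the real
      # variable and use rmdir so a failed umount can never delete data.
      trap 'umount "$btrfs"; rmdir "$btrfs"' EXIT
      # Subvolumes nested under root/ (created at runtime) block deletion of
      # their parent, so delete them first. The 9th space-separated field of
      # `btrfs subvolume list` is the subvolume path relative to the fs root.
      btrfs subvolume list -o "$btrfs/root" \
        | cut -f9 -d' ' \
        | while read subvolume; do
            btrfs subvolume delete "$btrfs/$subvolume"
          done \
        && btrfs subvolume delete "$btrfs/root"
      btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
    '';
  };
};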
# Impermanence: /var/lib/nixos (where NixOS keeps its own state, notably the
# stable uid/gid assignments) is bind-mounted from /persist so it survives
# the root wipe in boot.initrd.postDeviceCommands. hideMounts keeps the bind
# mounts out of `mount`/`df` output.
# NOTE(review): nothing else is persisted here. If sshd or anything that
# relies on a stable /etc/machine-id is enabled elsewhere, host keys and the
# machine id will be regenerated on every boot unless they are added to this
# list — confirm against the rest of the configuration.
environment.persistence."/persist" = {
  hideMounts = true;
  directories = [
    { directory = "/var/lib/nixos"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
  ];
};
}