
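{lib, ...}: let
  # Mount options shared by every regular btrfs subvolume below.
  btrfsMountOptions = [
    "compress=zstd"
    "noatime"
  ];
in {
  imports = with lib.nixosModules; [
    disko
    impermanence
  ];

  # Single-disk layout: a 1 MiB BIOS boot partition plus one LUKS container
  # filling the rest of the disk.  The container is LUKS1 because GRUB's
  # cryptodisk support is what unlocks it at boot.  Inside it a btrfs
  # filesystem is split into subvolumes; "/root" is rolled back to the
  # read-only "blank" snapshot on every boot (see boot.initrd.postDeviceCommands),
  # and anything that must survive a reboot is kept under "/persist".
  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        # BIOS boot partition (GPT type EF02) for GRUB's core image.
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            # GRUB can only open LUKS1 containers.
            extraFormatArgs = ["--type luks1"];
            content = {
              type = "btrfs";
              # Runs once, right after the filesystem has been created:
              #  1. take a read-only snapshot ("blank") of the empty root
              #     subvolume that every boot is reset to;
              #  2. generate a random key file inside the /boot subvolume (which
              #     lives inside the encrypted container) and enrol it as an
              #     additional LUKS key, so the initrd can reopen the container
              #     without a second passphrase prompt after GRUB has unlocked it.
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                # rmdir rather than rm -rf: should the umount above have failed,
                # this must not recurse into the still-mounted filesystem.
                rmdir "$btrfs"

                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4
                # Key material is root-only, even though /boot itself sits inside
                # the encrypted container and is world-readable once mounted.
                chmod 0400 "$boot/luks.bin"
                cryptsetup luksAddKey \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rmdir "$boot"
              '';
              subvolumes = {
                "/root" = {
                  mountpoint = "/";
                  mountOptions = btrfsMountOptions;
                };
                "/boot" = {
                  mountpoint = "/boot";
                  mountOptions = btrfsMountOptions;
                };
                "/home" = {
                  mountpoint = "/home";
                  mountOptions = btrfsMountOptions;
                };
                "/nix" = {
                  mountpoint = "/nix";
                  mountOptions = btrfsMountOptions;
                };
                "/persist" = {
                  mountpoint = "/persist";
                  mountOptions = btrfsMountOptions;
                };
                "/log" = {
                  mountpoint = "/var/log";
                  mountOptions = btrfsMountOptions;
                };
                # Dedicated subvolume for the swap file; disko creates the file.
                "/swap" = {
                  mountpoint = "/.swap";
                  swap.swapfile.size = "4G";
                };
              };
            };
          };
        };
      };
    };
  };

  # Both must be available in stage 1: /persist holds the impermanence
  # bind-mount sources and /var/log is needed before switch-root.
  fileSystems = {
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
  };

  boot = {
    loader = {
      grub = {
        enable = true;
        # Lets GRUB read the kernel/initrd out of the LUKS1 container.
        enableCryptodisk = true;
      };
    };
    initrd = {
      # The key file enrolled in postCreateHook is embedded into the initrd
      # (which itself lives on the encrypted /boot) and used to open "crypt".
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      # Reset "/root" to the pristine "blank" snapshot before stage 1 mounts it.
      # Nested subvolumes have to be deleted first; `btrfs subvolume list -o`
      # prints "ID .. gen .. top level .. path <path>", so field 9 is the path.
      # Cleanup is done explicitly at the end instead of via `trap ... EXIT`:
      # the previous trap referenced an unset "$btrfs_root" and then ran
      # `rm -rf` on the mount point, which could recurse into the mounted
      # filesystem if the umount had not happened.
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"
        btrfs subvolume list -o "$btrfs/root" \
          | cut -f9 -d' ' \
          | while read subvolume; do
              btrfs subvolume delete "$btrfs/$subvolume"
            done \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
        umount "$btrfs"
        rmdir "$btrfs"
      '';
    };
  };

  # State that must survive the per-boot root reset.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      {
        directory = "/var/lib/nixos";
        user = "root";
        group = "root";
        mode = "u=rwx,g=rx,o=rx";
      }
    ];
  };
}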