LUKS memory option; keyboard layout; docs

2024-11-20 21:58:06 +01:00 · 2023-11-03 12:59:04 +01:00 · 2023-11-03 12:59:04 +01:00 · 7b2cbe33bb
commit 7b2cbe33bb
parent 65468de8dc
3 changed files with 25 additions and 4 deletions
--- a/template/README.md
+++ b/template/README.md
@ -22,7 +22,7 @@ ls result/iso/*.iso

 ## Hardware Configuration

-Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected via SSH:
+Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected as root via SSH:

 ```shell
 nixos-generate-config --no-filesystems --root /mnt
@ -33,6 +33,14 @@ Save the output to a new file in [./hardware-configs/](./hardware-configs/). In

 Note: The hardware configuration should not contain any `fileSystems.<name>` options as these are generated based on your disko configuration.

+---
+
+Furthermore, in [./flake.nix](./flake.nix) replace `disko.devices.disk.disk1.device` with the id of your target block device.
+
+---
+
+Lastly, in [./flake.nix](./flake.nix) replace `pbkdf-memory` with your amount of RAM - 500 MB.
+
 ## Installation

 To run the interactive vm test run:
--- a/template/disk-configs/luks-btrfs.nix
+++ b/template/disk-configs/luks-btrfs.nix
@ -8,7 +8,7 @@
 #   https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
 #     Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.

-{ lib, ... }: {
+{ pbkdf-memory, ... }: { lib, ... }: {
  disko.devices.disk = {
    "disk1" = {
      type = "disk";
@ -40,7 +40,7 @@
              # - 5 seconds to open
              extraFormatArgs = [
               "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512"
-               "--pbkdf-memory" "4000000" "--iter-time" "5000" "--use-random"
+               "--pbkdf-memory" pbkdf-memory "--iter-time" "5000" "--use-random"
              ];
              extraOpenArgs = [ "--allow-discards" ];
              # If you want to use the key for interactive login be sure there is no trailing newline.
--- a/template/flake.nix
+++ b/template/flake.nix
@ -25,9 +25,20 @@
        ./hardware-configs/yodaHP.nix

        # Select disko disk layout configuration.
+        #
+        # The way we import the luks-btrfs disk layout and pass an argument is not ideal,
+        # but keeps this config file shorter. A batter way is to expose options:
+        # https://discourse.nixos.org/t/passing-parameters-into-import/34082/4
+        #
        #./disk-configs/simple-efi.nix
-        ./disk-configs/luks-btrfs.nix
        #./disk-configs/luks-lvm.nix
+        (import ./disk-configs/luks-btrfs.nix {
+          # Memory in bytes required to unlock the LUKS partition while booting.
+          # The default value is 1 GB (1000000).
+          # Set this as high as possible, but leave some buffer (e.g. 500 MB).
+          # Example: If you have 4 GB memory, set this to 3500000.
+          pbkdf-memory = 4000000;
+        })

        # Change device name match your block device.
        # Running `lsblk` on the target machine can help you here.
@ -53,6 +64,8 @@
            (builtins.readFile ./nitrokey.pub)
          ];

+          console.keyMap = "de-latin1-nodeadkeys";
+
          system.stateVersion = "23.05";
        }
      ];