diff --git a/template/README.md b/template/README.md
index cc35075..b1e23f7 100644
--- a/template/README.md
+++ b/template/README.md
@@ -22,7 +22,7 @@ ls result/iso/*.iso
 
 ## Hardware Configuration
 
-Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected via SSH:
+Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected as root via SSH:
 
 ```shell
 nixos-generate-config --no-filesystems --root /mnt
@@ -33,6 +33,14 @@ Save the output to a new file in [./hardware-configs/](./hardware-configs/). In
 
 Note: The hardware configuration should not contain any `fileSystems.` options as these are generated based on your disko configuration.
 
+---
+
+Furthermore, in [./flake.nix](./flake.nix) replace `disko.devices.disk.disk1.device` with the id of your target block device.
+
+---
+
+Lastly, in [./flake.nix](./flake.nix) replace `pbkdf-memory` with your amount of RAM - 500 MB.
+
 ## Installation
 
 To run the interactive vm test run:
diff --git a/template/disk-configs/luks-btrfs.nix b/template/disk-configs/luks-btrfs.nix
index 3c9c020..5de4dea 100644
--- a/template/disk-configs/luks-btrfs.nix
+++ b/template/disk-configs/luks-btrfs.nix
@@ -8,7 +8,7 @@
 # https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
 # Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.
 
-{ lib, ... }: {
+{ pbkdf-memory, ... }: { lib, ... }: {
   disko.devices.disk = {
     "disk1" = {
       type = "disk";
@@ -40,7 +40,7 @@
           # - 5 seconds to open
           extraFormatArgs = [
             "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512"
-            "--pbkdf-memory" "4000000" "--iter-time" "5000" "--use-random"
+            "--pbkdf-memory" pbkdf-memory "--iter-time" "5000" "--use-random"
           ];
           extraOpenArgs = [ "--allow-discards" ];
           # If you want to use the key for interactive login be sure there is no trailing newline.
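Review bot: `"--pbkdf-memory" pbkdf-memory` in the `@@ -40,7 +40,7 @@` hunk drops the argument into `extraFormatArgs` unconverted, while the caller in flake.nix passes the integer `4000000` rather than the string the old line carried; if disko types `extraFormatArgs` as a list of strings, as it appears to, evaluation fails with a type error, and even if it did not, the rendering of a non-string element into the cryptsetup command line would be up to disko. Coerce at the use site, `"--pbkdf-memory" (toString pbkdf-memory) "--iter-time" "5000" "--use-random"`, or state in a comment on the new `{ pbkdf-memory, ... }:` parameter that a string is expected. The parameter also deserves a comment on its semantics, since cryptsetup reads `--pbkdf-memory` in KiB and the resulting Argon2 memory cost is recorded in the LUKS2 header for the lifetime of the keyslot: `# Argon2 memory cost in KiB for luksFormat; fixed in the LUKS2 header, so it must fit in the initrd's RAM on every machine that unlocks this disk.` The `disko.devices.disk` attribute set continues past both hunks.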
diff --git a/template/flake.nix b/template/flake.nix
index 305381e..8dba85c 100644
--- a/template/flake.nix
+++ b/template/flake.nix
@@ -25,9 +25,20 @@
         ./hardware-configs/yodaHP.nix
 
         # Select disko disk layout configuration.
+        #
+        # The way we import the luks-btrfs disk layout and pass an argument is not ideal,
+        # but keeps this config file shorter. A batter way is to expose options:
+        # https://discourse.nixos.org/t/passing-parameters-into-import/34082/4
+        #
         #./disk-configs/simple-efi.nix
-        ./disk-configs/luks-btrfs.nix
         #./disk-configs/luks-lvm.nix
+        (import ./disk-configs/luks-btrfs.nix {
+          # Memory in bytes required to unlock the LUKS partition while booting.
+          # The default value is 1 GB (1000000).
+          # Set this as high as possible, but leave some buffer (e.g. 500 MB).
+          # Example: If you have 4 GB memory, set this to 3500000.
+          pbkdf-memory = 4000000;
+        })
 
         # Change device name match your block device.
         # Running `lsblk` on the target machine can help you here.
@@ -53,6 +64,8 @@
           (builtins.readFile ./nitrokey.pub)
         ];
 
+        console.keyMap = "de-latin1-nodeadkeys";
+
         system.stateVersion = "23.05";
       }
     ];
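Review bot: The comment block above `pbkdf-memory = 4000000;` in the `@@ -25,9 +25,20 @@` hunk states the wrong unit: cryptsetup interprets `--pbkdf-memory` in kibibytes, so `4000000` is roughly 4 GiB, and "1 GB (1000000)" is consistent with neither bytes nor KiB. Reword the first two lines to `# Argon2 memory cost in KiB passed to cryptsetup --pbkdf-memory (4000000 ≈ 4 GiB).` and `# The value is fixed in the LUKS2 header at format time and must be allocatable by the initrd on every boot.`, and keep the "leave some buffer" advice, since a cost larger than the boot-time RAM makes the volume impossible to unlock rather than merely slow. The value is also passed as a Nix integer while the previous hard-coded argument in luks-btrfs.nix was the string `"4000000"`; either quote it here or convert it in the disk config so `extraFormatArgs` stays a list of strings. The new comment on line `# but keeps this config file shorter. A batter way is to expose options:` should read "better". The enclosing `modules` list continues outside both hunks.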