LUKS memory option; keyboard layout; docs

template/README.md

@@ -22,7 +22,7 @@ ls result/iso/*.iso
 
 ## Hardware Configuration
 
-Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected via SSH:
+Boot the target machine into NixOS live ISO. Then execute the following, ideally while connected as root via SSH:
 
 ```shell
 nixos-generate-config --no-filesystems --root /mnt
@@ -33,6 +33,14 @@ Save the output to a new file in [./hardware-configs/](./hardware-configs/). In
 
 Note: The hardware configuration should not contain any `fileSystems.<name>` options as these are generated based on your disko configuration.
 
+---
+
+Furthermore, in [./flake.nix](./flake.nix) replace `disko.devices.disk.disk1.device` with the id of your target block device.
+
+---
+
+Lastly, in [./flake.nix](./flake.nix) replace `pbkdf-memory` with your amount of RAM - 500 MB.
+
 ## Installation
 
 To run the interactive vm test run:

template/disk-configs/luks-btrfs.nix

@@ -8,7 +8,7 @@
 #   https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
 #     Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.
 
-{ lib, ... }: {
+{ pbkdf-memory, ... }: { lib, ... }: {
   disko.devices.disk = {
     "disk1" = {
       type = "disk";
@@ -40,7 +40,7 @@
               # - 5 seconds to open
               extraFormatArgs = [
                "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512"
-               "--pbkdf-memory" "4000000" "--iter-time" "5000" "--use-random"
+               "--pbkdf-memory" pbkdf-memory "--iter-time" "5000" "--use-random"
               ];
               extraOpenArgs = [ "--allow-discards" ];
               # If you want to use the key for interactive login be sure there is no trailing newline.

template/flake.nix

@@ -25,9 +25,20 @@
         ./hardware-configs/yodaHP.nix
 
         # Select disko disk layout configuration.
+        #
+        # The way we import the luks-btrfs disk layout and pass an argument is not ideal,
+        # but keeps this config file shorter. A batter way is to expose options:
+        # https://discourse.nixos.org/t/passing-parameters-into-import/34082/4
+        #
         #./disk-configs/simple-efi.nix
-        ./disk-configs/luks-btrfs.nix
         #./disk-configs/luks-lvm.nix
+        (import ./disk-configs/luks-btrfs.nix {
+          # Memory in bytes required to unlock the LUKS partition while booting.
+          # The default value is 1 GB (1000000).
+          # Set this as high as possible, but leave some buffer (e.g. 500 MB).
+          # Example: If you have 4 GB memory, set this to 3500000.
+          pbkdf-memory = 4000000;
+        })
 
         # Change device name match your block device.
         # Running `lsblk` on the target machine can help you here.
@@ -53,6 +64,8 @@
             (builtins.readFile ./nitrokey.pub)
           ];
 
+          console.keyMap = "de-latin1-nodeadkeys";
+
           system.stateVersion = "23.05";
         }
       ];