mirror of
https://codeberg.org/privacy1st/nixos-anywhere-example
synced 2024-12-23 02:36:05 +01:00
add LUKS BTRFS disko config
This commit is contained in:
parent
d55f0082f8
commit
c5d85e4b4a
58
template/disk-configs/luks-btrfs.nix
Normal file
58
template/disk-configs/luks-btrfs.nix
Normal file
@ -0,0 +1,58 @@
|
||||
# Example taken form https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
|
||||
|
||||
# cryptsetup luksOpen --allow-discards
|
||||
#
|
||||
# https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Dm-crypt_on_SSDs_and_hybrid_drives
|
||||
# Cryptsetup can transparently forward discard operations to an SSD. This feature is activated by using the --allow-discards option in combination with cryptsetup open. Enabling discards on an encrypted SSD can be a measure to ensure effective wear leveling and longevity, especially if the full disk is encrypted. For an in detail discussion about the security implications, have a look at the cryptsetup FAQ and the man page of cryptsetup.
|
||||
#
|
||||
# https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
|
||||
# Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.
|
||||
|
||||
{ lib, ... }: {
|
||||
disko.devices.disk = {
|
||||
"disk1" = {
|
||||
type = "disk";
|
||||
device = lib.mkDefault "/dev/nvme0n1";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
label = "EFI";
|
||||
name = "ESP";
|
||||
size = "512M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = [
|
||||
"defaults"
|
||||
];
|
||||
};
|
||||
};
|
||||
LUKS = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "crypted";
|
||||
extraOpenArgs = [ "--allow-discards" ];
|
||||
# If you want to use the key for interactive login be sure there is no trailing newline.
|
||||
# For example use `echo -n 'password' > /tmp/secret.key`
|
||||
passwordFile = "/tmp/secret.key"; # Interactive login.
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = [ "-f" ];
|
||||
subvolumes = {
|
||||
"/@" = {
|
||||
mountpoint = "/";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -1,9 +1,9 @@
|
||||
{
|
||||
{ lib, ... }: {
|
||||
disko.devices = {
|
||||
disk = {
|
||||
disk1 = {
|
||||
type = "disk";
|
||||
device = "/dev/sda";
|
||||
device = lib.mkDefault "/dev/nvme0n1";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
@ -22,8 +22,8 @@
|
||||
type = "luks";
|
||||
name = "crypted";
|
||||
extraOpenArgs = [ "--allow-discards" ];
|
||||
# if you want to use the key for interactive login be sure there is no trailing newline
|
||||
# for example use `echo -n "password" > /tmp/secret.key`
|
||||
# If you want to use the key for interactive login be sure there is no trailing newline.
|
||||
# For example use `echo -n 'password' > /tmp/secret.key`
|
||||
settings.keyFile = "/tmp/secret.key";
|
||||
content = {
|
||||
type = "lvm_pv";
|
||||
|
Loading…
Reference in New Issue
Block a user