From c5d85e4b4a06fde2ac9a333b7b24e652d3ca6ddb Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Mon, 16 Oct 2023 18:30:32 +0200
Subject: [PATCH] add LUKS BTRFS disko config
---
 template/disk-configs/luks-btrfs.nix | 58 ++++++++++++++++++++++++++++
 template/disk-configs/luks-lvm.nix | 8 ++--
 2 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 template/disk-configs/luks-btrfs.nix
diff --git a/template/disk-configs/luks-btrfs.nix b/template/disk-configs/luks-btrfs.nix
new file mode 100644
index 0000000..0da314f
--- /dev/null
+++ b/template/disk-configs/luks-btrfs.nix
@@ -0,0 +1,58 @@
+# Example taken form https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
+
+# cryptsetup luksOpen --allow-discards
+#
+# https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Dm-crypt_on_SSDs_and_hybrid_drives
+# Cryptsetup can transparently forward discard operations to an SSD. This feature is activated by using the --allow-discards option in combination with cryptsetup open. Enabling discards on an encrypted SSD can be a measure to ensure effective wear leveling and longevity, especially if the full disk is encrypted. For an in detail discussion about the security implications, have a look at the cryptsetup FAQ and the man page of cryptsetup.
+#
+# https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
+# Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.
+
+{ lib, ... }: {
+ disko.devices.disk = {
+ "disk1" = {
+ type = "disk";
+ device = lib.mkDefault "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "EFI";
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ LUKS = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ "--allow-discards" ];
+ # If you want to use the key for interactive login be sure there is no trailing newline.
+ # For example use `echo -n 'password' > /tmp/secret.key`
+ passwordFile = "/tmp/secret.key"; # Interactive login.
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/@" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/template/disk-configs/luks-lvm.nix b/template/disk-configs/luks-lvm.nix
index af08719..33957d1 100644
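Review bot: `passwordFile = "/tmp/secret.key"` reads the LUKS passphrase from a world-shared temp directory, and the new file says nothing about how that file is created or removed; the comment above it should state that the file must be created with restrictive permissions (`umask 077` before the `echo -n` it shows) and deleted after the install, since as far as I can tell from disko's luks type it is only consumed while formatting and opening the device. `device = lib.mkDefault "/dev/nvme0n1"` is a destructive default — disko formats whatever device currently carries that name, and nvme enumeration order is not guaranteed stable — and the same default is introduced in luks-lvm.nix in this commit, so a comment such as `# Override with a stable /dev/disk/by-id/... path before running disko` belongs next to both. Minor: `taken form` on the first line should be `taken from`.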
--- a/template/disk-configs/luks-lvm.nix
+++ b/template/disk-configs/luks-lvm.nix
@@ -1,9 +1,9 @@
-{
+{ lib, ... }: {
 disko.devices = {
 disk = {
 disk1 = {
 type = "disk";
- device = "/dev/sda";
+ device = lib.mkDefault "/dev/nvme0n1";
 content = {
 type = "gpt";
 partitions = {
@@ -22,8 +22,8 @@
 type = "luks";
 name = "crypted";
 extraOpenArgs = [ "--allow-discards" ];
- # if you want to use the key for interactive login be sure there is no trailing newline
- # for example use `echo -n "password" > /tmp/secret.key`
+ # If you want to use the key for interactive login be sure there is no trailing newline.
+ # For example use `echo -n 'password' > /tmp/secret.key`
 settings.keyFile = "/tmp/secret.key";
 content = {
 type = "lvm_pv";
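Review bot: The rewritten comment in the second hunk (`@@ -22,8 +22,8 @@`) describes the key as the one used "for interactive login", but the option it annotates is `settings.keyFile`, whereas the btrfs template added in this commit uses `passwordFile` for the same purpose; if I read disko's luks type correctly, `settings` is passed through to the initrd's luks device configuration, so this file would make the initrd look for `/tmp/secret.key` at boot rather than feed the passphrase to cryptsetup at install time. Either switch this file to `passwordFile = "/tmp/secret.key";` to match luks-btrfs.nix, or add a comment stating that a boot-time key file is intended so the two templates do not silently diverge. The enclosing attribute set continues past both hunks.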