nixos-anywhere-example/template/disk-configs/luks-btrfs.nix

# Example taken form https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix

# cryptsetup luksOpen --allow-discards
#
#   https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Dm-crypt_on_SSDs_and_hybrid_drives
#     Cryptsetup can transparently forward discard operations to an SSD. This feature is activated by using the --allow-discards option in combination with cryptsetup open. Enabling discards on an encrypted SSD can be a measure to ensure effective wear leveling and longevity, especially if the full disk is encrypted. For an in detail discussion about the security implications, have a look at the cryptsetup FAQ and the man page of cryptsetup.
#
#   https://man.archlinux.org/man/cryptsetup-luksOpen.8.en
#     Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device.

{ pbkdf-memory, ... }: { lib, ... }: {
  disko.devices.disk = {
    "disk1" = {
      type = "disk";
      device = lib.mkDefault "/dev/nvme0n1";
      content = {
        type = "gpt";
        partitions = {
          ESP = {
            label = "EFI";
            name = "ESP";
            size = "512M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [
                "defaults"
              ];
            };
          };
          LUKS = {
            size = "100%";
            content = {
              type = "luks";
              name = "luks-root";
              # Additional arguments passed to luksFormat:
              # - 4GB RAM to unlock disk
              # - 5 seconds to open
              extraFormatArgs = [
               "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512"
               "--pbkdf-memory" pbkdf-memory "--iter-time" "7500" "--use-random"
              ];
              extraOpenArgs = [ "--allow-discards" ];
              # If you want to use the key for interactive login be sure there is no trailing newline.
              # For example use `echo -n 'password' > /tmp/secret.key`
              passwordFile = "/tmp/secret.key"; # Interactive login.
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ];
                subvolumes = {
                  "/@" = {
                    mountpoint = "/";
                    mountOptions = [ "compress=zstd" "noatime" ];
                  };
                };
              };
            };
          };
        };
      };
    };
  };
}