diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix
index 3ea087f..e9b0b47 100644
--- a/nixos/configurations/Tytonidae/default.nix
+++ b/nixos/configurations/Tytonidae/default.nix
@@ -16,6 +16,7 @@
 # Include the hardware related config
 ./hardware-configuration.nix
 ./networking.nix
+ ./disk-config.nix
 ];
 youthlic = {
diff --git a/nixos/configurations/Tytonidae/disk-config.nix b/nixos/configurations/Tytonidae/disk-config.nix
new file mode 100644
index 0000000..0f3efc8
--- /dev/null
+++ b/nixos/configurations/Tytonidae/disk-config.nix
@@ -0,0 +1,133 @@
+{ ... }:
+{
+ disko.devices = {
+ disk = {
+ disk1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "defaults"
+ ];
+ };
+ };
+ crypto1 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypto1";
+ passwordFile = "/tmp/secret.key";
+ settings = {
+ allowDiscards = true;
+ fallbackToPassword = true;
+ # keyFile = "/dev/disk/by-label/LUKS_DECR";
+ # keyFileSize = 512 * 64;
+ # keyFileOffset = 512 * 192;
+ };
+ initrdUnlock = true;
+ extraFormatArgs = [
+ "--type luks2"
+ "--cipher aes-xts-plain64"
+ "--hash sha512"
+ "--iter-time 5000"
+ "--pbkdf argon2id"
+ "--key-size 256"
+ "--use-random"
+ ];
+ extraOpenArgs = [
+ "--timeout 10"
+ ];
+ };
+ };
+ };
+ };
+ };
+ disk2 = {
+ type = "disk";
+ device = "/dev/nvme1n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ crypto2 = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypto2";
+ passwordFile = "/tmp/secret.key";
+ settings = {
+ allowDiscards = true;
+ fallbackToPassword = true;
+ # keyFile = "/dev/disk/by-label/LUKS_DECR";
+ # keyFileSize = 512 * 64;
+ # keyFileOffset = 512 * 192;
+ };
+ initrdUnlock = true;
+ extraFormatArgs = [
+ "--type luks2"
+ "--cipher aes-xts-plain64"
+ "--hash sha512"
+ "--iter-time 5000"
+ "--pbkdf argon2id"
+ "--key-size 256"
+ "--use-random"
+ ];
+ extraOpenArgs = [
+ "--timeout 10"
+ ];
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-f"
+ "-m dup"
+ "-d raid0"
+ "/dev/mapper/crypto1"
+ ];
+ subvolumes = {
+ "@root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@swap" = {
+ mountpoint = "/swap";
+ swap = {
+ swapfile.size = "32G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/configurations/Tytonidae/hardware-configuration.nix b/nixos/configurations/Tytonidae/hardware-configuration.nix
index 6c18642..4e6830d 100644
--- a/nixos/configurations/Tytonidae/hardware-configuration.nix
+++ b/nixos/configurations/Tytonidae/hardware-configuration.nix
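Review bot: `"--key-size 256"` together with `"--cipher aes-xts-plain64"` (in both `extraFormatArgs` lists, for `crypto1` and `crypto2`) gives AES-128, not AES-256, because XTS splits the supplied key into two halves; if 256-bit AES is the intent, change it to `"--key-size 512"`, which is also cryptsetup's LUKS2 default. Both volumes read their passphrase from `passwordFile = "/tmp/secret.key"`, and nothing in this module constrains that file, so I would add a comment next to the option stating that the installer must create it with mode 0600 and shred it once `disko` has run, so the passphrase is not left behind on a persistent install medium. `fallbackToPassword = true` has no effect while the `keyFile` lines stay commented out, and `--use-random` appears to be deprecated and ignored by current cryptsetup releases, so both could probably be dropped to keep the format arguments honest. Separately, the `@swap` swapfile lives on a filesystem created with `-d raid0` over two devices; as far as I know the kernel refuses to activate a btrfs swapfile whose data is not in the `single` profile on one device, so this swap is likely to fail on first boot and should be verified.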
@@ -1,57 +1,24 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "thunderbolt" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "/dev/disk/by-uuid/b638dbc9-8945-482d-9d10-193271d3df98"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/A779-6930"; - fsType = "vfat"; - options = [ - "fmask=0077" - "dmask=0077" - ]; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/7f7e95f2-8f2a-4998-bd71-01466e8ecc98"; } - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; # networking.interfaces.eno2.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s13f0u1u1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;