diff --git a/common/encrypted-btrfs-layout.nix b/common/encrypted-btrfs-layout.nix
new file mode 100644
index 0000000..844dd38
--- /dev/null
+++ b/common/encrypted-btrfs-layout.nix
@@ -0,0 +1,93 @@
+{ lib, config, ... }:
+
+let
+ cfg = config.diskLayout;
+in
+{
+ options.diskLayout = {
+ mainDiskDevice = lib.mkOption {
+ type = lib.types.str;
+ description = "The device ID for the main disk";
+ };
+ keyDiskDevice = lib.mkOption {
+ type = lib.types.str;
+ description = "The device ID for the key disk";
+ };
+ };
+
+ config = {
+ disko.devices = {
+ disk.main = {
+ device = cfg.mainDiskDevice;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ luksroot = {
+ end = "-8G";
+ content = {
+ type = "luks";
+ name = "luksroot";
+ settings = {
+ allowDiscards = true;
+ keyFile = cfg.keyDiskDevice;
+ keyFileSize = 4096;
+ };
+ content = {
+ type = "btrfs";
+ subvolumes = {
+ "root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ swap = {
+ size = "8G";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/chilly/default.nix b/hosts/chilly/default.nix
index 7e42575..e24bf77 100644
--- a/hosts/chilly/default.nix
+++ b/hosts/chilly/default.nix
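Review bot: The swap size is written twice in the new module — `end = "-8G";` on the luksroot partition and `size = "8G";` on the swap partition — with nothing tying them together, so editing one without the other could leave the swap partition not fitting or space at the end of the disk unused. Hoisting it into the existing `let` block as `swapSize = "8G";` and using `end = "-${swapSize}";` and `size = swapSize;` keeps the two in step. The `keyDiskDevice` description should also say how the value is consumed: it is passed verbatim as the LUKS `keyFile`, and with `keyFileSize = 4096` only the first 4096 bytes of that device are read as the key (matching the `dd bs=4096 count=1` step in setup-host.txt), so something like `"Block device whose first 4096 bytes are the LUKS key; prefer a stable /dev/disk/by-id path"` would tell a caller what to put there. Likewise `mainDiskDevice` is used as the disko `device`, so "device ID" could be stated as "device path" in both descriptions.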
@@ -3,10 +3,16 @@
 imports = [
 ../../common/global
 ../../common/base-node.nix
- ./disk-config.nix
+ ../../common/encrypted-btrfs-layout.nix
 ./hardware.nix
 ];
 
+ diskLayout = {
+ mainDiskDevice = "/dev/disk/by-id/ata-FORESEE_512GB_SSD_MP15B03900928";
+ #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777660586-0:0";
+ keyDiskDevice = "/dev/sdb";
+ };
+
 networking.hostName = "chilly";
 services.tailscaleAutoconnect.authkey = "tskey-auth-kRXS9oPyPm11CNTRL-BE6YnbP9J6ZZuV9dHkX17ZMnm1JGdu93";
 services.consul.interface.advertise = lib.mkForce "enp1s0";
diff --git a/hosts/chilly/disk-config.nix b/hosts/chilly/disk-config.nix
deleted file mode 100644
index 4a50b8d..0000000
--- a/hosts/chilly/disk-config.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, ... }:
-{
- disko.devices = {
- disk.main = {
- device = "/dev/disk/by-id/ata-FORESEE_512GB_SSD_MP15B03900928";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- esp = {
- name = "ESP";
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- luksroot = {
- end = "-8G";
- content = {
- type = "luks";
- name = "luksroot";
- settings = {
- allowDiscards = true;
- #keyFile = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777660586-0:0";
- keyFile = "/dev/sdb";
- keyFileSize = 4096;
- };
- content = {
- type = "btrfs";
- subvolumes = {
- "root" = {
- mountpoint = "/";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "nix" = {
- mountpoint = "/nix";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "persist" = {
- mountpoint = "/persist";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "log" = {
- mountpoint = "/var/log";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- };
- };
- };
- };
- swap = {
- size = "8G";
- content = {
- type = "swap";
- randomEncryption = true;
- };
- };
- };
- };
- };
- };
-}
diff --git a/setup-host.txt b/setup-host.txt
index 4eb43ce..0d5d293 100644
--- a/setup-host.txt
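Review bot: `keyDiskDevice = "/dev/sdb";` in the new `diskLayout` block pins the LUKS key source to a kernel enumeration name, which is not stable across boots or when another disk is attached, so the unlock may read its 4096 bytes from the wrong device and fail, while the commented-out `#keyDiskDevice = "/dev/disk/by-id/usb-…";` above it reads as dead code rather than as an explanation. setup-host.txt says the short name is deliberate (a by-id path makes replacing a failed key stick harder), so replace the commented-out value with a comment that states that, e.g. `# Intentionally not a by-id path: see setup-host.txt (lets a failed key stick be swapped)`, or give the stick a udev-assigned symlink so the name is stable without being tied to one serial. The last line of the setup-host.txt hunk still tells the operator to update hosts/disk-config.nix, which this commit deletes; it should point at default.nix like the line the commit already changed. Separately, the context line `services.tailscaleAutoconnect.authkey = "tskey-auth-…"` appears to keep a literal auth key in the repository; it is not introduced here, but it belongs in a secrets mechanism and should be rotated.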
+++ b/setup-host.txt
@@ -6,6 +6,6 @@
 * on target: dd if=/dev/disk/by-id/ of=key.bin bs=4096 count=1
 * copy key.bin to hosts//
 * use the generated config to create new config in hosts/
-* set the actual device IDs in hosts//disk-config.nix
+* set the actual device IDs in hosts//default.nix
 * on base host: nix run github:nix-community/nixos-anywhere -- --flake '.#' nixos@
 * after confirmed working, update hosts/disk-config.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace)