Disk encryption

This commit is contained in:
Daniel Ziltener 2024-07-04 14:24:58 +02:00
parent 2c00610f61
commit 8b94d9c55a
2 changed files with 70 additions and 46 deletions


@ -7,6 +7,7 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./bevuta-config/bevuta.nix
./hardware-configuration.nix ./hardware-configuration.nix
"${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix" "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
./disko-config.nix ./disko-config.nix
@ -16,7 +17,24 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "ziltis-desktop"; # Define your hostname. boot.initrd.luks.devices."root".preLVM = lib.mkForce false;
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
systemd.enable = true;
luks.devices."crypted" = {
preLVM = lib.mkForce false;
crypttabExtraOpts = [ "fido2-device=auto" ];
device = "/dev/nvme0n1p2";
};
};
};
#networking.hostName = "ziltis-desktop"; # Define your hostname.
# Pick only one of the below networking options. # Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
@ -38,15 +56,20 @@
# Enable the X11 windowing system. # Enable the X11 windowing system.
# services.xserver.enable = true; # services.xserver.enable = true;
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign;e,caps:escape";
libinput.enable = true;
displayManager = {
sddm.enable = true;
};
};
programs.hyprland.enable = true; programs.hyprland.enable = true;
services.flatpak.enable = true; services.flatpak.enable = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Configure keymap in X11
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e,caps:escape";
# Enable CUPS to print documents. # Enable CUPS to print documents.
# services.printing.enable = true; # services.printing.enable = true;
@ -64,12 +87,6 @@
#jack.enable = true; #jack.enable = true;
}; };
# Enable touchpad support (enabled default in most desktopManager).
services.xserver.enable = true;
services.xserver.libinput.enable = true;
services.xserver.displayManager.sddm.enable = true;
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
# users.users.alice = { # users.users.alice = {
# isNormalUser = true; # isNormalUser = true;
@ -100,16 +117,16 @@
libvirtd = { libvirtd = {
enable = true; enable = true;
}; };
podman = { # podman = {
enable = true; # enable = true;
dockerCompat = true; # dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; # defaultNetwork.settings.dns_enabled = true;
}; # };
containers.storage.settings = { # containers.storage.settings = {
storage = { # storage = {
driver = "btrfs"; # driver = "btrfs";
}; # };
}; # };
}; };
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
@ -139,12 +156,12 @@
# Or disable the firewall altogether. # Or disable the firewall altogether.
# networking.firewall.enable = false; # networking.firewall.enable = false;
networking.extraHosts = '' # networking.extraHosts = ''
127.0.0.1 l.redsky.io # 127.0.0.1 l.redsky.io
::1 l.redsky.io # ::1 l.redsky.io
''; # '';
security.pam.services.swaylock = {}; # security.pam.services.swaylock = {};
services.btrfs = { services.btrfs = {
autoScrub = { autoScrub = {
@ -165,7 +182,7 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment? system.stateVersion = "24.05"; # Did you read the comment?
} }
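Review bot: The new line `boot.initrd.luks.devices."root".preLVM = lib.mkForce false;` near the top of the second hunk (the right-hand column, as far as the rendering shows) declares a LUKS device named "root" that never gets a `device` path, while disko-config.nix and the `initrd.luks.devices."crypted"` block a few lines below both use the name "crypted"; `device` has no default in that submodule, so evaluation will most likely fail on the stray entry, and the line should simply be dropped. `boot.loader.systemd-boot.enable` and `boot.loader.efi.canTouchEfiVariables` are now set twice, once at the top of the hunk and again inside the new `boot = { loader = { … } }` block; equal booleans merge, but one copy is noise and should go. With `crypttabExtraOpts = [ "fido2-device=auto" ]` as the only unlock method mentioned, it is worth a comment stating that a passphrase keyslot is kept as recovery (`# fido2 token is the primary unlock; passphrase slot retained for recovery`), since a lost or broken token otherwise leaves the root volume unrecoverable. Further down, `security.pam.services.swaylock = {};` is commented out while Hyprland stays enabled; if swaylock is still the screen locker it needs that PAM service to authenticate, so the lock screen would no longer unlock — confirm which locker is in use before leaving it disabled.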


@ -19,27 +19,34 @@
mountpoint = "/boot"; mountpoint = "/boot";
}; };
}; };
root = { luks = {
size = "100%"; size = "100%";
content = { content = {
type = "btrfs"; type = "luks";
extraArgs = [ "-f" ]; name = "crypted";
subvolumes = { settings = {
"/rootfs" = { allowDiscards = true;
mountOptions = [ "compress=zstd" ]; };
mountpoint = "/"; content = {
}; type = "btrfs";
"/home" = { extraArgs = [ "-f" ];
mountOptions = [ "compress=zstd" ]; subvolumes = {
mountpoint = "/home"; "/rootfs" = {
}; mountOptions = [ "compress=zstd" "noatime" ];
"/nix" = { mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ]; };
mountpoint = "/nix"; "/home" = {
}; mountOptions = [ "compress=zstd" "noatime" ];
"/swap" = { mountpoint = "/home";
mountOptions = [ "subvol=swap" ]; };
mountpoint = "/swap"; "/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "subvol=swap" ];
mountpoint = "/swap";
};
}; };
}; };
}; };
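Review bot: The new `settings = { allowDiscards = true; };` on the luks content carries an undocumented trade-off: passing TRIM through the dm-crypt layer reveals which blocks of the encrypted device are unused (and, over time, filesystem usage patterns) to anyone who reads the raw disk. That is a common and often acceptable choice for SSD longevity, but the reason should be recorded next to the option, e.g. `# TRIM passthrough: leaks free-space layout of the encrypted volume; accepted for SSD health`. The luks content also sets no `passwordFile`/`keyFile` here, so unlocking is interactive at install time as well — fine if intended, but worth a one-line note for whoever re-runs disko. The enclosing `disk` attribute set starts before line 19 and continues past the end of this hunk.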