Disk encryption

Daniel Ziltener 2024-07-04 14:24:58 +02:00
parent 2c00610f61
commit 8b94d9c55a
2 changed files with 70 additions and 46 deletions


@ -7,6 +7,7 @@
{
imports =
[ # Include the results of the hardware scan.
./bevuta-config/bevuta.nix
./hardware-configuration.nix
"${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
./disko-config.nix
@ -16,7 +17,24 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "ziltis-desktop"; # Define your hostname.
boot.initrd.luks.devices."root".preLVM = lib.mkForce false;
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
systemd.enable = true;
luks.devices."crypted" = {
preLVM = lib.mkForce false;
crypttabExtraOpts = [ "fido2-device=auto" ];
device = "/dev/nvme0n1p2";
};
};
};
#networking.hostName = "ziltis-desktop"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
@ -38,15 +56,20 @@
# Enable the X11 windowing system.
# services.xserver.enable = true;
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign;e,caps:escape";
libinput.enable = true;
displayManager = {
sddm.enable = true;
};
};
programs.hyprland.enable = true;
services.flatpak.enable = true;
nixpkgs.config.allowUnfree = true;
# Configure keymap in X11
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
@ -64,12 +87,6 @@
#jack.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
services.xserver.enable = true;
services.xserver.libinput.enable = true;
services.xserver.displayManager.sddm.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.alice = {
# isNormalUser = true;
@ -100,16 +117,16 @@
libvirtd = {
enable = true;
};
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
containers.storage.settings = {
storage = {
driver = "btrfs";
};
};
# podman = {
# enable = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
# };
# containers.storage.settings = {
# storage = {
# driver = "btrfs";
# };
# };
};
# Some programs need SUID wrappers, can be configured further or are
@ -139,12 +156,12 @@
# Or disable the firewall altogether.
# networking.firewall.enable = false;
networking.extraHosts = ''
127.0.0.1 l.redsky.io
::1 l.redsky.io
'';
# networking.extraHosts = ''
# 127.0.0.1 l.redsky.io
# ::1 l.redsky.io
# '';
security.pam.services.swaylock = {};
# security.pam.services.swaylock = {};
services.btrfs = {
autoScrub = {
@ -165,7 +182,7 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
system.stateVersion = "24.05"; # Did you read the comment?
}
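Review bot: The new `boot.initrd.luks.devices."crypted"` entry hardcodes the kernel name `device = "/dev/nvme0n1p2"`, which can change when NVMe enumeration order shifts and, as far as I can tell, may also collide with the device value disko derives for the same `crypted` mapping from disko-config.nix (Nix would then report conflicting definitions); prefer a stable path such as `device = "/dev/disk/by-partlabel/<label disko assigns>";` or drop the line if disko already provides it. `crypttabExtraOpts = [ "fido2-device=auto" ]` makes the initrd unlock depend on a token being present and nothing in this hunk shows a passphrase fallback, so it is worth confirming a recovery slot stays enrolled before relying on it. The same setup still pulls the disko module from an unpinned `master.tar.gz` with no `sha256`, meaning the partitioning and encryption code executed at install time is whatever GitHub serves at evaluation time; pinning a commit and hash is cheap hardening. In the later hunk, `xkbOptions = "eurosign;e,caps:escape"` uses `;` where the removed line had `eurosign:e`, which looks like a typo that XKB will not parse as intended.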


@ -19,18 +19,24 @@
mountpoint = "/boot";
};
};
root = {
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
settings = {
allowDiscards = true;
};
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/rootfs" = {
mountOptions = [ "compress=zstd" ];
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/";
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/home";
};
"/nix" = {
@ -49,4 +55,5 @@
};
};
};
};
}
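Review bot: `allowDiscards = true` on the new `luks` content passes TRIM through the encrypted mapping, so anyone reading the raw NVMe can see which blocks are unused (free-space pattern and rough filesystem size) despite the encryption; that is a common SSD-longevity trade-off, but it should be recorded, e.g. `# allowDiscards leaks free-space layout through LUKS; accepted for SSD wear-leveling`. Disko appears to forward this setting to the generated `boot.initrd.luks.devices.crypted.allowDiscards`, so it takes effect in the initrd too — worth confirming that is intended rather than a one-off `fstrim` arrangement. The `luks` block opened in the first hunk closes in the second hunk's trailing braces, so its full definition spans both hunks.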