From 1d93917d7b5adec950054220b572e4237ac1b3ba Mon Sep 17 00:00:00 2001 From: Andre Date: Wed, 3 Jul 2024 21:13:13 -0400 Subject: [PATCH] Filesystems: scooch LUKS definition over to module --- flake.lock | 6 +- hosts/Dimaga/hardware-configuration.nix | 51 +++++++------ hosts/Khanda/hardware-configuration.nix | 27 +++---- hosts/Shura/hardware-configuration.nix | 26 +++---- modules/system/filesystem.nix | 96 +++++++++++++------------ 5 files changed, 113 insertions(+), 93 deletions(-) diff --git a/flake.lock b/flake.lock index fd2e9dc..8e8c06b 100644 --- a/flake.lock +++ b/flake.lock @@ -138,11 +138,11 @@ ] }, "locked": { - "lastModified": 1719992360, - "narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=", + "lastModified": 1720045378, + "narHash": "sha256-lmE7B+QXw7lWdBu5GQlUABSpzPk3YBb9VbV+IYK5djk=", "owner": "nix-community", "repo": "home-manager", - "rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b", + "rev": "0a30138c694ab3b048ac300794c2eb599dc40266", "type": "github" }, "original": { diff --git a/hosts/Dimaga/hardware-configuration.nix b/hosts/Dimaga/hardware-configuration.nix index 844fe94..5efca4d 100644 --- a/hosts/Dimaga/hardware-configuration.nix +++ b/hosts/Dimaga/hardware-configuration.nix 
@@ -15,33 +15,42 @@ in imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { - initrd = { - availableKernelModules = [ - "xhci_pci" - "nvme" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - luks.devices."luks-${luksUUID}" = { - device = "/dev/disk/by-uuid/${luksUUID}"; - crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking - }; - }; + initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; kernelModules = [ "kvm-intel" ]; extraModulePackages = [ ]; + + # Enable mdadm for Sapana (RAID 5 primary storage). + swraid = { + enable = true; + mdadmConf = '' + ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb + MAILADDR ${config.secrets.users.aires.email} + ''; + }; }; # Configure the main filesystem. - aux.system.filesystem.btrfs = { - enable = true; - devices = { - boot = "/dev/disk/by-uuid/${bootUUID}"; - btrfs = "/dev/disk/by-uuid/${rootUUID}"; - }; - swapFile = { + aux.system.filesystem = { + btrfs = { enable = true; - size = 16384; + devices = { + boot = "/dev/disk/by-uuid/${bootUUID}"; + btrfs = "/dev/disk/by-uuid/${rootUUID}"; + }; + swapFile = { + enable = true; + size = 16384; + }; + }; + luks = { + enable = true; + uuid = luksUUID; }; }; diff --git a/hosts/Khanda/hardware-configuration.nix b/hosts/Khanda/hardware-configuration.nix index 545cd5d..caf4f36 100644 --- a/hosts/Khanda/hardware-configuration.nix +++ b/hosts/Khanda/hardware-configuration.nix @@ -46,11 +46,6 @@ in "surface_kbd" "pinctrl_tigerlake" ]; - - luks.devices."luks-${luksUUID}" = { - device = "/dev/disk/by-uuid/${luksUUID}"; - crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking - }; }; kernel.sysctl = { 
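Review bot: The new `mdadmConf` interpolates `config.secrets.users.aires.email` into the `MAILADDR` line, and `boot.swraid.mdadmConf` ends up as an `/etc/mdadm.conf` store path (and in the initrd) that is world-readable, so if that attribute is managed as a secret elsewhere in the repo this copies it into the store in plain text. If the address is not considered sensitive, a comment next to `MAILADDR` saying so would save the next reader the question; if it is, drop the `MAILADDR` line or have it read from a file outside the store. The comment `# Enable mdadm for Sapana (RAID 5 primary storage).` is the only documentation of the new array, which is adequate for the `ARRAY` line as written. The enclosing `boot` attribute set continues past the hunk.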
@@ -75,15 +70,21 @@ in }; # Configure the main filesystem. - aux.system.filesystem.btrfs = { - enable = true; - devices = { - boot = "/dev/disk/by-uuid/${bootUUID}"; - btrfs = "/dev/disk/by-uuid/${rootUUID}"; - }; - swapFile = { + aux.system.filesystem = { + btrfs = { enable = true; - size = 16384; + devices = { + boot = "/dev/disk/by-uuid/${bootUUID}"; + btrfs = "/dev/disk/by-uuid/${rootUUID}"; + }; + swapFile = { + enable = true; + size = 16384; + }; + }; + luks = { + enable = true; + uuid = luksUUID; }; }; diff --git a/hosts/Shura/hardware-configuration.nix b/hosts/Shura/hardware-configuration.nix index be4eaab..7202124 100644 --- a/hosts/Shura/hardware-configuration.nix +++ b/hosts/Shura/hardware-configuration.nix @@ -29,25 +29,27 @@ in "sd_mod" "rtsx_pci_sdmmc" ]; - luks.devices."luks-${luksUUID}" = { - device = "/dev/disk/by-uuid/${luksUUID}"; - crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking - }; }; kernelModules = [ "kvm-amd" ]; }; # Configure the main filesystem. - aux.system.filesystem.btrfs = { - enable = true; - devices = { - boot = "/dev/disk/by-uuid/${bootUUID}"; - btrfs = "/dev/disk/by-uuid/${rootUUID}"; - }; - swapFile = { + aux.system.filesystem = { + btrfs = { enable = true; - size = 16384; + devices = { + boot = "/dev/disk/by-uuid/${bootUUID}"; + btrfs = "/dev/disk/by-uuid/${rootUUID}"; + }; + swapFile = { + enable = true; + size = 16384; + }; + }; + luks = { + enable = true; + uuid = luksUUID; }; }; diff --git a/modules/system/filesystem.nix b/modules/system/filesystem.nix index 3fee506..75b3c13 100644 --- a/modules/system/filesystem.nix +++ b/modules/system/filesystem.nix 
@@ -1,63 +1,71 @@ { lib, config, ... }: let - cfg = config.aux.system.filesystem.btrfs; + cfg = config.aux.system.filesystem; standardMountOpts = [ "compress=zstd" ]; in { options = { - aux.system.filesystem.btrfs = { - enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters."); - devices = { - boot = lib.mkOption { - type = lib.types.str; - description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results."; - default = ""; + aux.system.filesystem = { + btrfs = { + enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters."); + devices = { + boot = lib.mkOption { + type = lib.types.str; + description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results."; + default = ""; + }; + btrfs = lib.mkOption { + type = lib.types.str; + description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results."; + default = ""; + }; }; - btrfs = lib.mkOption { - type = lib.types.str; - description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results."; - default = ""; + swapFile = { + enable = lib.mkEnableOption (lib.mdDoc "Enables the creation of a swap file."); + size = lib.mkOption { + type = lib.types.int; + description = "The size of the swap file to create in MB (defaults to 8192, or ~8 gigabytes)."; + default = 8192; + }; }; }; - subvolumes = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "Which subvolumes to mount. Leave as the default to create all standard subvolumes."; - default = [ - "/" - "/home" - "/nix" - "/var/log" - ]; - }; - swapFile = { - enable = lib.mkEnableOption (lib.mdDoc "Enables the creation of a swap file."); - size = lib.mkOption { - type = lib.types.int; - description = "The size of the swap file to create in MB (defaults to 8192, or ~8 gigabytes)."; - default = 8192; + luks = { + enable = lib.mkEnableOption ( + lib.mkDoc "Enables an encrypted LUKS container for the BTRFS partition." 
+ ); + uuid = lib.mkOption { + type = lib.types.str; + description = "The UUID of the encrypted LUKS volume."; }; }; }; }; - config = lib.mkIf cfg.enable { + config = lib.mkIf cfg.btrfs.enable { # Check for blank parameters assertions = [ { - assertion = cfg.devices.btrfs != ""; + assertion = cfg.btrfs.devices.btrfs != ""; message = "Please specify a BTRFS partition to use as a filesystem."; } { - assertion = cfg.devices.boot != ""; + assertion = cfg.btrfs.devices.boot != ""; message = "Please specify a boot partition to use as a filesystem."; } ]; + boot.initrd.luks.devices = lib.mkIf cfg.luks.enable { + "luks-${cfg.luks.uuid}" = { + device = "/dev/disk/by-uuid/${cfg.luks.uuid}"; + # Enable TPM auto-unlocking if configured + crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ]; + }; + }; fileSystems = { - "/" = lib.mkIf (builtins.elem "/" cfg.subvolumes) { - device = cfg.devices.btrfs; + "/" = { + device = cfg.btrfs.devices.btrfs; fsType = "btrfs"; options = [ "subvol=@" @@ -65,27 +73,27 @@ in ]; }; "/boot" = { - device = cfg.devices.boot; + device = cfg.btrfs.devices.boot; fsType = "vfat"; }; - "/home" = lib.mkIf (builtins.elem "/home" cfg.subvolumes) { - device = cfg.devices.btrfs; + "/home" = { + device = cfg.btrfs.devices.btrfs; fsType = "btrfs"; options = [ "subvol=@home" "compress=zstd" ]; }; - "/var/log" = lib.mkIf (builtins.elem "/var/log" cfg.subvolumes) { - device = cfg.devices.btrfs; + "/var/log" = { + device = cfg.btrfs.devices.btrfs; fsType = "btrfs"; options = [ "subvol=@log" "compress=zstd" ]; }; - "/nix" = lib.mkIf (builtins.elem "/nix" cfg.subvolumes) { - device = cfg.devices.btrfs; + "/nix" = { + device = cfg.btrfs.devices.btrfs; fsType = "btrfs"; options = [ "subvol=@nix" 
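Review bot: `lib.mkDoc` in the new `luks.enable` declaration is not a nixpkgs function; the two other `mkEnableOption` calls in this block use `lib.mdDoc`, so the line should read `lib.mkEnableOption (lib.mdDoc "Enables an encrypted LUKS container for the BTRFS partition.")`, and because `mkEnableOption` only forces its description when it is rendered (manual build, `nixos-option`) the typo will not show up on an ordinary rebuild. The moved `crypttabExtraOpts` is now gated on `config.aux.system.bootloader.tpm2.enable`, whereas the per-host definitions removed in the Dimaga, Khanda and Shura hunks passed `tpm2-device=auto` unconditionally, so a host that sets `luks.enable` without that bootloader option silently falls back to a passphrase prompt; the `luks.enable` description should state this, e.g. `TPM2 auto-unlock is added only when aux.system.bootloader.tpm2.enable is set.` The `boot.initrd.luks.devices` definition also sits inside `config = lib.mkIf cfg.btrfs.enable`, so `luks.enable = true` on a host without `btrfs.enable` is dropped without any assertion; either split `config` into a `lib.mkMerge` of a btrfs-gated and a luks-gated part, or document on `luks.enable` that it requires `btrfs.enable`. This hunk additionally removes the `subvolumes` option without mention in the commit message, which turns any remaining host setting it into an undefined-option error rather than a silent no-op.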
@@ -94,9 +102,9 @@ in ]; }; } - // lib.optionalAttrs cfg.swapFile.enable { + // lib.optionalAttrs cfg.btrfs.swapFile.enable { "/swap" = { - device = cfg.devices.btrfs; + device = cfg.btrfs.devices.btrfs; fsType = "btrfs"; options = [ "subvol=@swap" @@ -105,10 +113,10 @@ in }; }; - swapDevices = lib.mkIf cfg.swapFile.enable [ + swapDevices = lib.mkIf cfg.btrfs.swapFile.enable [ { device = "/swap/swapfile"; - size = cfg.swapFile.size; + size = cfg.btrfs.swapFile.size; } ]; };