Filesystems: scooch LUKS definition over to module

2024-07-03 21:13:13 -04:00 · 2024-07-03 21:13:13 -04:00 · 1d93917d7b
parent 031b719d64
commit 1d93917d7b
5 changed files with 113 additions and 93 deletions
--- a/flake.lock
+++ b/flake.lock
@ -138,11 +138,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719992360,
+        "lastModified": 1720045378,
-        "narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=",
+        "narHash": "sha256-lmE7B+QXw7lWdBu5GQlUABSpzPk3YBb9VbV+IYK5djk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b",
+        "rev": "0a30138c694ab3b048ac300794c2eb599dc40266",
        "type": "github"
      },
      "original": {
--- a/hosts/Dimaga/hardware-configuration.nix
+++ b/hosts/Dimaga/hardware-configuration.nix
@ -15,33 +15,42 @@ in
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
-    initrd = {
+    initrd.availableKernelModules = [
-      availableKernelModules = [
+      "xhci_pci"
-        "xhci_pci"
+      "nvme"
-        "nvme"
+      "usb_storage"
-        "usb_storage"
+      "sd_mod"
-        "sd_mod"
+      "sdhci_pci"
-        "sdhci_pci"
+    ];
      ];
      luks.devices."luks-${luksUUID}" = {
        device = "/dev/disk/by-uuid/${luksUUID}";
        crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
      };
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
    # Enable mdadm for Sapana (RAID 5 primary storage).
    swraid = {
      enable = true;
      mdadmConf = ''
        ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
        MAILADDR ${config.secrets.users.aires.email}
      '';
    };
  };
  # Configure the main filesystem.
-  aux.system.filesystem.btrfs = {
+  aux.system.filesystem = {
-    enable = true;
+    btrfs = {
    devices = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
      btrfs = "/dev/disk/by-uuid/${rootUUID}";
    };
    swapFile = {
      enable = true;
-      size = 16384;
+      devices = {
        boot = "/dev/disk/by-uuid/${bootUUID}";
        btrfs = "/dev/disk/by-uuid/${rootUUID}";
      };
      swapFile = {
        enable = true;
        size = 16384;
      };
    };
    luks = {
      enable = true;
      uuid = luksUUID;
    };
  };
--- a/hosts/Khanda/hardware-configuration.nix
+++ b/hosts/Khanda/hardware-configuration.nix
@ -46,11 +46,6 @@ in
        "surface_kbd"
        "pinctrl_tigerlake"
      ];
      luks.devices."luks-${luksUUID}" = {
        device = "/dev/disk/by-uuid/${luksUUID}";
        crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
      };
    };
    kernel.sysctl = {
@ -75,15 +70,21 @@ in
  };
  # Configure the main filesystem.
-  aux.system.filesystem.btrfs = {
+  aux.system.filesystem = {
-    enable = true;
+    btrfs = {
    devices = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
      btrfs = "/dev/disk/by-uuid/${rootUUID}";
    };
    swapFile = {
      enable = true;
-      size = 16384;
+      devices = {
        boot = "/dev/disk/by-uuid/${bootUUID}";
        btrfs = "/dev/disk/by-uuid/${rootUUID}";
      };
      swapFile = {
        enable = true;
        size = 16384;
      };
    };
    luks = {
      enable = true;
      uuid = luksUUID;
    };
  };
--- a/hosts/Shura/hardware-configuration.nix
+++ b/hosts/Shura/hardware-configuration.nix
@ -29,25 +29,27 @@ in
        "sd_mod"
        "rtsx_pci_sdmmc"
      ];
      luks.devices."luks-${luksUUID}" = {
        device = "/dev/disk/by-uuid/${luksUUID}";
        crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
      };
    };
    kernelModules = [ "kvm-amd" ];
  };
  # Configure the main filesystem.
-  aux.system.filesystem.btrfs = {
+  aux.system.filesystem = {
-    enable = true;
+    btrfs = {
    devices = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
      btrfs = "/dev/disk/by-uuid/${rootUUID}";
    };
    swapFile = {
      enable = true;
-      size = 16384;
+      devices = {
        boot = "/dev/disk/by-uuid/${bootUUID}";
        btrfs = "/dev/disk/by-uuid/${rootUUID}";
      };
      swapFile = {
        enable = true;
        size = 16384;
      };
    };
    luks = {
      enable = true;
      uuid = luksUUID;
    };
  };
--- a/modules/system/filesystem.nix
+++ b/modules/system/filesystem.nix
@ -1,63 +1,71 @@
 { lib, config, ... }:
 let
-  cfg = config.aux.system.filesystem.btrfs;
+  cfg = config.aux.system.filesystem;
  standardMountOpts = [ "compress=zstd" ];
 in
 {
  options = {
-    aux.system.filesystem.btrfs = {
+    aux.system.filesystem = {
-      enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
+      btrfs = {
-      devices = {
+        enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
-        boot = lib.mkOption {
+        devices = {
-          type = lib.types.str;
+          boot = lib.mkOption {
-          description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results.";
+            type = lib.types.str;
-          default = "";
+            description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results.";
            default = "";
          };
          btrfs = lib.mkOption {
            type = lib.types.str;
            description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results.";
            default = "";
          };
        };
-        btrfs = lib.mkOption {
+        swapFile = {
-          type = lib.types.str;
+          enable = lib.mkEnableOption (lib.mdDoc "Enables the creation of a swap file.");
-          description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results.";
+          size = lib.mkOption {
-          default = "";
+            type = lib.types.int;
            description = "The size of the swap file to create in MB (defaults to 8192, or ~8 gigabytes).";
            default = 8192;
          };
        };
      };
-      subvolumes = lib.mkOption {
+      luks = {
-        type = lib.types.listOf lib.types.str;
+        enable = lib.mkEnableOption (
-        description = "Which subvolumes to mount. Leave as the default to create all standard subvolumes.";
+          lib.mkDoc "Enables an encrypted LUKS container for the BTRFS partition."
-        default = [
+        );
-          "/"
+        uuid = lib.mkOption {
-          "/home"
+          type = lib.types.str;
-          "/nix"
+          description = "The UUID of the encrypted LUKS volume.";
          "/var/log"
        ];
      };
      swapFile = {
        enable = lib.mkEnableOption (lib.mdDoc "Enables the creation of a swap file.");
        size = lib.mkOption {
          type = lib.types.int;
          description = "The size of the swap file to create in MB (defaults to 8192, or ~8 gigabytes).";
          default = 8192;
        };
      };
    };
  };
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.btrfs.enable {
    # Check for blank parameters
    assertions = [
      {
-        assertion = cfg.devices.btrfs != "";
+        assertion = cfg.btrfs.devices.btrfs != "";
        message = "Please specify a BTRFS partition to use as a filesystem.";
      }
      {
-        assertion = cfg.devices.boot != "";
+        assertion = cfg.btrfs.devices.boot != "";
        message = "Please specify a boot partition to use as a filesystem.";
      }
    ];
    boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
      "luks-${cfg.luks.uuid}" = {
        device = "/dev/disk/by-uuid/${cfg.luks.uuid}";
        # Enable TPM auto-unlocking if configured
        crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
      };
    };
    fileSystems =
      {
-        "/" = lib.mkIf (builtins.elem "/" cfg.subvolumes) {
+        "/" = {
-          device = cfg.devices.btrfs;
+          device = cfg.btrfs.devices.btrfs;
          fsType = "btrfs";
          options = [
            "subvol=@"
@ -65,27 +73,27 @@ in
          ];
        };
        "/boot" = {
-          device = cfg.devices.boot;
+          device = cfg.btrfs.devices.boot;
          fsType = "vfat";
        };
-        "/home" = lib.mkIf (builtins.elem "/home" cfg.subvolumes) {
+        "/home" = {
-          device = cfg.devices.btrfs;
+          device = cfg.btrfs.devices.btrfs;
          fsType = "btrfs";
          options = [
            "subvol=@home"
            "compress=zstd"
          ];
        };
-        "/var/log" = lib.mkIf (builtins.elem "/var/log" cfg.subvolumes) {
+        "/var/log" = {
-          device = cfg.devices.btrfs;
+          device = cfg.btrfs.devices.btrfs;
          fsType = "btrfs";
          options = [
            "subvol=@log"
            "compress=zstd"
          ];
        };
-        "/nix" = lib.mkIf (builtins.elem "/nix" cfg.subvolumes) {
+        "/nix" = {
-          device = cfg.devices.btrfs;
+          device = cfg.btrfs.devices.btrfs;
          fsType = "btrfs";
          options = [
            "subvol=@nix"
@ -94,9 +102,9 @@ in
          ];
        };
      }
-      // lib.optionalAttrs cfg.swapFile.enable {
+      // lib.optionalAttrs cfg.btrfs.swapFile.enable {
        "/swap" = {
-          device = cfg.devices.btrfs;
+          device = cfg.btrfs.devices.btrfs;
          fsType = "btrfs";
          options = [
            "subvol=@swap"
@ -105,10 +113,10 @@ in
        };
      };
-    swapDevices = lib.mkIf cfg.swapFile.enable [
+    swapDevices = lib.mkIf cfg.btrfs.swapFile.enable [
      {
        device = "/swap/swapfile";
-        size = cfg.swapFile.size;
+        size = cfg.btrfs.swapFile.size;
      }
    ];
  };