
Filesystems: scooch LUKS definition over to module

This commit is contained in:
Aires 2024-07-03 21:13:13 -04:00
parent 031b719d64
commit 1d93917d7b
5 changed files with 113 additions and 93 deletions


@ -138,11 +138,11 @@
]
},
"locked": {
"lastModified": 1719992360,
"narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=",
"lastModified": 1720045378,
"narHash": "sha256-lmE7B+QXw7lWdBu5GQlUABSpzPk3YBb9VbV+IYK5djk=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b",
"rev": "0a30138c694ab3b048ac300794c2eb599dc40266",
"type": "github"
},
"original": {


@ -15,25 +15,29 @@ in
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
luks.devices."luks-${luksUUID}" = {
device = "/dev/disk/by-uuid/${luksUUID}";
crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
};
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
# Enable mdadm for Sapana (RAID 5 primary storage).
swraid = {
enable = true;
mdadmConf = ''
ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
MAILADDR ${config.secrets.users.aires.email}
'';
};
};
# Configure the main filesystem.
aux.system.filesystem.btrfs = {
aux.system.filesystem = {
btrfs = {
enable = true;
devices = {
boot = "/dev/disk/by-uuid/${bootUUID}";
@ -44,6 +48,11 @@ in
size = 16384;
};
};
luks = {
enable = true;
uuid = luksUUID;
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
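Review bot: The TPM auto-unlock that was hard-coded in this host's removed `luks.devices."luks-${luksUUID}"` entry is now gated on `config.aux.system.bootloader.tpm2.enable` inside the module, and nothing in this file sets that option, so unless another module enables it this host will start prompting for the LUKS passphrase instead of unsealing from the TPM. If TPM unlock is intended here, add `aux.system.bootloader.tpm2.enable = true;` next to the new `luks = { enable = true; uuid = luksUUID; };` block, or confirm that a shared module sets it. The same silent behaviour change applies to the other two host configurations in this commit. The `boot` attribute set begins at `boot = {` inside the hunk, but the enclosing module expression starts before the hunk.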


@ -46,11 +46,6 @@ in
"surface_kbd"
"pinctrl_tigerlake"
];
luks.devices."luks-${luksUUID}" = {
device = "/dev/disk/by-uuid/${luksUUID}";
crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
};
};
kernel.sysctl = {
@ -75,7 +70,8 @@ in
};
# Configure the main filesystem.
aux.system.filesystem.btrfs = {
aux.system.filesystem = {
btrfs = {
enable = true;
devices = {
boot = "/dev/disk/by-uuid/${bootUUID}";
@ -86,6 +82,11 @@ in
size = 16384;
};
};
luks = {
enable = true;
uuid = luksUUID;
};
};
networking = {
useDHCP = lib.mkDefault true;


@ -29,17 +29,14 @@ in
"sd_mod"
"rtsx_pci_sdmmc"
];
luks.devices."luks-${luksUUID}" = {
device = "/dev/disk/by-uuid/${luksUUID}";
crypttabExtraOpts = [ "tpm2-device=auto" ]; # Enable TPM auto-unlocking
};
};
kernelModules = [ "kvm-amd" ];
};
# Configure the main filesystem.
aux.system.filesystem.btrfs = {
aux.system.filesystem = {
btrfs = {
enable = true;
devices = {
boot = "/dev/disk/by-uuid/${bootUUID}";
@ -50,6 +47,11 @@ in
size = 16384;
};
};
luks = {
enable = true;
uuid = luksUUID;
};
};
networking = {
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,12 +1,13 @@
{ lib, config, ... }:
let
cfg = config.aux.system.filesystem.btrfs;
cfg = config.aux.system.filesystem;
standardMountOpts = [ "compress=zstd" ];
in
{
options = {
aux.system.filesystem.btrfs = {
aux.system.filesystem = {
btrfs = {
enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
devices = {
boot = lib.mkOption {
@ -20,16 +21,6 @@ in
default = "";
};
};
subvolumes = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Which subvolumes to mount. Leave as the default to create all standard subvolumes.";
default = [
"/"
"/home"
"/nix"
"/var/log"
];
};
swapFile = {
enable = lib.mkEnableOption (lib.mdDoc "Enables the creation of a swap file.");
size = lib.mkOption {
@ -39,25 +30,42 @@ in
};
};
};
luks = {
enable = lib.mkEnableOption (
lib.mkDoc "Enables an encrypted LUKS container for the BTRFS partition."
);
uuid = lib.mkOption {
type = lib.types.str;
description = "The UUID of the encrypted LUKS volume.";
};
};
};
};
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.btrfs.enable {
# Check for blank parameters
assertions = [
{
assertion = cfg.devices.btrfs != "";
assertion = cfg.btrfs.devices.btrfs != "";
message = "Please specify a BTRFS partition to use as a filesystem.";
}
{
assertion = cfg.devices.boot != "";
assertion = cfg.btrfs.devices.boot != "";
message = "Please specify a boot partition to use as a filesystem.";
}
];
boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
"luks-${cfg.luks.uuid}" = {
device = "/dev/disk/by-uuid/${cfg.luks.uuid}";
# Enable TPM auto-unlocking if configured
crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
};
};
fileSystems =
{
"/" = lib.mkIf (builtins.elem "/" cfg.subvolumes) {
device = cfg.devices.btrfs;
"/" = {
device = cfg.btrfs.devices.btrfs;
fsType = "btrfs";
options = [
"subvol=@"
@ -65,27 +73,27 @@ in
];
};
"/boot" = {
device = cfg.devices.boot;
device = cfg.btrfs.devices.boot;
fsType = "vfat";
};
"/home" = lib.mkIf (builtins.elem "/home" cfg.subvolumes) {
device = cfg.devices.btrfs;
"/home" = {
device = cfg.btrfs.devices.btrfs;
fsType = "btrfs";
options = [
"subvol=@home"
"compress=zstd"
];
};
"/var/log" = lib.mkIf (builtins.elem "/var/log" cfg.subvolumes) {
device = cfg.devices.btrfs;
"/var/log" = {
device = cfg.btrfs.devices.btrfs;
fsType = "btrfs";
options = [
"subvol=@log"
"compress=zstd"
];
};
"/nix" = lib.mkIf (builtins.elem "/nix" cfg.subvolumes) {
device = cfg.devices.btrfs;
"/nix" = {
device = cfg.btrfs.devices.btrfs;
fsType = "btrfs";
options = [
"subvol=@nix"
@ -94,9 +102,9 @@ in
];
};
}
// lib.optionalAttrs cfg.swapFile.enable {
// lib.optionalAttrs cfg.btrfs.swapFile.enable {
"/swap" = {
device = cfg.devices.btrfs;
device = cfg.btrfs.devices.btrfs;
fsType = "btrfs";
options = [
"subvol=@swap"
@ -105,10 +113,10 @@ in
};
};
swapDevices = lib.mkIf cfg.swapFile.enable [
swapDevices = lib.mkIf cfg.btrfs.swapFile.enable [
{
device = "/swap/swapfile";
size = cfg.swapFile.size;
size = cfg.btrfs.swapFile.size;
}
];
};
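Review bot: `lib.mkDoc` on the new `luks.enable` option is not a nixpkgs `lib` function (the sibling `btrfs.enable` and `swapFile.enable` options use `lib.mdDoc`), so the option description will fail to evaluate the first time it is rendered; change it to `lib.mdDoc "Enables an encrypted LUKS container for the BTRFS partition."`. The new `boot.initrd.luks.devices` entry is also declared inside `config = lib.mkIf cfg.btrfs.enable`, so `luks.enable = true` with BTRFS disabled silently produces no crypttab entry and the root device is never unlocked; either move the LUKS attribute out of that `mkIf` or add an assertion such as `{ assertion = cfg.luks.enable -> cfg.btrfs.enable; message = "aux.system.filesystem.luks requires the btrfs module to be enabled."; }`. `crypttabExtraOpts` is, per its NixOS option documentation, only honoured by systemd stage 1, so unless `boot.initrd.systemd.enable` is set elsewhere the `tpm2-device=auto` flag is dropped and the machine falls back to a passphrase prompt — worth a second assertion, `{ assertion = !(cfg.luks.enable && config.aux.system.bootloader.tpm2.enable) || config.boot.initrd.systemd.enable; message = "TPM2 auto-unlock requires boot.initrd.systemd.enable."; }`. `config.aux.system.bootloader.tpm2.enable` is referenced but not declared in this file; I assume another module defines it, otherwise the whole configuration fails to evaluate. Finally, `tpm2-device=auto` unlocks with no user secret and the PCR policy the key is sealed against is fixed at `systemd-cryptenroll` time rather than here, so the option description should say that enabling it does not by itself bind the unlock to a measured boot state.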