Filesystems: remove need for unlocked root partition UUID
parent
b12f7e2b4a
commit
96ddf8fdf0
|
@ -138,11 +138,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1720135141,
|
"lastModified": 1720167120,
|
||||||
"narHash": "sha256-1GHh1/WO+f42TXxb1WiZFMuepM7ITA9iT+6yJBbBNsY=",
|
"narHash": "sha256-K9JYdlPiyaXp33JRg7CT8rMwH56e4ncXSsXW/YKnNXc=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "c514e862cd5705e51edb6fe8d01146fdeec661f2",
|
"rev": "bbe6e94737289c8cb92d4d8f9199fbfe4f11c0ba",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -9,7 +9,6 @@
|
||||||
let
|
let
|
||||||
bootUUID = "FC20-D155"; # The UUID of the boot partition.
|
bootUUID = "FC20-D155"; # The UUID of the boot partition.
|
||||||
luksUUID = "9fdc521b-a037-4070-af47-f54da03675e4"; # The UUID of the locked LUKS partition.
|
luksUUID = "9fdc521b-a037-4070-af47-f54da03675e4"; # The UUID of the locked LUKS partition.
|
||||||
rootUUID = "dfb4fc8f-e82b-43a1-91c1-a77acb6337cb"; # The UUID of the unlocked filesystem partition.
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
@ -37,22 +36,16 @@ in
|
||||||
|
|
||||||
# Configure the main filesystem.
|
# Configure the main filesystem.
|
||||||
aux.system.filesystem = {
|
aux.system.filesystem = {
|
||||||
btrfs = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
devices = {
|
partitions = {
|
||||||
boot = "/dev/disk/by-uuid/${bootUUID}";
|
boot = "/dev/disk/by-uuid/${bootUUID}";
|
||||||
btrfs = "/dev/disk/by-uuid/${rootUUID}";
|
luks = "/dev/disk/by-uuid/${luksUUID}";
|
||||||
};
|
};
|
||||||
swapFile = {
|
swapFile = {
|
||||||
enable = true;
|
enable = true;
|
||||||
size = 16384;
|
size = 16384;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
luks = {
|
|
||||||
enable = true;
|
|
||||||
uuid = luksUUID;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
|
|
@ -9,7 +9,6 @@
|
||||||
let
|
let
|
||||||
bootUUID = "B2D7-96C3"; # The UUID of the boot partition.
|
bootUUID = "B2D7-96C3"; # The UUID of the boot partition.
|
||||||
luksUUID = "f5ff391a-f2ef-4ac3-9ce8-9f5ed950b212"; # The UUID of the locked LUKS partition.
|
luksUUID = "f5ff391a-f2ef-4ac3-9ce8-9f5ed950b212"; # The UUID of the locked LUKS partition.
|
||||||
rootUUID = "fed155a3-04ae-47c0-996d-0398faaa6a17"; # The UUID of the unlocked filesystem partition.
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
@ -71,22 +70,16 @@ in
|
||||||
|
|
||||||
# Configure the main filesystem.
|
# Configure the main filesystem.
|
||||||
aux.system.filesystem = {
|
aux.system.filesystem = {
|
||||||
btrfs = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
devices = {
|
partitions = {
|
||||||
boot = "/dev/disk/by-uuid/${bootUUID}";
|
boot = "/dev/disk/by-uuid/${bootUUID}";
|
||||||
btrfs = "/dev/disk/by-uuid/${rootUUID}";
|
luks = "/dev/disk/by-uuid/${luksUUID}";
|
||||||
};
|
};
|
||||||
swapFile = {
|
swapFile = {
|
||||||
enable = true;
|
enable = true;
|
||||||
size = 16384;
|
size = 16384;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
luks = {
|
|
||||||
enable = true;
|
|
||||||
uuid = luksUUID;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
useDHCP = lib.mkDefault true;
|
useDHCP = lib.mkDefault true;
|
||||||
|
|
|
@ -9,7 +9,6 @@
|
||||||
let
|
let
|
||||||
bootUUID = "AFCB-D880"; # The UUID of the boot partition.
|
bootUUID = "AFCB-D880"; # The UUID of the boot partition.
|
||||||
luksUUID = "bcf67e34-339e-40b9-8ffd-bec8f7f55248"; # The UUID of the locked LUKS partition.
|
luksUUID = "bcf67e34-339e-40b9-8ffd-bec8f7f55248"; # The UUID of the locked LUKS partition.
|
||||||
rootUUID = "b801fbea-4cb5-4255-bea9-a2ce77d1a1b7"; # The UUID of the unlocked filesystem partition.
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
@ -36,22 +35,16 @@ in
|
||||||
|
|
||||||
# Configure the main filesystem.
|
# Configure the main filesystem.
|
||||||
aux.system.filesystem = {
|
aux.system.filesystem = {
|
||||||
btrfs = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
devices = {
|
partitions = {
|
||||||
boot = "/dev/disk/by-uuid/${bootUUID}";
|
boot = "/dev/disk/by-uuid/${bootUUID}";
|
||||||
btrfs = "/dev/disk/by-uuid/${rootUUID}";
|
luks = "/dev/disk/by-uuid/${luksUUID}";
|
||||||
};
|
};
|
||||||
swapFile = {
|
swapFile = {
|
||||||
enable = true;
|
enable = true;
|
||||||
size = 16384;
|
size = 16384;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
luks = {
|
|
||||||
enable = true;
|
|
||||||
uuid = luksUUID;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
|
|
@ -2,22 +2,23 @@
|
||||||
let
|
let
|
||||||
cfg = config.aux.system.filesystem;
|
cfg = config.aux.system.filesystem;
|
||||||
|
|
||||||
standardMountOpts = [ "compress=zstd" ];
|
# LUKS partition will decrypt to /dev/mapper/nixos-root
|
||||||
|
decryptPart = "nixos-root";
|
||||||
|
decryptPath = "/dev/mapper/${decryptPart}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
aux.system.filesystem = {
|
aux.system.filesystem = {
|
||||||
btrfs = {
|
|
||||||
enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
|
enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
|
||||||
devices = {
|
partitions = {
|
||||||
boot = lib.mkOption {
|
boot = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results.";
|
description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results.";
|
||||||
default = "";
|
default = "";
|
||||||
};
|
};
|
||||||
btrfs = lib.mkOption {
|
luks = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results.";
|
description = "The ID of your LUKS partition. Use /dev/disk/by-uuid for best results.";
|
||||||
default = "";
|
default = "";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -30,46 +31,30 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
luks = {
|
|
||||||
enable = lib.mkEnableOption (
|
|
||||||
lib.mkDoc "Enables an encrypted LUKS container for the BTRFS partition."
|
|
||||||
);
|
|
||||||
uuid = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "The UUID of the encrypted LUKS volume.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.btrfs.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
# Check for blank parameters
|
# Check for blank parameters
|
||||||
assertions = [
|
assertions = [
|
||||||
{
|
{
|
||||||
assertion = cfg.btrfs.devices.btrfs != "";
|
assertion = cfg.partitions.luks != "";
|
||||||
message = "Please specify the BTRFS partition UUID to use as the filesystem.";
|
message = "Please specify a LUKS partition to use as the root filesystem.";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
assertion = cfg.btrfs.devices.boot != "";
|
assertion = cfg.partitions.boot != "";
|
||||||
message = "Please specify the boot partition UUID.";
|
message = "Please specify your boot partition.";
|
||||||
}
|
}
|
||||||
(lib.mkIf cfg.luks.enable {
|
|
||||||
assertion = cfg.luks.uuid != "";
|
|
||||||
message = "Please enter a valid UUID for the encrypted LUKS volume.";
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
|
boot.initrd.luks.devices.${decryptPart} = {
|
||||||
"luks-${cfg.luks.uuid}" = {
|
device = cfg.partitions.luks;
|
||||||
device = "/dev/disk/by-uuid/${cfg.luks.uuid}";
|
|
||||||
# Enable TPM auto-unlocking if configured
|
# Enable TPM auto-unlocking if configured
|
||||||
crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
|
crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
|
||||||
};
|
};
|
||||||
};
|
|
||||||
fileSystems =
|
fileSystems =
|
||||||
{
|
{
|
||||||
"/" = {
|
"/" = {
|
||||||
device = cfg.btrfs.devices.btrfs;
|
device = decryptPath;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"subvol=@"
|
"subvol=@"
|
||||||
|
@ -77,11 +62,11 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = cfg.btrfs.devices.boot;
|
device = cfg.partitions.boot;
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = cfg.btrfs.devices.btrfs;
|
device = decryptPath;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"subvol=@home"
|
"subvol=@home"
|
||||||
|
@ -89,7 +74,7 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"/var/log" = {
|
"/var/log" = {
|
||||||
device = cfg.btrfs.devices.btrfs;
|
device = decryptPath;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"subvol=@log"
|
"subvol=@log"
|
||||||
|
@ -97,7 +82,7 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"/nix" = {
|
"/nix" = {
|
||||||
device = cfg.btrfs.devices.btrfs;
|
device = decryptPath;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"subvol=@nix"
|
"subvol=@nix"
|
||||||
|
@ -106,9 +91,9 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// lib.optionalAttrs cfg.btrfs.swapFile.enable {
|
// lib.optionalAttrs cfg.swapFile.enable {
|
||||||
"/swap" = {
|
"/swap" = {
|
||||||
device = cfg.btrfs.devices.btrfs;
|
device = decryptPath;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"subvol=@swap"
|
"subvol=@swap"
|
||||||
|
@ -117,10 +102,10 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = lib.mkIf cfg.btrfs.swapFile.enable [
|
swapDevices = lib.mkIf cfg.swapFile.enable [
|
||||||
{
|
{
|
||||||
device = "/swap/swapfile";
|
device = "/swap/swapfile";
|
||||||
size = cfg.btrfs.swapFile.size;
|
size = cfg.swapFile.size;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
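Review bot: `partitions.luks` is now passed verbatim to `boot.initrd.luks.devices.${decryptPart}.device`, but the only guard is `cfg.partitions.luks != ""` and the description still calls it "The ID of your LUKS partition". The removed `luks.uuid` option took a bare UUID and the module added the `/dev/disk/by-uuid/` prefix itself, so a host that carries a bare UUID over would presumably pass the assertion and end up with an initrd that cannot find its root device. I would tighten the check to `assertion = lib.hasPrefix "/dev/" cfg.partitions.luks;` and reword the description to `"Device path of the LUKS container, e.g. /dev/disk/by-uuid/<uuid>."`. The `enable` description ("Enables standard BTRFS subvolumes and parameters.") should also say that the module now always sets up a LUKS-backed root, since the separate `luks.enable` switch is gone. Because `/` is now mounted from the fixed name `/dev/mapper/nixos-root` and `tpm2-device=auto` can unlock it unattended, a comment stating which PCRs the TPM enrollment is expected to be bound to would help anyone reviewing a host config.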