Filesystems: remove need for unlocked root partition UUID

2024-07-05 09:36:11 -04:00 · 2024-07-05 09:36:11 -04:00 · 96ddf8fdf0
parent b12f7e2b4a
commit 96ddf8fdf0
5 changed files with 58 additions and 94 deletions
--- a/flake.lock
+++ b/flake.lock
@ -138,11 +138,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720135141,
-        "narHash": "sha256-1GHh1/WO+f42TXxb1WiZFMuepM7ITA9iT+6yJBbBNsY=",
+        "lastModified": 1720167120,
+        "narHash": "sha256-K9JYdlPiyaXp33JRg7CT8rMwH56e4ncXSsXW/YKnNXc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c514e862cd5705e51edb6fe8d01146fdeec661f2",
+        "rev": "bbe6e94737289c8cb92d4d8f9199fbfe4f11c0ba",
        "type": "github"
      },
      "original": {
--- a/hosts/Dimaga/hardware-configuration.nix
+++ b/hosts/Dimaga/hardware-configuration.nix
@ -9,7 +9,6 @@
 let
  bootUUID = "FC20-D155"; # The UUID of the boot partition.
  luksUUID = "9fdc521b-a037-4070-af47-f54da03675e4"; # The UUID of the locked LUKS partition.
-  rootUUID = "dfb4fc8f-e82b-43a1-91c1-a77acb6337cb"; # The UUID of the unlocked filesystem partition.
 in
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
@ -37,22 +36,16 @@ in

  # Configure the main filesystem.
  aux.system.filesystem = {
-    btrfs = {
    enable = true;
-      devices = {
+    partitions = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
-        btrfs = "/dev/disk/by-uuid/${rootUUID}";
+      luks = "/dev/disk/by-uuid/${luksUUID}";
    };
    swapFile = {
      enable = true;
      size = 16384;
    };
  };
-    luks = {
-      enable = true;
-      uuid = luksUUID;
-    };
-  };

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/Khanda/hardware-configuration.nix
+++ b/hosts/Khanda/hardware-configuration.nix
@ -9,7 +9,6 @@
 let
  bootUUID = "B2D7-96C3"; # The UUID of the boot partition.
  luksUUID = "f5ff391a-f2ef-4ac3-9ce8-9f5ed950b212"; # The UUID of the locked LUKS partition.
-  rootUUID = "fed155a3-04ae-47c0-996d-0398faaa6a17"; # The UUID of the unlocked filesystem partition.
 in
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
@ -71,22 +70,16 @@ in

  # Configure the main filesystem.
  aux.system.filesystem = {
-    btrfs = {
    enable = true;
-      devices = {
+    partitions = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
-        btrfs = "/dev/disk/by-uuid/${rootUUID}";
+      luks = "/dev/disk/by-uuid/${luksUUID}";
    };
    swapFile = {
      enable = true;
      size = 16384;
    };
  };
-    luks = {
-      enable = true;
-      uuid = luksUUID;
-    };
-  };

  networking = {
    useDHCP = lib.mkDefault true;
--- a/hosts/Shura/hardware-configuration.nix
+++ b/hosts/Shura/hardware-configuration.nix
@ -9,7 +9,6 @@
 let
  bootUUID = "AFCB-D880"; # The UUID of the boot partition.
  luksUUID = "bcf67e34-339e-40b9-8ffd-bec8f7f55248"; # The UUID of the locked LUKS partition.
-  rootUUID = "b801fbea-4cb5-4255-bea9-a2ce77d1a1b7"; # The UUID of the unlocked filesystem partition.
 in
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
@ -36,22 +35,16 @@ in

  # Configure the main filesystem.
  aux.system.filesystem = {
-    btrfs = {
    enable = true;
-      devices = {
+    partitions = {
      boot = "/dev/disk/by-uuid/${bootUUID}";
-        btrfs = "/dev/disk/by-uuid/${rootUUID}";
+      luks = "/dev/disk/by-uuid/${luksUUID}";
    };
    swapFile = {
      enable = true;
      size = 16384;
    };
  };
-    luks = {
-      enable = true;
-      uuid = luksUUID;
-    };
-  };

  networking = {
    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/modules/system/filesystem.nix
+++ b/modules/system/filesystem.nix
@ -2,22 +2,23 @@
 let
  cfg = config.aux.system.filesystem;

-  standardMountOpts = [ "compress=zstd" ];
+  # LUKS partition will decrypt to /dev/mapper/nixos-root
+  decryptPart = "nixos-root";
+  decryptPath = "/dev/mapper/${decryptPart}";
 in
 {
  options = {
    aux.system.filesystem = {
-      btrfs = {
      enable = lib.mkEnableOption (lib.mdDoc "Enables standard BTRFS subvolumes and parameters.");
-        devices = {
+      partitions = {
        boot = lib.mkOption {
          type = lib.types.str;
          description = "The ID of your boot partition. Use /dev/disk/by-uuid for best results.";
          default = "";
        };
-          btrfs = lib.mkOption {
+        luks = lib.mkOption {
          type = lib.types.str;
-            description = "The ID of your BTRFS partition. Use /dev/disk/by-uuid for best results.";
+          description = "The ID of your LUKS partition. Use /dev/disk/by-uuid for best results.";
          default = "";
        };
      };
@ -30,46 +31,30 @@ in
        };
      };
    };
-      luks = {
-        enable = lib.mkEnableOption (
-          lib.mkDoc "Enables an encrypted LUKS container for the BTRFS partition."
-        );
-        uuid = lib.mkOption {
-          type = lib.types.str;
-          description = "The UUID of the encrypted LUKS volume.";
-        };
-      };
-    };
  };

-  config = lib.mkIf cfg.btrfs.enable {
+  config = lib.mkIf cfg.enable {

    # Check for blank parameters
    assertions = [
      {
-        assertion = cfg.btrfs.devices.btrfs != "";
-        message = "Please specify the BTRFS partition UUID to use as the filesystem.";
+        assertion = cfg.partitions.luks != "";
+        message = "Please specify a LUKS partition to use as the root filesystem.";
      }
      {
-        assertion = cfg.btrfs.devices.boot != "";
-        message = "Please specify the boot partition UUID.";
+        assertion = cfg.partitions.boot != "";
+        message = "Please specify your boot partition.";
      }
-      (lib.mkIf cfg.luks.enable {
-        assertion = cfg.luks.uuid != "";
-        message = "Please enter a valid UUID for the encrypted LUKS volume.";
-      })
    ];
-    boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
-      "luks-${cfg.luks.uuid}" = {
-        device = "/dev/disk/by-uuid/${cfg.luks.uuid}";
+    boot.initrd.luks.devices.${decryptPart} = {
+      device = cfg.partitions.luks;
      # Enable TPM auto-unlocking if configured
      crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
    };
-    };
    fileSystems =
      {
        "/" = {
-          device = cfg.btrfs.devices.btrfs;
+          device = decryptPath;
          fsType = "btrfs";
          options = [
            "subvol=@"
@ -77,11 +62,11 @@ in
          ];
        };
        "/boot" = {
-          device = cfg.btrfs.devices.boot;
+          device = cfg.partitions.boot;
          fsType = "vfat";
        };
        "/home" = {
-          device = cfg.btrfs.devices.btrfs;
+          device = decryptPath;
          fsType = "btrfs";
          options = [
            "subvol=@home"
@ -89,7 +74,7 @@ in
          ];
        };
        "/var/log" = {
-          device = cfg.btrfs.devices.btrfs;
+          device = decryptPath;
          fsType = "btrfs";
          options = [
            "subvol=@log"
@ -97,7 +82,7 @@ in
          ];
        };
        "/nix" = {
-          device = cfg.btrfs.devices.btrfs;
+          device = decryptPath;
          fsType = "btrfs";
          options = [
            "subvol=@nix"
@ -106,9 +91,9 @@ in
          ];
        };
      }
-      // lib.optionalAttrs cfg.btrfs.swapFile.enable {
+      // lib.optionalAttrs cfg.swapFile.enable {
        "/swap" = {
-          device = cfg.btrfs.devices.btrfs;
+          device = decryptPath;
          fsType = "btrfs";
          options = [
            "subvol=@swap"
@ -117,10 +102,10 @@ in
        };
      };

-    swapDevices = lib.mkIf cfg.btrfs.swapFile.enable [
+    swapDevices = lib.mkIf cfg.swapFile.enable [
      {
        device = "/swap/swapfile";
-        size = cfg.btrfs.swapFile.size;
+        size = cfg.swapFile.size;
      }
    ];
  };