80 lines
2 KiB
Nix
80 lines
2 KiB
Nix
{device ? throw "Set this to your disk device, e.g. /dev/sda", ...}: {
|
|
disko.devices = {
|
|
disk = {
|
|
main = {
|
|
type = "disk";
|
|
device = device;
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
ESP = {
|
|
label = "boot";
|
|
name = "ESP";
|
|
size = "512M";
|
|
type = "EF00";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
mountOptions = [
|
|
"defaults"
|
|
];
|
|
};
|
|
};
|
|
luks = {
|
|
size = "100%";
|
|
label = "luks";
|
|
content = {
|
|
type = "luks";
|
|
name = "cryptroot";
|
|
extraOpenArgs = [
|
|
"--allow-discards"
|
|
"--perf-no_read_workqueue"
|
|
"--perf-no_write_workqueue"
|
|
];
|
|
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
|
|
settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
|
|
content = {
|
|
type = "filesystem";
|
|
format = "ext4";
|
|
mountpoint = "/persist";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
nodev = {
|
|
"/" = {
|
|
fsType = "tmpfs";
|
|
mountOptions = ["defaults" "size=8G" "mode=755"];
|
|
};
|
|
};
|
|
};
|
|
|
|
fileSystems."/persist" = {
|
|
depends = ["/"];
|
|
neededForBoot = true;
|
|
};
|
|
fileSystems."/nix" = {
|
|
device = "/persist/nix";
|
|
options = ["bind"];
|
|
depends = ["/persist"];
|
|
neededForBoot = true;
|
|
};
|
|
fileSystems."/tmp" = {
|
|
device = "/persist/tmp";
|
|
options = ["bind"];
|
|
depends = ["/persist"];
|
|
neededForBoot = true;
|
|
};
|
|
swapDevices = [
|
|
{
|
|
device = "/persist/swapfile";
|
|
size = 64 * 1024; # 64 GB
|
|
}
|
|
];
|
|
|
|
boot.resumeDevice = "/persist/swapfile";
|
|
}
|