infrastructure/machines/modules/disko/fanny.nix
ahtlon a10fb33c29
[fanny] disable mounting root datasets and add encrypted swap
2024-12-16 16:58:07 +01:00


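# disko layout for host "fanny":
#   - sda (ssd): ESP + random-key encrypted swap + single-disk "zroot" pool
#   - sdb/sdc (hdd0/hdd1): two-way mirror "storage" pool
# Both pools carry a passphrase-encrypted parent dataset ("<pool>/encrypted");
# every mounted dataset lives underneath it.
#
# NOTE(review): the disks are addressed as /dev/sdX. Those names are assigned
# at boot and may shift when a drive is added, removed or enumerated in a
# different order, and disko will wipe whatever the name resolves to.
# /dev/disk/by-id/... paths would be safer; the stable ids are not known from
# this file, so the names are left as they are.
{
  disko.devices = {
    disk = {
      ssd = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1024M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                # The ESP is the only unencrypted filesystem on the machine;
                # umask=0077 keeps its contents readable by root only.
                mountOptions = [ "umask=0077" ];
              };
            };
            encryptedSwap = {
              size = "8G"; # set to 100M when running the disko tests
              content = {
                type = "swap";
                # Swap is encrypted with a key generated at boot, so nothing
                # paged out survives a reboot. NOTE(review): with a per-boot
                # random key a hibernation image presumably cannot be resumed
                # — confirm this matches the intended use of the host.
                randomEncryption = true;
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
      hdd0 = {
        type = "disk";
        device = "/dev/sdb";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
      hdd1 = {
        type = "disk";
        device = "/dev/sdc";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        # Single vdev (only the ssd partition feeds this pool): no redundancy.
        mode = "";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        rootFsOptions = {
          # The pool root itself is never mounted; only datasets below
          # "encrypted" get a mountpoint.
          mountpoint = "none";
          compression = "zstd";
          "com.sun:auto-snapshot" = "false";
        };
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # Installer-time only: disko reads the passphrase from this file
              # while it creates the dataset. It must exist on the live system
              # running disko and should be removed afterwards; /tmp is
              # shared, so create it with restrictive permissions.
              keylocation = "file:///tmp/root.key";
            };
            # Switch the dataset to an interactive prompt right after creation
            # so the installed system never looks for /tmp/root.key.
            # The dataset is named explicitly rather than via a hook variable
            # so the target does not depend on disko's hook environment.
            # NOTE(review): the initrd still has to be told to ask for the key
            # (e.g. boot.zfs.requestEncryptionCredentials) — that is not
            # configured in this file, verify it is set elsewhere.
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/encrypted";
            '';
          };
          "encrypted/root" = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "encrypted/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
          "encrypted/etc" = {
            type = "zfs_fs";
            mountpoint = "/etc";
          };
          "encrypted/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
          };
          "encrypted/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
        };
      };
      storage = {
        type = "zpool";
        # Two-way mirror over hdd0 and hdd1.
        mode = "mirror";
        rootFsOptions = { mountpoint = "none"; };
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              # Installer-time only, same handling as /tmp/root.key above.
              keylocation = "file:///tmp/storage.key";
            };
            # Fix: this hook previously targeted "zroot/$name", i.e. the
            # other pool, so storage/encrypted kept keylocation pointing at
            # /tmp/storage.key. At boot the key file does not exist, the key
            # cannot be loaded and /data never mounts. The hook must act on
            # the dataset it was attached to.
            postCreateHook = ''
              zfs set keylocation="prompt" "storage/encrypted";
            '';
          };
          "encrypted/data" = {
            type = "zfs_fs";
            mountpoint = "/data";
          };
        };
      };
    };
  };
}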