From c854f7145c47bd63408f2c2beb492f67f440f596 Mon Sep 17 00:00:00 2001
From: Thomas Boerger
Date: Tue, 22 Nov 2022 20:59:46 +0100
Subject: [PATCH] chore: enable luks encryption for anubis
---
desktops/anubis/boot.nix | 12 +++++++-----
desktops/anubis/filesystems.nix | 15 +++++++++++++++
desktops/anubis/partitions.sh | 10 ++++++++--
3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/desktops/anubis/boot.nix b/desktops/anubis/boot.nix
index 4445b3c..528acea 100644
--- a/desktops/anubis/boot.nix
+++ b/desktops/anubis/boot.nix
@@ -16,19 +16,21 @@
canTouchEfiVariables = true;
};
- systemd-boot = {
+ grub = {
enable = true;
- consoleMode = "2";
- configurationLimit = 5;
- editor = false;
+ version = 2;
+ device = "nodev";
+ efiSupport = true;
};
};
+ # kernelParams = [ "intel_pstate=no_hwp" ];
+
kernelModules = [ ];
extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
initrd = {
- availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "acpi_call" ];
+ availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "acpi_call" "cryptd" ];
kernelModules = [ "dm-snapshot" ];
};
};
diff --git a/desktops/anubis/filesystems.nix b/desktops/anubis/filesystems.nix
index 97ea542..36497f0 100644
--- a/desktops/anubis/filesystems.nix
+++ b/desktops/anubis/filesystems.nix
@@ -1,6 +1,21 @@
{ config, lib, pkgs, ... }:
{
+ boot = {
+ initrd = {
+ luks = {
+ devices = {
+ luks = {
+ name = "luks";
+ device = "/dev/disk/by-partlabel/system";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+ };
+ };
+ };
+
swapDevices = [{
device = "/dev/disk/by-label/swap";
}];
diff --git a/desktops/anubis/partitions.sh b/desktops/anubis/partitions.sh
index f495638..c54f5f7 100755
--- a/desktops/anubis/partitions.sh
+++ b/desktops/anubis/partitions.sh
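Review bot: The switch to `grub = { ... }` drops systemd-boot's `editor = false;` without a GRUB equivalent, so anyone at the console can press `e`/`c` to edit the kernel command line or drop to a GRUB shell, while the kernel and initrd that unlock the new LUKS container still live on the unencrypted ESP. NixOS can lock the menu with a GRUB superuser, e.g. `users.root.hashedPasswordFile = "/etc/nixos/grub-root.hash";` inside the `grub` block, with the hash produced by `grub-mkpasswd-pbkdf2` and kept out of the repository. The explicit `"cryptd"` in `availableKernelModules` is harmless, but NixOS's luks module already adds `cryptd` and `dm_crypt` to the initrd once `boot.initrd.luks.devices` is set, so it is probably redundant. The commented-out `# kernelParams = [ "intel_pstate=no_hwp" ];` is dead configuration; drop it or add a word on why it is kept. The enclosing `boot` attribute set starts and ends outside the hunk.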
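Review bot: `allowDiscards = true;` forwards TRIM through the LUKS layer, so the free-space map of `system` (and hints about the filesystem and LVM layout) becomes readable from the raw disk; if that is an accepted trade for SSD wear it should say so next to the option, e.g. `# TRIM leaks free-space layout through the encryption; accepted for SSD health`, otherwise set it to `false`. `name = "luks";` and `preLVM = true;` both restate NixOS defaults (the attribute name and `true`) and can be removed. The mapper name `luks` here differs from the `crypted` name used by `cryptsetup luksOpen` in partitions.sh; presumably harmless because LVM finds the PV by signature, but aligning the two avoids confusion during recovery. `device = "/dev/disk/by-partlabel/system";` is stable only while that GPT label stays unique across attached disks; pointing at `/dev/disk/by-uuid/<luks-uuid>` is more robust once the container exists. The enclosing module attribute set continues outside the hunk.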
@@ -61,11 +61,17 @@ echo "-----> Wait for partitions"
sleep 3
sync
+echo "-----> Format encrypted container"
+cryptsetup luksFormat /dev/disk/by-partlabel/system
+
+echo "-----> Open encrypted container"
+cryptsetup luksOpen /dev/disk/by-partlabel/system crypted
+
echo "-----> Create data pv"
-pvcreate /dev/disk/by-partlabel/system
+pvcreate /dev/mapper/crypted
echo "-----> Create data vg"
-vgcreate system /dev/disk/by-partlabel/system
+vgcreate system /dev/mapper/crypted
echo "-----> Create swap volume"
lvcreate -y --size $(cat /proc/meminfo | grep MemTotal | cut -d':' -f2 | sed 's/ //g') --name swap system
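Review bot: `cryptsetup luksFormat /dev/disk/by-partlabel/system` leaves the header version, cipher and KDF to whatever cryptsetup ships on the install medium, so two installs can produce different on-disk formats and nothing in the repo pins them; spell them out, e.g. `cryptsetup luksFormat --type luks2 --pbkdf argon2id --verify-passphrase /dev/disk/by-partlabel/system`. Since the initrd rather than GRUB opens the container (per the filesystems.nix change), argon2id is fine as long as /boot stays on the unencrypted ESP, which this diff suggests but does not show. `luksFormat` prompts for a YES confirmation and destroys the partition; if this script is ever run non-interactively it needs `--batch-mode` behind an explicit guard rather than a bare call. The container opened as `crypted` is not closed in this hunk, so the end of the script (outside the hunk) should `vgchange -an system && cryptsetup luksClose crypted`, or the next run fails on a busy device. The shebang and any `set -e` are also outside the hunk; without `set -e`, a failed `luksOpen` lets `pvcreate /dev/mapper/crypted` and every later step run against a missing device.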