chore: enable luks encryption for anubis

desktops/anubis/boot.nix

@@ -16,19 +16,21 @@
         canTouchEfiVariables = true;
       };
 
-      systemd-boot = {
+      grub = {
         enable = true;
-        consoleMode = "2";
+        version = 2;
-        configurationLimit = 5;
+        device = "nodev";
-        editor = false;
+        efiSupport = true;
       };
     };
 
+    # kernelParams = [ "intel_pstate=no_hwp" ];
+
     kernelModules = [ ];
     extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
 
     initrd = {
-      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "acpi_call" ];
+      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "acpi_call" "cryptd" ];
       kernelModules = [ "dm-snapshot" ];
     };
   };

desktops/anubis/filesystems.nix

@@ -1,6 +1,21 @@
 { config, lib, pkgs, ... }:
 
 {
+  boot = {
+    initrd = {
+      luks = {
+        devices = {
+          luks = {
+            name = "luks";
+            device = "/dev/disk/by-partlabel/system";
+            preLVM = true;
+            allowDiscards = true;
+          };
+        };
+      };
+    };
+  };
+
   swapDevices = [{
     device = "/dev/disk/by-label/swap";
   }];

desktops/anubis/partitions.sh

@@ -61,11 +61,17 @@ echo "-----> Wait for partitions"
 sleep 3
 sync
 
+echo "-----> Format encrypted container"
+cryptsetup luksFormat /dev/disk/by-partlabel/system
+
+echo "-----> Open encrypted container"
+cryptsetup luksOpen /dev/disk/by-partlabel/system crypted
+
 echo "-----> Create data pv"
-pvcreate /dev/disk/by-partlabel/system
+pvcreate /dev/mapper/crypted
 
 echo "-----> Create data vg"
-vgcreate system /dev/disk/by-partlabel/system
+vgcreate system /dev/mapper/crypted
 
 echo "-----> Create swap volume"
 lvcreate -y --size $(cat /proc/meminfo | grep MemTotal | cut -d':' -f2 | sed 's/ //g') --name swap system