surtur
10243fe4eb
meaning reencrypt shared secrets to the new key... also, make use of nixos-hardware's module for t14
163 lines
4.4 KiB
Nix
163 lines
4.4 KiB
Nix
{
|
|
config,
|
|
disks ? ["/dev/nvme0n1"],
|
|
lib,
|
|
...
|
|
}: {
|
|
disko.devices = {
|
|
disk = {
|
|
nvme0n1 = {
|
|
type = "disk";
|
|
device = "/dev/nvme0n1";
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
ESP = {
|
|
type = "EF00";
|
|
size = "1G";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
};
|
|
};
|
|
zfs = {
|
|
size = "100%";
|
|
content = {
|
|
type = "zfs";
|
|
pool = "zroot";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
zpool = {
|
|
zroot = {
|
|
type = "zpool";
|
|
mode = ""; # == single disk
|
|
options = {
|
|
ashift = "12";
|
|
autotrim = "on";
|
|
};
|
|
rootFsOptions = {
|
|
encryption = "aes-256-gcm";
|
|
keyformat = "passphrase";
|
|
keylocation = "file:///root/.zfs-zroot-pool.key";
|
|
#postCreateHook = ''
|
|
# "zfs change-key -o keylocation=prompt zroot/$name"
|
|
#'';
|
|
checksum = "sha512";
|
|
atime = "off";
|
|
compression = "zstd";
|
|
"com.sun:auto-snapshot" = "false";
|
|
};
|
|
mountpoint = null;
|
|
postCreateHook = "zfs snapshot zroot@blank";
|
|
|
|
datasets = {
|
|
# can be rebuilt.
|
|
local = {
|
|
type = "zfs_fs";
|
|
mountpoint = null;
|
|
options."com.sun:auto-snapshot" = "false";
|
|
};
|
|
"local/nix" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/nix";
|
|
};
|
|
"system" = {
|
|
type = "zfs_fs";
|
|
mountpoint = null;
|
|
options = {
|
|
"com.sun:auto-snapshot" = "false";
|
|
};
|
|
};
|
|
# system root.
|
|
"system/nixos" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"system/nixos/var" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/var";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"system/nixos/var/log" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/var/log";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"system/nixos/var/cache" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/var/cache";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"system/nixos/var/containers-storage" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/var/lib/containers/storage";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "false";
|
|
acltype = "posixacl";
|
|
};
|
|
};
|
|
# frequently snapshot and backed up data.
|
|
userdata = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/DATA";
|
|
options = {
|
|
# encryption = "aes-256-gcm";
|
|
# keyformat = "passphrase";
|
|
# keylocation = "file:///root/.zfs-DATA.key";
|
|
"com.sun:auto-snapshot" = "false";
|
|
};
|
|
};
|
|
"userdata/home" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/DATA/home";
|
|
options = {
|
|
# encryption = "aes-256-gcm";
|
|
# keyformat = "passphrase";
|
|
# keylocation = "file:///root/.zfs-DATA-home.key";
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"userdata/home/root" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/root";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"userdata/home/root-cache" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/root/.cache";
|
|
options."com.sun:auto-snapshot" = "false";
|
|
};
|
|
"userdata/home/root-config" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/root/.config";
|
|
options = {
|
|
"com.sun:auto-snapshot" = "true";
|
|
};
|
|
};
|
|
"userdata/services" = {
|
|
type = "zfs_fs";
|
|
mountpoint = "/DATA/services";
|
|
options."com.sun:auto-snapshot" = "false";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|