48 lines
1.9 KiB
Nix
48 lines
1.9 KiB
Nix
{ pkgs, ... }:{
|
|
boot = {
|
|
kernelPackages = pkgs.linuxPackages_latest;
|
|
supportedFilesystems = [ "btrfs" ];
|
|
|
|
initrd = {
|
|
kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"];
|
|
# Mount USB key before trying to decrypt root filesystem
|
|
# postDeviceCommands = pkgs.lib.mkBefore ''
|
|
# mkdir -m 0755 -p /key
|
|
# sleep 2 # To make sure the usb key has been loaded
|
|
# mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
|
|
# '';
|
|
### ----> Instead use systemd mount unit
|
|
systemd = {
|
|
enable = true; # tpm2 unlock requires systemd initrd
|
|
mounts = [{
|
|
what = "";
|
|
where = "/key";
|
|
type = "btrfs";
|
|
}];
|
|
};
|
|
luks.devices."crypted" = {
|
|
bypassWorkqueues = true;
|
|
# ~~~> Define this in system configuration <~~~ search by uuid, partuuid, id, or other stable identification ~> lsblk, blkid or ls -l
|
|
# device = lib.mkDefault "/dev/disk/by-partuuid/5e65cc4c-eb35-4d62-8fcd-387d6a87c067";
|
|
|
|
# crypttabExtraOpts = [ "tpm2-device=auto" ]; # tpm2 unlock
|
|
preLVM = true;
|
|
allowDiscards = true;
|
|
|
|
# If using a USB or SD Card :
|
|
keyFileSize = 4096;
|
|
keyFile = "/key/hdd.key";
|
|
|
|
# Use this if you want to fallback to the encryption password when the drive can't be found. HIGHLY RECCOMENDED!!!!
|
|
fallbackToPassword = true;
|
|
|
|
};
|
|
};
|
|
resumeDevice = "/dev/nvme0n1"; # should be pointing to disk/dev where swap resides, for some reason my disk does not have uuid
|
|
kernelParams = [
|
|
# hibernation
|
|
"resume_offset=533760"
|
|
];
|
|
};
|
|
}
|