{ lib, ... }:

{
  # Stage-1 (initrd) configuration. Both the LUKS physical volume holding the
  # root PV and the natively-encrypted ZFS dataset are unlocked unattended via
  # a Tang server, so the initrd brings up its own static network before any
  # disk is mounted.
  # NOTE(review): the options used below (boot.initrd.services.*, clevis,
  # boot.initrd.systemd.network) rely on the systemd-based initrd and on the
  # eno1 driver being present in stage 1; both are presumably configured in
  # another module — confirm.
  boot.initrd = {
    services.lvm.enable = true;

    luks.devices."nixos-pv" = {
      device = "/dev/disk/by-uuid/614787a6-784a-4932-b787-cb6424725444";
      preLVM = true;
      # Forwarding TRIM to the underlying disk exposes which blocks are unused
      # on an otherwise opaque container; accepted here for SSD wear levelling.
      allowDiscards = true;
    };

    clevis = {
      enable = true;
      useTang = true;
      devices = {
        # LUKS root PV, unlocked via Tang
        "nixos-pv".secretFile = ./nixos-pv.jwe;
        # ZFS native-encrypted dataset, unlocked via Tang
        "ZFS-primary/nix".secretFile = ./nix-store.jwe;
      };
      # The JWE files are copied into the Nix store and (presumably) the
      # initrd, so they are not confidential; Tang's design is that the blob
      # may be public and decryption requires the Tang server's private key.
      # Practical consequence: anyone holding a copy of these disks who can
      # also reach the Tang server from this network can unlock them. The
      # protection is against the disks leaving this network, not against a
      # party already present on it while Tang is up.
    };

    # Static networking so Tang is reachable before any disk is mounted.
    systemd.network = {
      enable = true;
      networks."10-initrd-eno1" = {
        matchConfig.Name = "eno1";
        address = [ "192.168.76.2/24" ];
        routes = [ { Gateway = "192.168.76.1"; } ];
        dns = [ "192.168.76.1" ];
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };

  fileSystems = {
    "/" = {
      options = [ "noatime" "nodiratime" ];
    };

    "/home" = {
      options = [ "noatime" "nodiratime" ];
    };

    # /boot is the unencrypted (FAT) partition that holds the kernel and the
    # initrd, which in turn embeds the initrd network config and, presumably,
    # the Clevis JWEs; fmask/dmask keep its contents from being world-readable.
    "/boot" = {
      options = [ "noatime" "nodiratime" "fmask=0077" "dmask=0077" ];
    };

    # /nix lives on the Tang-unlocked ZFS dataset; mount it only after root.
    "/nix" = {
      depends = [ "/" ];
    };
  };
}