luks migration, home migration fixes

2026-05-03 17:33:56 -04:00
parent 43c026c451
commit b4233b8f1c
6 changed files with 59 additions and 24 deletions
@@ -13,8 +13,18 @@
    useNetworkd = true;
  };

-  # Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
-  boot.useSystemdBoot = lib.mkForce false;
+  # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
+  # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
+  # After first install, enroll with:
+  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
+  boot = {
+    useSystemdBoot = lib.mkForce false;
+    loader.grub.enable = lib.mkOverride 0 false;
+    initrd = {
+      systemd.enable = true;
+      luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
+    };
+  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
@@ -6,16 +6,13 @@
        type = "disk";
        device = "/dev/mmcblk0";
        content = {
-          type = "table";
-          format = "mbr";
-          partitions = [
-            {
-              # Raspberry Pi firmware partition — must be vfat and first
-              name = "firmware";
-              type = "primary";
-              start = "1MiB";
-              end = "512MiB";
-              bootable = true;
+          type = "gpt";
+          partitions = {
+            # Raspberry Pi firmware partition — must be vfat and first
+            firmware = {
+              size = "256MiB";
+              type = "EF00";
+              priority = 1;
              content = {
                type = "filesystem";
                format = "vfat";
@@ -25,20 +22,33 @@
                  "dmask=0077"
                ];
              };
-            }
-            {
-              # Root filesystem
-              name = "root";
-              type = "primary";
-              start = "512MiB";
-              end = "100%";
+            };
+            # NixOS boot partition — holds kernels/initrds for each generation
+            boot = {
+              size = "1GiB";
+              priority = 2;
              content = {
                type = "filesystem";
                format = "ext4";
-                mountpoint = "/";
+                mountpoint = "/boot";
              };
-            }
-          ];
+            };
+            # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
+            root = {
+              size = "100%";
+              priority = 3;
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                settings.allowDiscards = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
        };
      };
    };