# Host disk/boot module: a LUKS-encrypted root PV and a ZFS native-encrypted
# dataset are both unlocked in the initrd through Clevis with Tang, which needs
# static networking before any disk is mounted; mount options follow.
# NOTE: `lib` is bound here but not referenced in this file.
{ lib, ... }:

{
  boot = {
    initrd = {
      # LVM must be available in the initrd (the LUKS container is a PV, see below).
      services.lvm.enable = true;

      luks.devices = {
        # Name presumably reflects an LVM physical volume inside the container (TODO confirm).
        "nixos-pv" = {
          device = "/dev/disk/by-uuid/614787a6-784a-4932-b787-cb6424725444";
          # Open the LUKS container before LVM activation so the PV is visible to it.
          preLVM = true;
          # Passes TRIM/discard through the LUKS layer. Known trade-off: the pattern
          # of used vs. unused blocks becomes observable on the raw device.
          allowDiscards = true;
        };
      };

      # Network-bound disk unlock. The Tang URL and advertisement key live in the
      # .jwe files referenced below, not in this module. Defender note: unlock
      # succeeds whenever Tang is reachable from this network position, so this
      # protects against offline disk theft rather than against an attacker who can
      # boot the machine on this LAN — review whether an additional pin is wanted.
      clevis = {
        enable = true;
        useTang = true;
        devices = {
          # Unlock LUKS root device via Tang
          "nixos-pv".secretFile = ./nixos-pv.jwe;

          # Unlock ZFS native-encrypted dataset via Tang
          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
        };
      };

      # Static networking needed in initrd so Tang is reachable before any disk mounts
      systemd.network = {
        enable = true;
        networks."10-initrd-eno1" = {
          matchConfig.Name = "eno1";
          address = [ "192.168.76.2/24" ];
          # Gateway and resolver are the same host on this subnet.
          routes = [ { Gateway = "192.168.76.1"; } ];
          dns = [ "192.168.76.1" ];
          # Only count the link as online once a route exists, so the Tang
          # request is not attempted on a half-configured interface.
          linkConfig.RequiredForOnline = "routable";
        };
      };
    };
  };

  fileSystems = {
    "/".options = [
      "noatime"
      "nodiratime"
    ];

    "/home".options = [
      "noatime"
      "nodiratime"
    ];

    # ESP: fmask/dmask 0077 keep kernels and initrd images (which embed the .jwe
    # files and whatever else the initrd carries) from being world-readable.
    "/boot".options = [
      "noatime"
      "nodiratime"
      "fmask=0077"
      "dmask=0077"
    ];

    # Mount ordering only: /nix is mounted after / is available.
    "/nix".depends = [ "/" ];
  };
}