@luishfonseca
Created April 7, 2024 21:19
Disko
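# nix run --experimental-features "nix-command flakes" github:nix-community/disko -- --mode disko --flake ./nixos#zfs-boot
# nixos-install --no-root-password --flake ./nixos#zfs-boot
#
# Disko layout: two GPT disks (/dev/vda, /dev/vdb), each with a 64M ESP, a 4G
# partition that joins the mirrored ZFS pool "zsystem", and a reserved
# remainder (type 8301). The pool carries two small LUKS-encrypted zvols
# (keybox: ZFS key + recovery keys, sshbox: SSH host keys) and a natively
# encrypted dataset "crypt" whose key is read from inside keybox.
#
# Key material is generated into /tmp by the shared generateKeys hook and
# copied into /keybox; the hooks never remove the /tmp copies, so they stay
# around for as long as the installer environment keeps /tmp.
{...}: {
  disko.devices = {
    disk = {
      system0 = {
        type = "disk";
        device = "/dev/vda";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "64M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                # The ESP is unencrypted; keep it readable by root only.
                mountOptions = ["umask=0077"];
              };
            };
            zfs = {
              size = "4G";
              content = {
                type = "zfs";
                pool = "zsystem";
              };
            };
            reserved = {
              size = "100%";
              type = "8301";
            };
          };
        };
      };
      system1 = {
        type = "disk";
        device = "/dev/vdb";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "64M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                # Second ESP: formatted like the first but no mountpoint is set
                # here, so this config does not mount it.
                mountOptions = ["umask=0077"];
              };
            };
            zfs = {
              size = "4G";
              content = {
                type = "zfs";
                pool = "zsystem";
              };
            };
            reserved = {
              size = "100%";
              type = "8301";
            };
          };
        };
      };
    };
    zpool = let
      # Shell snippet shared by every preCreateHook below. genkey is
      # idempotent (an existing file is left untouched), so running it from
      # several hooks is safe. Each key is 32 bytes from /dev/random rendered
      # as 64 hex characters, which is what keyformat=hex needs for
      # aes-256-gcm. The file is created under umask 077 so it is never
      # group/world-readable between the redirect and the chmod, and the
      # tr character class is quoted so the shell cannot glob-expand it
      # against files in the current directory.
      generateKeys = ''
        genkey() {
          if [ -e "$1" ]; then
            return
          fi
          (umask 077; od -Anone -x -N 32 /dev/random | tr -d '[:blank:]' | tr -d '\n' > "$1")
          chmod 600 "$1"
        }
        genkey /tmp/zfs.key
        genkey /tmp/keybox_recovery.key
        genkey /tmp/sshbox_recovery.key
      '';
    in {
      zsystem = {
        mode = "mirror";
        rootFsOptions = {
          mountpoint = "none";
          compression = "zstd";
          "com.sun:auto-snapshot" = "false";
        };
        datasets = {
          # LUKS zvol holding the ZFS dataset key and all recovery keys.
          # Its LUKS passphrase is the generated keybox_recovery.key; after
          # creation a TPM2 slot with PIN is enrolled as well.
          keybox = {
            type = "zfs_volume";
            size = "20M";
            content = {
              name = "keybox";
              type = "luks";
              passwordFile = "/tmp/keybox_recovery.key";
              content = {
                type = "filesystem";
                format = "ext4";
              };
              preCreateHook = generateKeys;
              postCreateHook = ''
                mkdir -p /keybox
                mount /dev/mapper/keybox /keybox
                cp /tmp/zfs.key /keybox
                cp /tmp/keybox_recovery.key /keybox
                cp /tmp/sshbox_recovery.key /keybox
                # Five %s for the five arguments; with only four, printf
                # re-applied the format and the backup warning came out on
                # a second pass padded with empty lines.
                printf '\e[1;33m%s\n%s\n%s\n%s\n%s\n\e[0m' \
                  "The following key files were created:" \
                  " - /keybox/zfs.key" \
                  " - /keybox/keybox_recovery.key" \
                  " - /keybox/sshbox_recovery.key" \
                  "Make sure to BACKUP the keys!!!"
                # --tpm2-pcrs= (empty) binds to no PCRs: the PIN is the only
                # thing gating the TPM unlock. The recovery key file remains a
                # valid, independent unlock path.
                systemd-cryptenroll /dev/zvol/zsystem/keybox --unlock-key-file=/keybox/keybox_recovery.key --tpm2-device=auto --tpm2-with-pin=yes --tpm2-pcrs=
              '';
            };
          };
          # LUKS zvol for the SSH host keys. The TPM2 enrollment uses no PIN
          # and no PCR binding, so the TPM of this machine releases the unlock
          # key on any boot of this machine: the host keys are protected against
          # the disks being read elsewhere, not against someone booting this
          # box. Presumably chosen for unattended unlock — confirm this matches
          # the intended threat model.
          sshbox = {
            type = "zfs_volume";
            size = "20M";
            content = {
              name = "sshbox";
              type = "luks";
              passwordFile = "/tmp/sshbox_recovery.key";
              content = {
                type = "filesystem";
                format = "ext4";
              };
              preCreateHook = generateKeys;
              postCreateHook = ''
                mkdir -p /sshbox
                mount /dev/mapper/sshbox /sshbox
                ssh-keygen -f /sshbox/ssh_host_ed25519_key -N "" -t ed25519
                ssh-keygen -f /sshbox/ssh_host_rsa_key -N "" -t rsa
                systemd-cryptenroll /dev/zvol/zsystem/sshbox --unlock-key-file=/tmp/sshbox_recovery.key --tpm2-device=auto --tpm2-with-pin=no --tpm2-pcrs=
              '';
            };
          };
          # Natively encrypted parent of everything under zsystem/crypt. During
          # install the key is read from /tmp; afterwards keylocation is pointed
          # at the copy inside keybox, so keybox must be unlocked and mounted
          # before this dataset's key can be loaded.
          crypt = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "hex";
              keylocation = "file:///tmp/zfs.key";
            };
            preCreateHook = generateKeys;
            postCreateHook = ''
              zfs set keylocation="file:///keybox/zfs.key" "zsystem/$name";
            '';
          };
          "crypt/root" = {
            type = "zfs_fs";
            mountpoint = "/";
            # Snapshot the freshly created, empty root so it can be rolled
            # back to a blank state later.
            postCreateHook = ''
              zfs snapshot zsystem/crypt/root@blank
            '';
          };
        };
      };
    };
  };
}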