From b9c99485aa0c6fb4021cbb4a7556b832ac6d8c65 Mon Sep 17 00:00:00 2001
From: Felix Uhl
Date: Tue, 1 Oct 2024 17:12:57 +0200
Subject: [PATCH] Fix and comment luks-encrypted btrfs raid example
---
 example/luks-btrfs-raid.nix | 90 ++++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 32 deletions(-)
diff --git a/example/luks-btrfs-raid.nix b/example/luks-btrfs-raid.nix
index cbcce8e1..13ac1970 100644
--- a/example/luks-btrfs-raid.nix
+++ b/example/luks-btrfs-raid.nix
@@ -1,49 +1,75 @@ { disko.devices = { disk = { - disk0 = { + # Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids + # when all devices are present. So we define an "empty" luks device on the first disk, + # and the actual btrfs raid on the second disk, and the name of these entries matters! + disk1 = { type = "disk"; - device = "/dev/sdb"; - content = { - type = "gpt"; - partitions = { - crypted2 = { - name = "crypt_raidp2"; - size = "100%"; - content = { + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + crypt_p1 = { + size = "100%"; + content = { type = "luks"; - name = "raidp2"; # this is DM name - }; - }; - }; - }; + name = "p1"; # device-mapper name when decrypted + # Remove settings.keyFile if you want to use interactive password entry + settings = { + allowDiscards = true; + keyFile = "/tmp/secret.key"; + }; + }; + }; + }; + }; }; - disk1 = { + disk2 = { type = "disk"; - device = "/dev/sda"; + device = "/dev/sdb"; content = { type = "gpt"; partitions = { - crypted1 = { + crypt_p2 = { size = "100%"; - name = "crypt_raidp1"; content = { type = "luks"; - name = "raidp1"; - content = { - type = "btrfs"; - extraArgs = [ "-f" "-m raid1 -d raid1" "/dev/mapper/raidp2"]; # raidp2 - DM name of 2nd disk + name = "p2"; + # Remove settings.keyFile if you want to use interactive password entry + settings = { + allowDiscards = true; + keyFile = "/tmp/secret.key"; # Same key for both devices + }; + content = { + type = "btrfs"; + extraArgs = [ + "-d raid1" + "/dev/mapper/p1" # Use decrypted mapped device, same name as defined in disk1 + ]; subvolumes = { - "/" = { - mountpoint = "/mnt/SoftWare"; - mountOptions = [ - "rw" "relatime" "ssd" "discard=async" "space_cache=v2" "subvolid=5" "subvol=/" - ]; - }; - }; - }; - }; - }; + "/root" = { + 
mountpoint = "/"; + mountOptions = [ + "rw" + "relatime" + "ssd" + ]; + }; + }; + }; + }; + }; }; }; };
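Review bot: Both new `settings` blocks (under `crypt_p1` on disk1 and `crypt_p2` on disk2) set `allowDiscards = true` with no comment on the trade-off. Passing TRIM through dm-crypt lets anyone who can read the raw disks see which blocks are unused, and an example like this tends to be copied verbatim. I would add a comment on that line, for instance `# allowDiscards passes TRIM through LUKS and reveals which blocks are free; remove it if that matters for your threat model`. The same blocks point `keyFile` at `/tmp/secret.key` and reuse it for both devices, so a second comment such as `# create this file with mode 0600; anyone who can read it can unlock both disks` would make the handling requirement explicit. It also looks as if `settings` is carried into the installed system's initrd configuration, where `/tmp/secret.key` would not exist at boot; please confirm, and if so say next to the "Remove settings.keyFile" comment that the path is install-time only.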