Q: Setup with encrypted nix-store+swap, unencrypted boot and impermenance?

[Kreyren]

I figured out this configuration, but i feel like i don't know what am I doing..

{ ... }:

# Nix-based Disk Management of SINNENFREUDE with disko and impermenance on tmpfs

###! * Should have 4096 sectors of unallocated space before the first partition
###! * The partition following should be an **UN**ENCRYPTED bootable /boot partition with FAT32 filesystem of size 512M
###! * The next partiion is expected to be the ENCRYPTED nix-store mounted on /nix with size of -100GB from the end of SSD
###! * Last partition should be an ENCRYPTED SWAP (filesystem not file) with size 100% of the remaining and set up as resume device from hibernation
###! * Impermenance requires to declare the following:
###! ```nix
###! fileSystems = {
###! 	"/" = {
###! 		device = "none";
###! 		fsType = "tmpfs";
###! 		options = [ "size=3G" "mode=755" ];
###! 	};
###! 	"/home/raptor" = {
###! 		device = "none";
###! 		fsType = "tmpfs";
###! 		options = [ "size=4G" "mode=777" ];
###! 	};
###! };

# FIXME(Krey): Should use a keyFile from a flash disk to decrypt

{
	# Taken from previous setup
	boot.initrd.luks.devices."luks-f5e6fd45-31bb-453a-9066-c8cc92b7eab0".device = "/dev/disk/by-uuid/f5e6fd45-31bb-453a-9066-c8cc92b7eab0"; # Rootfs
	boot.initrd.luks.devices."luks-452ab52a-080e-40c0-83ed-a7c9363a4ef7".device = "/dev/disk/by-uuid/452ab52a-080e-40c0-83ed-a7c9363a4ef7"; # SWAP

	disko.devices = {
		disk = {
			system = {
				# FIXME-SECURITY()
				device = "/dev/disk/by-id/ata-CT500MX500SSD1_21052CD42FFF"; # SSD
				type = "disk";
				content = {
					type = "gpt";
					partitions = {
						# NOTE(Krey): Do NOT encrypt
						ESP = {
							type = "EF00"; # EFI System Partition
							size = "512M"; # 1024M = 1G -> This is one half
							content = {
								type = "filesystem";
								format = "vfat"; # FAT32
								mountpoint = "/boot";
							};
						};
						# FIXME(Krey): Encrypt this with known passphrase
						nix-store = {
							# type = "???"; # Set for purity?
							size = "-100G";
							content = {
								type = "filesystem";
								format = "btrfs";
								mountpoint = "/nix";
								#mountOptions = [ "subvol=@" ]; # Do we need this?
							};
						};
						# FIXME(Krey): This swap has to be encrypted, randomEncryption doesn't work with hibernation as you won't be able to decrypt it during bootloader phase unless you can guess the random passphrase
						# NOTE(Krey): The passphrase should be the same as the one for nix-store atm
						swap = {
							# type = "???"; # Set for purity?
							size = "100%";
							content = {
								type = "swap";
								resumeDevice = true; # resume from hiberation from this device
							};
						};
						# Impermanance stuff
						rootfs = {
							fsType = "tmpfs";
							mountOptions = [ "size=3G" "mode=755" ];
						};
						"/home/raptor" = {
							fsType = "tmpfs";
							mountOptions = [ "size=4G" "mode=777" ];
						};
					};
				};
			};
		};
	};

	# Impermanence
	environment.persistence."/nix/persist/system" = {
		hideMounts = true; # For added security and less clutter in the system
		directories = [
			"/var/log" # Logs
			"/var/lib/bluetooth" # Keep bluetooth configs
			"/var/lib/nixos" # Nix stuff? Dunno why
			"/var/lib/systemd/coredump" # Dunno
			"/etc/NetworkManager/system-connections" # WiFi configs
			{ directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; } # No idea
		];
		files = [
			"/etc/machine-id" # To avoid confusing systemd
			{ file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=,o="; }; } # No idea

			# To make SSH connections consistent without having to refresh known_hosts
			"/etc/ssh/ssh_host_ed25519_key"
			"/etc/ssh/ssh_host_ed25519_key.pub"
		];
		# FIXME(Krey): Move this in user declaration?
		# FIXME-SECURITY(Krey): Username is confidential, using placeholder atm
		users.raptor = {
			directories = [
				# FIXME(Krey): This is projected to be deprecated as home-manager will be part of our nix-config
				".config/home-manager"
			];
			# files = [
			# 	".screenrc"
			# ];
		};
	};
}

See the ###! for intent, i am not sure how to declare the encryption as the projected usecase is to boot into a recovery that automatically applies the nixos configuration on the disk and reboots for like this "absolute" purity where the whole system gets wiped and OS re-installed.

[Kreyren]

and i guess using the table declaration (https://github.com/nix-community/disko/blob/master/example/legacy-table.nix) would be more manageable as it can declare exactly on which sector to have what compared to the current that sets size = "512M" ?

[Lassulus]

whats the error? the legacy table is deprecated and lacks a lot of features. gpt table can also set start and end instead of size, size is just an alias for end = "+${size}"

[Kreyren]

whats the error? the legacy table is deprecated and lacks a lot of features. gpt table can also set start and end instead of size, size is just an alias for end = "+${size}" -- @Lassulus (#490 (comment))

I didn't try to run it yet, because i felt like i didn't know what i was doing and am unsure how to set it up so that it does encryption in a sane way with disko tbh

gpt table can also set start and end instead of size, size is just an alias for end = "+${size}"

Can that be declared in sectors? expected is sector size of 1 * 512 = 512 bytes

• 0-4090 = BIOS
• 4096 - 1052671 (1048576) = /boot (EFI FAT32)
• -100G = nix-store (btrfs encrypted with known passphrase)
• 100% = swap (encrypted with known passphrase)

I feel like i get more control over the partitioning by using sectors, but unsure

[Lassulus]

yeah the start, stop and size parameters of gpt also support sectors. just specify them without a suffix. Weil if you want to specify the password interactively just don't specify a keyFile/passwordFIle and you should be asked interactively. Best way to figure out problems is to try it out

[iFreilicht]

@Kreyren is this still relevant or can I close it?