author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2022-08-21 01:32:03 +0200 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2022-08-21 01:32:03 +0200 |
commit | 51d45c51e1bcbebb511980f6f4870b9035d447b2 (patch) | |
tree | 9620b875b75077b5aba3a3a755c00eab783f2b6d /hosts | |
parent | Set non persistance as the default (diff) | |
VM: Encrypt filesystem
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/vm/hardware.nix | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/hosts/vm/hardware.nix b/hosts/vm/hardware.nix
index 393afa5..facdb18 100644
--- a/hosts/vm/hardware.nix
+++ b/hosts/vm/hardware.nix
@@ -13,14 +13,42 @@
 kernelParams = [ "net.ifnames=0" "biosdevname=0" "mitigations=off" ];
 };
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ };
+
+ boot.initrd.luks.devices."encrypted_boot".device = "/dev/disk/by-partlabel/boot";
+
 fileSystems."/boot" = {
- device = "/dev/disk/by-label/boot";
+ device = "/dev/mapper/encrypted_boot";
 fsType = "vfat";
 };
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-partlabel/efi";
+ fsType = "vfat";
+ };
+
+ boot.initrd.luks.devices."encrypted_root".device = "/dev/disk/by-partlabel/root";
+
+ fileSystems."/nix" = {
+ device = "/dev/mapper/encrypted_root";
+ fsType = "btrfs";
+ options = [ "subvol=nix" "compress-force=zstd" "noatime" ];
+ };
+
+ fileSystems."/persist" = {
+ device = "/dev/mapper/encrypted_root";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "subvol=persist" "compress-force=zstd" "noatime" ];
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/mapper/encrypted_root";
+ fsType = "btrfs";
+ options = [ "subvol=home" "compress-force=zstd" ];
 };
 swapDevices = [ ];
@@ -38,4 +66,5 @@
 };
 virtualisation.virtualbox.guest.enable = true;
+
 } |
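Review bot: The new tmpfs root in `fileSystems."/"` sets no mount options, so it takes the tmpfs default mode of 1777 and leaves `/` world-writable; add `options = [ "defaults" "mode=755" ];`, plus a `size=` cap if the default of half of RAM is not what you want. Separately, `encrypted_boot` is opened through `boot.initrd.luks.devices`, but the kernel and initrd normally live on `/boot`, so the bootloader itself has to be able to unlock that container before the initrd runs. The bootloader settings are outside this hunk, so confirm they cover it (for GRUB, `boot.loader.grub.enableCryptodisk = true;`). It would also help to add a short comment above the two `luks.devices` lines stating which partition labels the installer must create, since the switch from `by-label` to `by-partlabel` changes what the disk layout has to provide.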