diff options
Diffstat (limited to 'hardware/chromebook/disks.nix')
| -rw-r--r-- | hardware/chromebook/disks.nix | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/hardware/chromebook/disks.nix b/hardware/chromebook/disks.nix new file mode 100644 index 0000000..ad0e014 --- /dev/null +++ b/hardware/chromebook/disks.nix @@ -0,0 +1,152 @@ +{ inputs, lib, config, pkgs, ... }: +let + MMC = "/dev/disk/by-id/mmc-AGND3R_0x48d44fdc"; + SD = "/dev/disk/by-id/usb-Generic_STORAGE_DEVICE_000000000208-0:0"; + + partitionsCreateScript = '' + parted -s "${MMC}" mklabel gpt + parted -s "${MMC}" mkpart "efi" fat32 1024KiB 64M + parted -s "${MMC}" set 1 esp on + parted -s -a optimal "${MMC}" mkpart "boot" 64M 264M + parted -s -a optimal "${MMC}" mkpart "nix" 264M 100% + + parted -s "${SD}" mklabel gpt + parted -s -a optimal "${SD}" mkpart "home_and_persist" 1024KiB 100% + + udevadm trigger --subsystem-match=block; udevadm settle + ''; + partitionsFormatScript = '' + mkfs.vfat "${MMC}"-part1 + cryptsetup -q luksFormat "${MMC}"-part2 --type luks1 + cryptsetup open --type luks "${MMC}"-part2 encrypted_boot + mkfs.ext4 /dev/mapper/encrypted_boot + cryptsetup close encrypted_boot + cryptsetup -q luksFormat "${MMC}"-part3 --type luks2 + cryptsetup open --type luks "${MMC}"-part3 encrypted_nix + mkfs.btrfs -f /dev/mapper/encrypted_nix + cryptsetup close encrypted_nix + + cryptsetup -q luksFormat "${SD}"-part1 --type luks2 + cryptsetup open --type luks "${SD}"-part1 encrypted_home_and_persist + pvcreate /dev/mapper/encrypted_home_and_persist + vgcreate encrypted_home_and_persist_pool /dev/mapper/encrypted_home_and_persist + lvcreate -L 4G -n persist encrypted_home_and_persist_pool + mkfs.btrfs -f /dev/mapper/encrypted_home_and_persist_pool-persist + lvcreate -l 100%FREE -n home encrypted_home_and_persist_pool + mkfs.btrfs -f /dev/mapper/encrypted_home_and_persist_pool-home + vgchange -a n encrypted_home_and_persist_pool + cryptsetup close encrypted_home_and_persist + ''; + partitionsMountScript = '' + mount -t tmpfs none /mnt + mkdir -p /mnt/{boot,nix,persist,home} + + cryptsetup open --type luks /dev/disk/by-partlabel/boot encrypted_boot + mount /dev/mapper/encrypted_boot /mnt/boot + mkdir -p /mnt/boot/efi + mount /dev/disk/by-partlabel/efi /mnt/boot/efi + cryptsetup open --type luks /dev/disk/by-partlabel/nix encrypted_nix + mount -o compress-force=zstd,noatime /dev/mapper/encrypted_nix /mnt/nix + cryptsetup open --type luks /dev/disk/by-partlabel/home_and_persist encrypted_home_and_persist + vgchange -ay encrypted_home_and_persist_pool + mount -o compress-force=zstd /dev/mapper/encrypted_home_and_persist_pool-home /mnt/home + mount -o compress-force=zstd,noatime /dev/mapper/encrypted_home_and_persist_pool-persist /mnt/persist + ''; +in +{ + config = { + + environment.persistence."/persist" = { + directories = [ + "/var/log" + "/var/lib" + ]; + files = [ + "/etc/machine-id" + "/etc/nix/id_rsa" + ]; + }; + + fileSystems."/" = { + device = "none"; + fsType = "tmpfs"; + }; + + boot.initrd.luks.devices."encrypted_boot" = { + device = "/dev/disk/by-partlabel/boot"; + preLVM = true; + }; + + fileSystems."/boot" = { + device = "/dev/mapper/encrypted_boot"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = { + device = "/dev/disk/by-partlabel/efi"; + fsType = "vfat"; + }; + + boot.initrd.luks.devices."encrypted_nix".device = "/dev/disk/by-partlabel/nix"; + + fileSystems."/nix" = { + device = "/dev/mapper/encrypted_nix"; + fsType = "btrfs"; + neededForBoot = true; + options = [ "compress-force=zstd" "noatime" ]; + }; + + boot.initrd.luks.devices."encrypted_home_and_persist".device = "/dev/disk/by-partlabel/home_and_persist"; + + fileSystems."/persist" = { + device = "/dev/mapper/encrypted_home_and_persist_pool-persist"; + fsType = "btrfs"; + neededForBoot = true; + options = [ "compress-force=zstd" "noatime" ]; + }; + + fileSystems."/home" = { + device = "/dev/mapper/encrypted_home_and_persist_pool-home"; + fsType = "btrfs"; + options = [ "compress-force=zstd" ]; + }; + + services.btrfs.autoScrub.enable = true; + + swapDevices = [ ]; + + zramSwap.enable = true; + + + environment.systemPackages = [ + config.disks-create + config.disks-format + config.disks-mount + ]; + }; + + options.disks-create = with lib; mkOption rec { + type = types.package; + default = with pkgs; symlinkJoin { + name = "disks-create"; + paths = [ (writeScriptBin default.name partitionsCreateScript) parted ]; + }; + }; + + options.disks-format = with lib; mkOption rec { + type = types.package; + default = with pkgs; symlinkJoin { + name = "disks-format"; + paths = [ (writeScriptBin default.name partitionsFormatScript) cryptsetup lvm2 dosfstools e2fsprogs btrfs-progs ]; + }; + }; + + options.disks-mount = with lib; mkOption rec { + type = types.package; + default = with pkgs; symlinkJoin { + name = "disks-mount"; + paths = [ (writeScriptBin default.name partitionsMountScript) cryptsetup lvm2 ]; + }; + }; + +} |