nixfiles/presets/nixos/server-encrypted-drive.nix

{
  config,
  pkgs,
  ...
}: {
  config.boot = {
    loader.systemd-boot.enable = false;

    loader.grub = {
      enable = true;
      efiSupport = false;
      version = 2;
      enableCryptodisk = true;
      device = "/dev/sda";
    };

    initrd.availableKernelModules = [
      "nvme"
      "ahci"
      "xhci_pci"
      "virtio_pci"
      "sd_mod"
      "sr_mod" # For Storage
      "virtio_net" # For Hetzner VMs Networking

      # For Cryptography
      "aesni_intel"
      "cryptd"
    ];

    loader.supportsInitrdSecrets = true;
    initrd.luks.forceLuksSupportInInitrd = true;
    initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
        hostKeys = ["/ssh_host_ed25519_key"];
      };
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };

    initrd.secrets = {
      "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
    };

    initrd.luks.devices = {
      "nixos_unencrypted" = {
        device = "/dev/sda3";
        preLVM = false;
        allowDiscards = true;
      };
    };
  };

  config.fileSystems = {
    "/" = {
      device = "/dev/mapper/nixos_unencrypted";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/sda2";
      fsType = "vfat";
    };
  };
}
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}: {`
			`config.boot = {`
			`loader.systemd-boot.enable = false;`

			`loader.grub = {`
			`enable = true;`
			`efiSupport = false;`
			`version = 2;`
			`enableCryptodisk = true;`
			`device = "/dev/sda";`
			`};`

			`initrd.availableKernelModules = [`
			`"nvme"`
			`"ahci"`
			`"xhci_pci"`
			`"virtio_pci"`
			`"sd_mod"`
			`"sr_mod" # For Storage`
			`"virtio_net" # For Hetzner VMs Networking`

			`# For Cryptography`
			`"aesni_intel"`
			`"cryptd"`
			`];`

			`loader.supportsInitrdSecrets = true;`
			`initrd.luks.forceLuksSupportInInitrd = true;`
			`initrd.network = {`
			`enable = true;`
			`ssh = {`
			`enable = true;`
			`port = 22;`
			`authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`
			`hostKeys = ["/ssh_host_ed25519_key"];`
			`};`
			`postCommands = ''`
			`echo 'cryptsetup-askpass' >> /root/.profile`
			`'';`
			`};`

			`initrd.secrets = {`
			`"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";`
			`};`

			`initrd.luks.devices = {`
			`"nixos_unencrypted" = {`
			`device = "/dev/sda3";`
			`preLVM = false;`
			`allowDiscards = true;`
			`};`
			`};`
			`};`

			`config.fileSystems = {`
			`"/" = {`
			`device = "/dev/mapper/nixos_unencrypted";`
			`fsType = "ext4";`
			`};`
			`"/boot" = {`
			`device = "/dev/sda2";`
			`fsType = "vfat";`
			`};`
			`};`
			`}`