nixfiles/presets/nixos/server-encrypted-drive.nix


{
  config,
  tree,
  ...
}: let
  # Device-mapper name of the unlocked LUKS volume; the root filesystem below mounts it.
  luksName = "nixos_unencrypted";
  # Path of the initrd SSH host key, both on the host and inside the initrd.
  initrdHostKey = "/ssh_host_ed25519_key";
in {
  imports = [tree.profiles.sshd];

  config = {
    boot = {
      loader = {
        # Legacy BIOS boot through GRUB 2 installed to the whole disk; systemd-boot is left off.
        systemd-boot.enable = false;
        grub = {
          enable = true;
          efiSupport = false;
          version = 2; # NOTE(review): boot.loader.grub.version is deprecated on recent NixOS channels — confirm against the channel in use
          enableCryptodisk = true;
          device = "/dev/sda";
        };
        # Required so that initrd.secrets below is actually appended to the initrd.
        supportsInitrdSecrets = true;
      };

      initrd = {
        availableKernelModules = [
          "nvme"
          "ahci"
          "xhci_pci"
          "virtio_pci"
          "sd_mod"
          "sr_mod" # For Storage
          "virtio_net" # For Hetzner VMs Networking
          # For Cryptography
          "aesni_intel"
          "cryptd"
        ];

        luks = {
          forceLuksSupportInInitrd = true;
          devices.${luksName} = {
            device = "/dev/sda3";
            preLVM = false;
            # TRIM passthrough: better SSD behaviour, at the cost of exposing free-space layout through the encryption layer.
            allowDiscards = true;
          };
        };

        # Remote unlock: an SSH session into the initrd is dropped straight into the passphrase prompt.
        network = {
          enable = true;
          ssh = {
            enable = true;
            port = 22;
            # Root's authorized keys from the booted system are reused for the initrd SSH server.
            authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
            # NOTE(review): this key differs from the booted system's host key on the same port, so clients will see a host-key change between initrd and full boot — verify how clients pin it.
            hostKeys = [initrdHostKey];
          };
          postCommands = ''
            echo 'cryptsetup-askpass' >> /root/.profile
          '';
        };

        # NOTE(review): initrd secrets are embedded in the initrd, which presumably lives on the unencrypted /boot partition below — treat this key as readable by anyone with disk access and keep it dedicated to the initrd.
        secrets.${initrdHostKey} = initrdHostKey;
      };
    };

    fileSystems = {
      "/" = {
        device = "/dev/mapper/${luksName}";
        fsType = "ext4";
      };
      # Unencrypted boot partition holding GRUB, kernels and the initrd.
      "/boot" = {
        device = "/dev/sda2";
        fsType = "vfat";
      };
    };
  };
}