From 8b94d9c55a804dc81e0c16a38049d72410cb6633 Mon Sep 17 00:00:00 2001 From: Daniel Ziltener Date: Thu, 4 Jul 2024 14:24:58 +0200 Subject: [PATCH] Disk encryption --- configuration.nix | 71 +++++++++++++++++++++++++++++------------------ disko-config.nix | 45 +++++++++++++++++------------- 2 files changed, 70 insertions(+), 46 deletions(-) diff --git a/configuration.nix b/configuration.nix index add7f37..3c58600 100644 --- a/configuration.nix +++ b/configuration.nix @@ -7,6 +7,7 @@ { imports = [ # Include the results of the hardware scan. + ./bevuta-config/bevuta.nix ./hardware-configuration.nix "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix" ./disko-config.nix @@ -16,7 +17,24 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "ziltis-desktop"; # Define your hostname. + boot.initrd.luks.devices."root".preLVM = lib.mkForce false; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + systemd.enable = true; + luks.devices."crypted" = { + preLVM = lib.mkForce false; + crypttabExtraOpts = [ "fido2-device=auto" ]; + device = "/dev/nvme0n1p2"; + }; + }; + }; + + #networking.hostName = "ziltis-desktop"; # Define your hostname. # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
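Review bot: The added line `boot.initrd.luks.devices."root".preLVM = lib.mkForce false;` declares a second LUKS device named `root` that nothing else in this commit refers to and that has no `device` path; as far as I know `device` is a required option without a default, so this line is likely to break evaluation and looks like a leftover from an earlier name that should be deleted. The new `boot = { loader = { ... }; ... }` block also repeats the `boot.loader.systemd-boot.enable` and `boot.loader.efi.canTouchEfiVariables` settings that remain as context lines directly above it, so one of the two copies should go. For the `crypted` entry, `device = "/dev/nvme0n1p2";` ties the unlock to a kernel enumeration name that is not stable across controller or firmware changes, and disko-config.nix already describes the same `crypted` volume, so I would either let disko supply the device path or use a stable identifier such as `device = "/dev/disk/by-uuid/<luks-header-uuid>";`. The `fido2-device=auto` option only works once a token has been enrolled and, presumably, still falls back to a passphrase keyslot when no token is present, so a comment such as `# Unlock via FIDO2 token; enrol with systemd-cryptenroll --fido2-device=auto and keep a passphrase keyslot for recovery` would save the next reader a surprise at the boot prompt.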
@@ -38,15 +56,20 @@ # Enable the X11 windowing system. # services.xserver.enable = true; + services.xserver = { + enable = true; + layout = "de"; + xkbOptions = "eurosign;e,caps:escape"; + libinput.enable = true; + displayManager = { + sddm.enable = true; + }; + }; programs.hyprland.enable = true; services.flatpak.enable = true; nixpkgs.config.allowUnfree = true; - # Configure keymap in X11 - services.xserver.layout = "de"; - services.xserver.xkbOptions = "eurosign:e,caps:escape"; - # Enable CUPS to print documents. # services.printing.enable = true; @@ -64,12 +87,6 @@ #jack.enable = true; }; - # Enable touchpad support (enabled default in most desktopManager). - services.xserver.enable = true; - services.xserver.libinput.enable = true; - services.xserver.displayManager.sddm.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. # users.users.alice = { # isNormalUser = true; @@ -100,16 +117,16 @@ libvirtd = { enable = true; }; - podman = { - enable = true; - dockerCompat = true; - defaultNetwork.settings.dns_enabled = true; - }; - containers.storage.settings = { - storage = { - driver = "btrfs"; - }; - }; +# podman = { +# enable = true; +# dockerCompat = true; +# defaultNetwork.settings.dns_enabled = true; +# }; +# containers.storage.settings = { +# storage = { +# driver = "btrfs"; +# }; +# }; }; # Some programs need SUID wrappers, can be configured further or are @@ -139,12 +156,12 @@ # Or disable the firewall altogether. # networking.firewall.enable = false; - networking.extraHosts = '' - 127.0.0.1 l.redsky.io - ::1 l.redsky.io - ''; +# networking.extraHosts = '' +# 127.0.0.1 l.redsky.io +# ::1 l.redsky.io +# ''; - security.pam.services.swaylock = {}; +# security.pam.services.swaylock = {}; services.btrfs = { autoScrub = { 
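Review bot: The moved keymap line introduces a typo: the removed line had `xkbOptions = "eurosign:e,caps:escape";` while the new block reads `xkbOptions = "eurosign;e,caps:escape";`, and XKB options are `group:name` pairs separated by commas, so `eurosign;e` is not a valid option and is likely to make the X server reject the keymap (dropping the `caps:escape` mapping along with it). Restore the colon: `xkbOptions = "eurosign:e,caps:escape";`. Since this commit also bumps `system.stateVersion` to 24.05, be aware that `services.xserver.layout` and `services.xserver.xkbOptions` were, I believe, renamed to `services.xserver.xkb.layout` and `services.xserver.xkb.options` in that release and now only survive as deprecated aliases.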
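Review bot: Commenting out `security.pam.services.swaylock = {};` removes the PAM service that swaylock authenticates against, and with Hyprland still enabled elsewhere in this file (`programs.hyprland.enable = true;`) that is presumably still the screen locker; without the PAM entry swaylock cannot verify the password, so the lock screen either fails to unlock or the session is left without a working locker. If swaylock has genuinely been replaced, delete the line rather than leave it as a comment, otherwise keep `security.pam.services.swaylock = {};`. The same applies to the `networking.extraHosts` block in this hunk and the podman block in the previous one: git already keeps the history, so retired configuration should be removed rather than kept as `#`-prefixed code.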
@@ -165,7 +182,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + system.stateVersion = "24.05"; # Did you read the comment? } diff --git a/disko-config.nix b/disko-config.nix index 0d6f188..797380b 100644 --- a/disko-config.nix +++ b/disko-config.nix @@ -19,27 +19,34 @@ mountpoint = "/boot"; }; }; - root = { + luks = { size = "100%"; content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/rootfs" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - "/nix" = { - mountOptions = [ "compress=zstd" "noatime" ]; - mountpoint = "/nix"; - }; - "/swap" = { - mountOptions = [ "subvol=swap" ]; - mountpoint = "/swap"; + type = "luks"; + name = "crypted"; + settings = { + allowDiscards = true; + }; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/rootfs" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/"; + }; + "/home" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/home"; + }; + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + "/swap" = { + mountOptions = [ "subvol=swap" ]; + mountpoint = "/swap"; + }; }; }; };
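Review bot: `allowDiscards = true;` on the new `luks` partition passes TRIM through the encrypted mapping, which is good for the NVMe's wear but lets anyone with the raw disk see which blocks are unused (and therefore how full the volume is and where data sits); that is a common and defensible trade-off, but it is a security decision and should be recorded, e.g. `allowDiscards = true; # TRIM passthrough: leaks free-space layout of the encrypted volume, accepted for SSD health`. The ESP at `mountpoint = "/boot"` stays unencrypted, so the kernel and initrd that perform the unlock are not protected by this change; a one-line comment that tampering with /boot is out of scope (or that Secure Boot / measured boot is expected to cover it) would make the threat model explicit. No `passwordFile` or key settings are given here, so presumably `disko` will prompt interactively when formatting; if that is intended it is worth saying so next to `type = "luks";`.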