move grub and full-disk-encryption into seperate files

This commit is contained in:
fleaz 2022-06-05 02:12:55 +02:00
parent 21f2b0634c
commit 82f3a79787
No known key found for this signature in database
GPG key ID: AED15F8FDD04D083
7 changed files with 40 additions and 89 deletions


@ -2,51 +2,19 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ sources ? import ../../nix { pkgs, ... }:
, pkgs ? sources.pkgs { }
, lib
, ...
}:
let
home-manager = (import ./nix/sources.nix).home-manager;
secretsFile = "/root.key";
in
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../roles/all.nix ../../roles/all.nix
../../modules/luks.nix
../../modules/grub.nix
]; ];
# Use the systemd-boot EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
configurationLimit = 5;
};
# enable passing of keyfile between grub and initrd
boot.initrd.luks.devices."cryptroot" = {
fallbackToPassword = true;
keyFile = secretsFile;
};
# copy the secret into the additional initramfs. `null` means same path
boot.initrd.secrets."${secretsFile}" = null;
services.xserver.videoDrivers = [ "amdgpu" ]; services.xserver.videoDrivers = [ "amdgpu" ];
# Set your time zone. time.hardwareClockInLocalTime = true; #Be compatible with Windows Dualboot
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; #Be compatible with Windows
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config


@ -3,45 +3,17 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
secretsFile = "/root.key";
in
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../roles/all.nix ../../roles/all.nix
../../modules/luks.nix
../../modules/grub.nix
]; ];
# Use the systemd-boot EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
configurationLimit = 5;
};
# enable passing of keyfile between grub and initrd
boot.initrd.luks.devices."cryptroot" = {
fallbackToPassword = true;
keyFile = secretsFile;
};
# copy the secret into the additional initramfs. `null` means same path
boot.initrd.secrets."${secretsFile}" = null;
networking.hostName = "jimbo"; # Define your hostname. networking.hostName = "jimbo"; # Define your hostname.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
networking.useDHCP = false; networking.useDHCP = false;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;


@ -3,35 +3,18 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../roles/all.nix ../../roles/all.nix
../../modules/luks.nix
../../modules/grub.nix
]; ];
# Use the systemd-boot EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
configurationLimit = 5;
};
networking.hostName = "milhouse"; # Define your hostname. networking.hostName = "milhouse"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
@ -53,9 +36,6 @@
# Enable the X11 windowing system. # Enable the X11 windowing system.
# services.xserver.enable = true; # services.xserver.enable = true;
# Configure keymap in X11 # Configure keymap in X11
# services.xserver.layout = "us"; # services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e"; # services.xserver.xkbOptions = "eurosign:e";
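Review bot: Importing `../../modules/luks.nix` gives milhouse a `boot.initrd.luks.devices."cryptroot"` entry and a `boot.initrd.secrets."/root.key"` entry that the block removed here never had — this host previously configured only GRUB, with no keyfile. If its hardware-configuration does not name its LUKS device `cryptroot`, the entry has no `device` and evaluation fails; if `/root.key` does not exist on that host, appending the initrd secrets fails at build time; and if the host has no encrypted /boot, `enableCryptodisk` is set for nothing. Either import only `../../modules/grub.nix` here, or confirm the hardware scan and key file match the shared module the way the `"root"` to `"cryptroot"` rename in the hardware-configuration hunk does for the other host. The second hunk of this file is comment-only.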


@ -18,7 +18,7 @@
fsType = "ext4"; fsType = "ext4";
}; };
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/19bd5375-ca55-427e-baaa-a3ec0f519441"; boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/19bd5375-ca55-427e-baaa-a3ec0f519441";
fileSystems."/boot/efi" = fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/E497-94F9"; { device = "/dev/disk/by-uuid/E497-94F9";

13
modules/grub.nix Normal file

@ -0,0 +1,13 @@
{
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
configurationLimit = 5;
};
}
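Review bot: The new module has no header comment stating what it assumes: an EFI install with the ESP mounted at `/boot/efi` (hard-coded in `efiSysMountPoint`), systemd-boot disabled in favour of GRUB, and that encrypted-/boot support (`enableCryptodisk`) now lives in luks.nix rather than here. A host that imports this module alone while keeping /boot on a LUKS volume would get a GRUB that cannot read its kernel, so the coupling is worth writing down. Suggest opening the file with `# EFI GRUB shared by all hosts; the ESP must be mounted at /boot/efi in each hardware-configuration.nix.` and `# Encrypted /boot (grub.enableCryptodisk, initrd keyfile) is configured in luks.nix and must be imported alongside this module.`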

15
modules/luks.nix Normal file

@ -0,0 +1,15 @@
let
secretsFile = "/root.key";
in
{
boot.loader.grub.enableCryptodisk = true;
# enable passing of keyfile between grub and initrd
boot.initrd.luks.devices."cryptroot" = {
fallbackToPassword = true;
keyFile = secretsFile;
};
# copy the secret into the additional initramfs. `null` means same path
boot.initrd.secrets."${secretsFile}" = null;
}
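Review bot: The LUKS keyfile `/root.key` is appended to the initrd via `boot.initrd.secrets`, and nothing here records the two conditions that keep that safe: the file must be root-only on disk, and the initrd it is copied into must land on the encrypted volume, not the plaintext ESP. Since the ESP is mounted at `/boot/efi` elsewhere in this commit, /boot itself appears to stay on the LUKS root, which is what makes this work — that assumption should be stated rather than implied. Suggest a comment above `secretsFile` such as `# /root.key must be root:root 0400 on the encrypted root; it is embedded in the initrd under /boot, so /boot must never be moved onto the unencrypted ESP.` plus `# the "cryptroot" name must match the host's hardware-configuration.nix`. The `boot.loader.grub.enableCryptodisk` line only has effect when grub.nix is imported too, so naming that dependency in the same comment would help.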


@ -17,6 +17,9 @@
../users/fleaz.nix ../users/fleaz.nix
]; ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# needed for Steam and VIA # needed for Steam and VIA
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;