diff --git a/docs/code-examples/disko-raid.nix b/docs/code-examples/disko-raid.nix
new file mode 100644
index 000000000..dd59a9b2f
--- /dev/null
+++ b/docs/code-examples/disko-raid.nix
@@ -0,0 +1,99 @@
+{
+ lib,
+ config,
+ clan-core,
+ ...
+}:
+let
+ suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
+ mirrorBoot = idx: {
+ # suffix is to prevent disk name collisions
+ name = idx + suffix;
+ type = "disk";
+ device = "/dev/disk/by-id/${idx}";
+ content = {
+ type = "gpt";
+ partitions = {
+ "boot" = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1;
+ };
+ "ESP" = lib.mkIf (idx == "nvme-eui.002538b931b59865") {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ "root" = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+in
+{
+ imports = [
+ clan-core.clanModules.disk-id
+ ];
+
+ config = {
+ boot.loader.systemd-boot.enable = true;
+
+ disko.devices = {
+ disk = {
+ x = mirrorBoot "nvme-eui.002538b931b59865";
+ y = mirrorBoot "my-other-disk";
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ compression = "lz4";
+ acltype = "posixacl";
+ xattr = "sa";
+ "com.sun:auto-snapshot" = "true";
+ mountpoint = "none";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ keylocation = "file:///tmp/secret.key";
+ };
+ };
+ "root/nixos" = {
+ type = "zfs_fs";
+ options.mountpoint = "/";
+ mountpoint = "/";
+ };
+ "root/home" = {
+ type = "zfs_fs";
+ options.mountpoint = "/home";
+ mountpoint = "/home";
+ };
+ "root/tmp" = {
+ type = "zfs_fs";
+ mountpoint = "/tmp";
+ options = {
+ mountpoint = "/tmp";
+ sync = "disabled";
+ };
+ };
+ };
+ };
+ };
+ };
+}
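Review bot: The `root` dataset's `keylocation = "file:///tmp/secret.key"` is the install-time key source, but nothing in this file changes it afterwards, so the pool keeps pointing at a path under the installer's `/tmp` while the guide's remote-unlock flow presumably expects the passphrase to be prompted for instead. A comment on that line would stop readers from copying it unchanged, e.g. `# install-time only: ZFS reads the passphrase from this file when "root" is created; switch to keylocation=prompt (or equivalent) once the system is installed`. The same line appears in disko-single-disk.nix in the next hunk. Both files also hard-code the first disk's id twice, in the `lib.mkIf` comparison inside `mirrorBoot` and in the `x = mirrorBoot …` call; hoisting it into a `let` binding next to `suffix` would let a reader adapting the example change it in one place.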
diff --git a/docs/code-examples/disko-single-disk.nix b/docs/code-examples/disko-single-disk.nix
new file mode 100644
index 000000000..7b0283903
--- /dev/null
+++ b/docs/code-examples/disko-single-disk.nix
@@ -0,0 +1,98 @@
+{
+ lib,
+ config,
+ clan-core,
+ ...
+}:
+let
+ suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
+ mirrorBoot = idx: {
+ # suffix is to prevent disk name collisions
+ name = idx + suffix;
+ type = "disk";
+ device = "/dev/disk/by-id/${idx}";
+ content = {
+ type = "gpt";
+ partitions = {
+ "boot" = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1;
+ };
+ "ESP" = lib.mkIf (idx == "nvme-eui.002538b931b59865") {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ "root" = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+in
+{
+ imports = [
+ clan-core.clanModules.disk-id
+ ];
+
+ config = {
+ boot.loader.systemd-boot.enable = true;
+
+ disko.devices = {
+ disk = {
+ x = mirrorBoot "nvme-eui.002538b931b59865";
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ compression = "lz4";
+ acltype = "posixacl";
+ xattr = "sa";
+ "com.sun:auto-snapshot" = "true";
+ mountpoint = "none";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ keylocation = "file:///tmp/secret.key";
+ };
+ };
+ "root/nixos" = {
+ type = "zfs_fs";
+ options.mountpoint = "/";
+ mountpoint = "/";
+ };
+ "root/home" = {
+ type = "zfs_fs";
+ options.mountpoint = "/home";
+ mountpoint = "/home";
+ };
+ "root/tmp" = {
+ type = "zfs_fs";
+ mountpoint = "/tmp";
+ options = {
+ mountpoint = "/tmp";
+ sync = "disabled";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/docs/site/getting-started/disk-encryption.md b/docs/site/getting-started/disk-encryption.md
index 1595ab49c..8fd81a630
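Review bot: The `hl_lines="17 48"` that disk-encryption.md keeps as unchanged context around the new `--8<--` include (a later hunk) no longer matches this file: the old inline snippet opened with a one-line `{ lib, clan-core, ... }:`, whereas this file spends six lines on the argument set, so every line shifts down by five and lines 17 and 48 are now `"boot" = {` and `config = {` rather than the `"ESP" = lib.mkIf …` line (now 22) and `x = mirrorBoot …` (now 53). Assuming the snippet is inlined verbatim, the Single Disk fence should read ```` ```nix hl_lines="22 53" ```` and the Raid 1 tab's `hl_lines="17 48 49"` should become `hl_lines="22 53 54"` for disko-raid.nix. Alternatively the highlights could be replaced by a comment on the `"ESP"` line and on the `disk = { … }` block, which would not drift the next time these files are edited.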
--- a/docs/site/getting-started/disk-encryption.md
+++ b/docs/site/getting-started/disk-encryption.md
@@ -1,5 +1,5 @@
-This guide provides an example setup for a single-disk ZFS system with native encryption, accessible for decryption remotely.
+This guide provides an example setup for a single-disk ZFS system with native encryption, accessible for decryption remotely.
 !!! Warning
 This configuration only applies to `systemd-boot` enabled systems and **requires** UEFI booting.
@@ -15,100 +15,7 @@ lsblk --output NAME,ID-LINK,FSTYPE,SIZE,MOUNTPOINT
 === "**Single Disk**"
 Below is the configuration for `disko.nix`
 ```nix hl_lines="17 48"
- { lib, clan-core, ... }:
- let
- suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
- mirrorBoot = idx: {
- # suffix is to prevent disk name collisions
- name = idx + suffix;
- type = "disk";
- device = "/dev/disk/by-id/${idx}";
- content = {
- type = "gpt";
- partitions = {
- "boot" = {
- size = "1M";
- type = "EF02"; # for grub MBR
- priority = 1;
- };
- "ESP" = lib.mkIf (idx == "nvme-eui.002538b931b59865") {
- size = "1G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "nofail" ];
- };
- };
- "root" = {
- size = "100%";
- content = {
- type = "zfs";
- pool = "zroot";
- };
- };
- };
- };
- };
- in
- {
- imports = [
- clan-core.clanModules.disk-id
- ];
-
- config = {
- boot.loader.systemd-boot.enable = true;
-
- disko.devices = {
- disk = {
- x = mirrorBoot "nvme-eui.002538b931b59865";
- };
- zpool = {
- zroot = {
- type = "zpool";
- rootFsOptions = {
- compression = "lz4";
- acltype = "posixacl";
- xattr = "sa";
- "com.sun:auto-snapshot" = "true";
- mountpoint = "none";
- };
- datasets = {
- "root" = {
- type = "zfs_fs";
- options = {
- mountpoint = "none";
- encryption = "aes-256-gcm";
- keyformat = "passphrase";
- keylocation = "file:///tmp/secret.key";
- };
- };
- "root/nixos" = {
- type = "zfs_fs";
- options.mountpoint = "/";
- mountpoint = "/";
- };
- "root/home" = {
- type = "zfs_fs";
- options.mountpoint = "/home";
- mountpoint = "/home";
- };
- "root/tmp" = {
- type = "zfs_fs";
- mountpoint = "/tmp";
- options = {
- mountpoint = "/tmp";
- sync = "disabled";
- };
- };
- };
- };
- };
- };
- }
-
+ --8<-- "docs/code-examples/disko-single-disk.nix"
 ```
@@ -116,104 +23,11 @@ lsblk --output NAME,ID-LINK,FSTYPE,SIZE,MOUNTPOINT
 === "**Raid 1**"
 Below is the configuration for `disko.nix`
 ```nix hl_lines="17 48 49"
- { lib, clan-core, ... }:
- let
- suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
- mirrorBoot = idx: {
- # suffix is to prevent disk name collisions
- name = idx + suffix;
- type = "disk";
- device = "/dev/disk/by-id/${idx}";
- content = {
- type = "gpt";
- partitions = {
- "boot" = {
- size = "1M";
- type = "EF02"; # for grub MBR
- priority = 1;
- };
- "ESP" = lib.mkIf (idx == "nvme-eui.002538b931b59865") {
- size = "1G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "nofail" ];
- };
- };
- "root" = {
- size = "100%";
- content = {
- type = "zfs";
- pool = "zroot";
- };
- };
- };
- };
- };
- in
- {
- imports = [
- clan-core.clanModules.disk-id
- ];
-
- config = {
- boot.loader.systemd-boot.enable = true;
-
- disko.devices = {
- disk = {
- x = mirrorBoot "nvme-eui.002538b931b59865";
- y = mirrorBoot "my-other-disk";
- };
- zpool = {
- zroot = {
- type = "zpool";
- rootFsOptions = {
- compression = "lz4";
- acltype = "posixacl";
- xattr = "sa";
- "com.sun:auto-snapshot" = "true";
- mountpoint = "none";
- };
- datasets = {
- "root" = {
- type = "zfs_fs";
- options = {
- mountpoint = "none";
- encryption = "aes-256-gcm";
- keyformat = "passphrase";
- keylocation = "file:///tmp/secret.key";
- };
- };
- "root/nixos" = {
- type = "zfs_fs";
- options.mountpoint = "/";
- mountpoint = "/";
- };
- "root/home" = {
- type = "zfs_fs";
- options.mountpoint = "/home";
- mountpoint = "/home";
- };
- "root/tmp" = {
- type = "zfs_fs";
- mountpoint = "/tmp";
- options = {
- mountpoint = "/tmp";
- sync = "disabled";
- };
- };
- };
- };
- };
- };
- }
+ --8<-- "docs/code-examples/disko-raid.nix"
 ```
-Below is the configuration for `initrd.nix`.
-Replace `` with your ssh public key.
+Below is the configuration for `initrd.nix`.
+Replace `` with your ssh public key.
 Replace `kernelModules` with the ethernet module loaded one on your target machine.
 ```nix hl_lines="18 29"
 {config, pkgs, ...}:
@@ -244,7 +58,7 @@ Replace `kernelModules` with the ethernet module loaded one on your target machi
 ];
 # Find out the required network card driver by running `lspci -k` on the target machine
- boot.initrd.kernelModules = [ "r8169" ];
+ boot.initrd.kernelModules = [ "r8169" ];
 }
 ```