feat: data-crypted
ryan4yin committed Aug 16, 2024
1 parent df1f9b0 commit 663616c
Showing 4 changed files with 80 additions and 33 deletions.
6 changes: 3 additions & 3 deletions flake.lock


95 changes: 65 additions & 30 deletions hosts/idols-aquamarine/disko-fs.nix
@@ -1,42 +1,81 @@
# auto disk partitioning:
# nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
{
{config, ...}: {
fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];

disko.devices = {
disk.data-apps = {
disk.data-encrypted = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
content = {
type = "gpt";
partitions.data-apps = {
size = "100%";
content = {
type = "btrfs";
# extraArgs = ["-f"]; # Override existing partition
subvolumes = {
"@persistent" = {
mountpoint = "/data/apps";
mountOptions = [
"compress-force=zstd:1"
# https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
"nofail"
];
};
"@backups" = {
mountpoint = "/data/backups";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "data-encrypted";
settings = {
keyFile = config.age.secrets.hdd-luks-crypt-key.path;
# The maximum size of the keyfile is 8192 KiB
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
# to generate a key file:
# dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
"@snapshots" = {
mountpoint = "/data/apps-snapshots";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];

# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
subvolumes = {
"@apps" = {
mountpoint = "/data/apps";
mountOptions = [
"compress-force=zstd:1"
# https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
"nofail"
];
};
"@fileshare" = {
mountpoint = "/data/fileshare";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
"@backups" = {
mountpoint = "/data/backups";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
"@snapshots" = {
mountpoint = "/data/apps-snapshots";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
};
};
};
};
};
};
};
disk.data-fileshare = {
disk.data-public = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
content = {
type = "gpt";
partitions.data-fileshare = {
@@ -46,13 +85,9 @@
# extraArgs = ["-f"]; # Override existing partition
subvolumes = {
"@persistent" = {
mountpoint = "/data/fileshare";
mountpoint = "/data/fileshare/public";
mountOptions = ["compress-force=zstd:1" "nofail"];
};
"@snapshots" = {
mountpoint = "/data/fileshare-snapshots";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
};
};
};
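Review bot: `"--key-size 256"` in the extraFormatArgs of disk.data-encrypted yields AES-128 under `aes-xts-plain64`, because XTS splits the supplied key between two AES instances; if AES-256 is the intent (cryptsetup's LUKS2 default for this cipher is 512), change that line to `"--key-size 512"`. The comments on keyFileSize and keyFileOffset do not match the quoted `dd` command: `bs=512 count=1024` writes a 512 KiB file, while keyFileSize is `512 * 64` (32 KiB) and the command has no `skip`, so "match the `bs * count`" / "match the `bs * skip`" should instead describe the slice actually used, e.g. `keyFileSize = 512 * 64; # use a 32 KiB slice of the 512 KiB key file` and `keyFileOffset = 512 * 128; # starting 64 KiB into it`. Separately, keyFile points at the agenix-decrypted path; if the pinned disko also registers this device under boot.initrd.luks.devices (its luks type does so by default, I believe, via `initrdUnlock`), that path does not exist in the initrd and every boot would fall through to the passphrase prompt because of fallbackToPassword — worth confirming, and either setting `initrdUnlock = false;` or documenting the expected prompt next to that line.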
1 change: 1 addition & 0 deletions outputs/x86_64-linux/src/idols-aquamarine.nix
@@ -29,6 +29,7 @@
{modules.secrets.server.application.enable = true;}
{modules.secrets.server.operation.enable = true;}
{modules.secrets.server.webserver.enable = true;}
{modules.secrets.server.storage.enable = true;}
];
home-modules = map mylib.relativeToRoot [
"home/linux/tui.nix"
11 changes: 11 additions & 0 deletions secrets/nixos.nix
@@ -35,6 +35,7 @@ in {
server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";

impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
};
@@ -249,5 +250,15 @@ in {
};
};
})

(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
};
})
]);
}
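Review bot: The new `"hdd-luks-crypt-key"` entry in the `cfg.server.storage.enable` block carries no hint of its consumer, yet hosts/idols-aquamarine/disko-fs.nix in this same commit reads it as `config.age.secrets.hdd-luks-crypt-key.path` for the LUKS keyFile, so a rename here would break that disk layout without any error at this site. Add a comment above the entry such as `# consumed as the LUKS keyFile in hosts/idols-aquamarine/disko-fs.nix; keep the name in sync`, and since that consumer reads only a fixed slice (keyFileSize/keyFileOffset) of the decrypted file, a second line noting that the .age payload must be regenerated with the same `dd` parameters would save the next person a non-booting disk.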
