# NixOS hardware/storage module.
#
# The first attribute set describes the internal disk: ZFS datasets for /,
# /nix and the journal, a vfat /boot, and one swap device. The second set
# (merged in with //) covers the external drives: a systemd unit per
# LUKS container that opens it with a key file, mounts or zpool imports on
# top of the opened mappings, and udev rules that give each disk a stable
# /dev/<alias> name.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  # --- Kernel modules ---
  boot = {
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "ehci_pci"
        "ahci"
        "usbhid"
        "uas"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };

  # --- Internal drive ---
  # NOTE(review): whether the zroot datasets are encrypted is not visible
  # here. The LUKS key files referenced below live under /root, so the
  # external drives are only as well protected as the dataset backing / is.
  fileSystems = {
    "/" = {
      device = "zroot/safe/root";
      fsType = "zfs";
    };
    "/nix" = {
      device = "zroot/local/nix";
      fsType = "zfs";
    };
    "/var/log/journal" = {
      device = "zroot/safe/journal";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/8BB2-9DCB";
      fsType = "vfat";
    };
  };

  # --- Swap ---
  # NOTE(review): nothing here shows this swap device being encrypted; if it
  # is not, memory pages can reach the disk in cleartext. Confirm.
  swapDevices = [
    { device = "/dev/disk/by-uuid/efc7e294-1c18-4dd9-aca5-f868eb9c47fc"; }
  ];
}
// (
  # --- External drives ---
  let
    cryptsetupBin = "${pkgs.cryptsetup}/bin/cryptsetup";

    # Alias -> UUID of each external disk; consumed by the udev rules below.
    diskUuids = {
      FRA = "8ae45289-82ed-4cf1-9d68-a0e26e5d9bb5";
      BER = "85ce2e58-72fc-4a66-a376-565bb4fc39a1";
      HND = "4a3765fc-155e-453d-a348-d1782447bcfe";
      LEJ = "5e3c2c1e-73f6-43e6-b8f3-71c923cbeb6d";
    };

    # Build the oneshot unit that opens /dev/<label> as <label>opened.
    #
    #   label     - disk alias; also names the dev-<label>.device unit.
    #   keyFile   - path of the LUKS key file, given as a STRING.
    #   overrides - attribute set merged recursively over the base unit.
    #
    # Because keyFile is a string, only the path is embedded in the generated
    # unit. Keep it that way: a Nix path literal would copy the key itself
    # into the world-readable /nix/store.
    # NOTE(review): confirm the key files are root-owned and not readable by
    # anyone else (e.g. mode 0400).
    mkLuksUnlock = label: keyFile: overrides:
      let
        deviceUnit = "dev-${label}.device";
        mapping = "${label}opened";
        baseUnit = {
          description = "Unlock luks encrypted device '${label}'";
          # Start once the device unit exists; BindsTo= also stops this unit
          # when the device unit goes away.
          bindsTo = [ deviceUnit ];
          after = [ deviceUnit ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            ExecStart = ''
              ${cryptsetupBin} luksOpen --key-file ${keyFile} /dev/${label} ${mapping}
            '';
            # NOTE(review): units that import a zpool in ExecStartPost do not
            # export it here; presumably luksClose fails while the pool still
            # holds the mapping. Confirm the intended stop behaviour.
            ExecStop = ''
              ${cryptsetupBin} luksClose ${mapping}
            '';
          };
        };
      in
      lib.recursiveUpdate baseUnit overrides;

    # Override that imports the named zpool after the container is open.
    importPool = pool: {
      serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import ${pool}";
    };

    # ext4 mount pulled in by default.target and ordered after its unlock unit.
    mountAfterUnlock = what: where: unlockUnit: {
      inherit what where;
      type = "ext4";
      wantedBy = [ "default.target" ];
      requires = [ unlockUnit ];
      after = [ unlockUnit ];
    };
  in
  {
    systemd = {
      # Unlock all luks devices and import the zfs pools if necessary
      services = {
        "luks-open-FRA" = mkLuksUnlock "FRA" "/root/keys/fra" { };
        "luks-open-BER" = mkLuksUnlock "BER" "/root/keys/ber" (importPool "zBER");
        "luks-open-HND" = mkLuksUnlock "HND" "/root/keys/hnd" (importPool "zHND");
        "luks-open-LEJ" = mkLuksUnlock "LEJ" "/root/keys/lej" { };
      };

      mounts = [
        (mountAfterUnlock "/dev/mapper/FRAopened" "/srv/fra" "luks-open-FRA.service")
        # This mounts an LVM logical volume rather than LEJopened itself;
        # presumably the volume group sits inside the LEJ container.
        (mountAfterUnlock "/dev/mapper/vg_lej-lv_lej" "/srv/lej" "luks-open-LEJ.service")
      ];
    };

    # One udev rule per disk: match the block device by ID_FS_UUID, add the
    # /dev/<alias> symlink, and tag it "systemd" so a dev-<alias>.device unit
    # exists for the unlock services to bind to.
    services.udev.customRules = [
      {
        name = "85-rename-and-unlock-disks";
        rules = lib.concatStringsSep "\n" (
          lib.mapAttrsToList
            (alias: uuid: ''
              SUBSYSTEM=="block", ENV{ID_FS_UUID}=="${uuid}", SYMLINK+="${alias}", TAG+="systemd"
            '')
            diskUuids
        );
      }
    ];
  }
)