encryption-configuration.local.nix.example
# Copy this file and remove the `.example` extension.
# This file adds encryption-specific settings for `hardware-configuration.nix`
# NixOS module fragment: LUKS unlock settings for stage 1 (initrd), the resume
# device, and swap. The placeholders ("sdXZ_crypt" and the XXXXXXXX-... UUIDs)
# must be replaced with the values of the target machine.
{ ... }:
let
  # Key file used by every LUKS mapping below. The initrd LUKS options open
  # this path during stage 1, so the file has to exist inside the initrd; this
  # fragment does not show how it gets there (e.g. via `boot.initrd.secrets`)
  # -- confirm in the rest of the configuration.
  # NOTE(review): a key embedded in an initrd that is stored on an unencrypted
  # /boot is readable by anyone with access to the disk, which makes the
  # encryption of the volumes it unlocks ineffective against that party.
  # Verify where the initrd lives and restrict the key file to root (0400).
  luksKey = "/crypto_keyfile.bin";

  # Mapper node of the unlocked swap volume; used both for resume and as swap.
  swapMapper = "/dev/mapper/swap_crypt";
in
{
  boot = {
    initrd.luks.devices = {
      # No `device` is set for this mapping; presumably it is supplied by
      # hardware-configuration.nix and merged with these settings -- verify.
      "sdXZ_crypt" = {
        preLVM = true; # open the LUKS container before the LVM scan
        keyFile = luksKey;
        # Left disabled on purpose: passing TRIM/discard through dm-crypt
        # reveals which blocks are unused. Enable only after weighing that
        # against the SSD benefit.
        #allowDiscards = true;
      };

      # Swap is unlocked in the initrd so that it can serve as resume device.
      "swap_crypt" = {
        device = "/dev/disk/by-uuid/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
        preLVM = true;
        keyFile = luksKey;
        # Same trade-off as above.
        #allowDiscards = true;
      };
    };

    # Resume from the encrypted swap mapping opened above.
    resumeDevice = swapMapper;
  };

  # Data mount
  # NOTE(review): for `encrypted.keyFile`, check the NixOS option documentation
  # for where the path is resolved during stage 1 and confirm that
  # "/crypto_keyfile.bin" is reachable at that point.
  #fileSystems."/data" = {
  #  device = "/dev/mapper/data_crypt";
  #  fsType = "btrfs";
  #  options = [ "subvol=@data" ];
  #  encrypted = {
  #    enable = true;
  #    label = "data_crypt";
  #    blkDev = "/dev/disk/by-uuid/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; # UUID for encrypted disk
  #    keyFile = "/crypto_keyfile.bin";
  #  };
  #};

  swapDevices = [
    { device = swapMapper; }
    # In case swap is not encrypted in initrd to be used as resume device:
    #{ device = "/dev/mapper/swap_crypt";
    #  encrypted = {
    #    enable = true;
    #    label = "swap_crypt";
    #    blkDev = "/dev/disk/by-uuid/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; # UUID for encrypted disk
    #    keyFile = "/crypto_keyfile.bin";
    #  };
    #}
  ];
}