added stuff

2024-04-09 23:11:33 +02:00 · 2024-04-09 23:11:33 +02:00 · 236b8c2a6b
commit 236b8c2a6b
parent 937f28770d
907 changed files with 70990 additions and 0 deletions
--- a/nyx/modules/core/common/system/encryption/default.nix
+++ b/nyx/modules/core/common/system/encryption/default.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+
+  cfg = config.modules.system.encryption;
+in {
+  config = mkIf cfg.enable {
+    boot = {
+      # mildly improves performance for the disk encryption
+      initrd.availableKernelModules = [
+        "aesni_intel"
+        "cryptd"
+        "usb_storage"
+      ];
+
+      kernelParams = [
+        # Disable password timeout
+        "luks.options=timeout=0"
+        "rd.luks.options=timeout=0"
+        "rootflags=x-systemd.device-timeout=0"
+      ];
+    };
+
+    services.lvm.enable = true;
+
+    # TODO: account for multiple encrypted devices
+    boot.initrd.luks.devices."${cfg.device}" = {
+      # improve performance on ssds
+      bypassWorkqueues = true;
+
+      # handle LUKS decryption before LVM
+      preLVM = true;
+
+      # the device with the maching id will be searched for the key file
+      keyFile = mkIf (cfg.keyFile != null) "${cfg.keyFile}";
+
+      # the size of the key file in bytes
+      keyFileSize = cfg.keySize;
+
+      # if keyfile is not there, fall back to cryptsetup password
+      fallbackToPassword = cfg.fallbackToPassword; # IMPLIED BY config.boot.initrd.systemd.enable
+    };
+  };
+}