| 10 May 2026 |
Albert Larsan | If the subvolume isn’t mounted, then nix can’t infer that you want the home submodule at /home and the nix submodule at /nix | 20:35:01 |
trumee | how do i mount the subvolume? | 20:35:15 |
Albert Larsan | sudo mount -m -o subvol=home,noatime /dev/mapper/pool-root /mnt/home
sudo mount -m -o subvol=nix,noatime /dev/mapper/pool-root /mnt/nix | 20:36:53 |
sudoforge | ah, albert got it out as i was responding :) | 20:37:31 |
sudoforge | also, i'd strongly encourage you to use disko | 20:37:36 |
Albert Larsan | Don’t forget to add noatime to the options in the generated nixos-hardware config, otherwise the SSD will get hammered by writes every time you read something | 20:37:59 |
sudoforge | the config i shared earlier doesn't include LVM under the luks container but can be a great starting point | 20:38:06 |
sudoforge | mount -t btrfs -o defaults,ssd,noatime,compress=zstd:3,subvol=/home /dev/mapper/pool-root /mnt/home
is what i would do | 20:38:33 |
Albert Larsan | https://git.sr.ht/~albertlarsan68/dotfiles/tree/flake-parts/item/disko-configurations/ginkgo-grid.nix is what I use, just remove disk2 and adapt the swap size | 20:39:23 |
sudoforge | ah you're not setting up encryption with disko? tsk tsk | 20:41:05 |
Albert Larsan | I have VPSes that only have 15G of disk space. On them I run compress-force=zstd:15. Absolutely atrocious write performance, but really small disk usage (2 gigs for a full server) | 20:41:24 |
Albert Larsan | Hey, it is not my fault that the disko documentation is nonexistent!
Also, I really like systemd-cryptsetup. This is a server, it has a few steps before I can enroll the TPM (namely re-activating Secure Boot, once Lanzaboote is working, etc.)
So yes, I set up encryption well after disko has done its job. | 20:43:21 |
Albert Larsan | At least lvm has a passphrase | 20:43:33 |
Albert Larsan | From the start | 20:43:38 |
sudoforge | disko just hands off to systemd-cryptsetup | 20:43:53 |
Albert Larsan | I can’t provision the TPM from the install media AFAIK | 20:44:40 |
Albert Larsan | My original setup came from someone else, and there were even more manual steps (see https://web.archive.org/web/20250919060007/https://github.com/kjhoerr/dotfiles/wiki/NixOS:-Instructions-for-adding-a-new-system) | 20:48:02 |
Albert Larsan | Apparently the repo I took from disappeared | 20:48:41 |
sudoforge | ah, that's right, you can't use the TPM device from the installation media | 20:49:12 |
sudoforge | hmm | 20:49:40 |
sudoforge | well, you could disko to set up the initial encryption for it (passphrase or key file or security key), i guess | 20:50:03 |
sudoforge | then boot and manually enroll the tpm device | 20:50:16 |
sudoforge | that's basically what i do anyway to add additional security keys | 20:50:31 |
Albert Larsan | Disko sets up passphrase encryption when no options are given | 20:50:57 |
sudoforge | by default, with no options specified, that is correct | 20:51:31 |
sudoforge | but you can specify a key file | 20:51:35 |
sudoforge | or content.enrollFido2 | 20:51:56 |
Albert Larsan | But the key file needs to be available in the install env.
Also I’ve never got key files to work. | 20:52:46 |
sudoforge | what's wrong with a passphrase, then? it seems like that needs to be present for you, as a backup option in case PCRs change | 20:53:35 |
sudoforge | i'm not seeing the problem, unless you are avoiding a passphrase altogether and relying on the TPM never failing and PCRs never changing | 20:54:17 |