NixOS + Framework

Sender	Message	Time
10 May 2026
trumee	yes, that seems a good way forward	15:59:01
sudoforge	it's a rather strange way forward	16:05:50
sudoforge	but, yes, it should get you there	16:06:13
sudoforge	i'm not really sure how `boot.resumeDevice` is going to play with that	16:06:48
sudoforge	what you could do instead, is encrypt the entire disk (except your ESP partition if using systemd-boot) and within the unlocked container, set up your different filesystems	16:07:42
sudoforge	that's what i'd call far more typical on single-disk installations	16:08:09
trumee	why do you think this is strange?	16:09:46
sudoforge	well, what does it accomplish?	16:10:35
sudoforge	you increase complexity and gain, what?	16:10:42
sudoforge	well, and we should probably clarify: are you using a framework laptop with a single disk for your system, or are you using multiple disks?	16:11:56
trumee	yes, i have a single disk.	16:12:07
sudoforge	okay, yeah, i'm going to call it strange then	16:12:22
trumee	My goal is to use Yubikey to decrypt the disk.	16:12:24
sudoforge	you can just do that, directly, on the single luks container that is your entire disk (sans your ESP partition if using systemd-boot)	16:12:50
sudoforge	i do this on my FW13	16:13:07
trumee	i was using ZFS encryption instead of using Luks.	16:13:19
sudoforge	no, you're using luks for your keyfile and then using that for zfs	16:13:53
sudoforge	based on: https://discourse.nixos.org/t/yubikey-fido2-and-boot-initrd-systemd/60051/18?u=trumee	16:14:10
sudoforge	anyway, what i've described is far simpler	16:15:09
sudoforge	you are welcome to continue doing what you're doing, of course	16:15:21
sudoforge	`➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc	16:16:31
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc)	16:16:34
trumee	that is more accurate, my goal was to use native zfs encryption when i set the system up.	16:16:52
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc)	16:16:54
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc). my single luks container is unlocked with my security key's PIN and presence.	16:17:33
trumee	this is what i have currently, `root@lappy ~# lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1G 0 part /boot ├─nvme0n1p2 259:2 0 32M 0 part ├─nvme0n1p3 259:3 0 86G 0 part │ └─dev-disk-byx2did-nvmex2dSHPP41x2dpart 254:0 0 86G 0 crypt [SWAP] └─nvme0n1p4 259:4 0 1.7T 0 part`	16:18:38
sudoforge	do you see and understand the difference?	16:20:41
Albert Larsan	I have something even more complex (ignore p3 and p4, an old dual boot) `❯ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 931.5G 0 disk ├─nvme0n1p1 259:1 0 2G 0 part /boot ├─nvme0n1p2 259:2 0 729.5G 0 part │ └─enc 254:0 0 729.5G 0 crypt │ ├─pool-swap 254:1 0 64G 0 lvm [SWAP] │ └─pool-root 254:2 0 665.5G 0 lvm /mnt │ /home │ ... │ / ├─nvme0n1p3 259:3 0 4G 0 part └─nvme0n1p4 259:4 0 196G 0 part`	16:24:37
sudoforge	well ignoring partitions 3 and 4, we have basically the same core setup: a single luks container that contains our filesystems	16:25:31
sudoforge	this is really more telling, i guess: `➜ sudo parted /dev/nvme0n1 print Model: DOES-NOT-MATTER (nvme) Disk /dev/nvme0n1: 2000GB Sector size (logical/physical): 512B/512B Partition Table: gpt Disk Flags: Number Start End Size File system Name Flags 1 1049kB 2000GB 2000GB primary 2 2000GB 2000GB 512MB fat32 ESP boot, esp`	16:26:23

trumee

yes, that seems a good way forward

15:59:01

sudoforge

it's a rather strange way forward

16:05:50

sudoforge

but, yes, it should get you there

16:06:13

sudoforge

i'm not really sure how boot.resumeDevice is going to play with that

16:06:48

sudoforge

what you could do instead, is encrypt the entire disk (except your ESP partition if using systemd-boot) and within the unlocked container, set up your different filesystems

16:07:42

sudoforge

that's what i'd call far more typical on single-disk installations

16:08:09

trumee

why do you think this is strange?

16:09:46

sudoforge

well, what does it accomplish?

16:10:35

sudoforge

you increase complexity and gain, what?

16:10:42

sudoforge

well, and we should probably clarify: are you using a framework laptop with a single disk for your system, or are you using multiple disks?

16:11:56

trumee

yes, i have a single disk.

16:12:07

sudoforge

okay, yeah, i'm going to call it strange then

16:12:22

trumee

My goal is to use Yubikey to decrypt the disk.

16:12:24

sudoforge

you can just do that, directly, on the single luks container that is your entire disk (sans your ESP partition if using systemd-boot)

i do this on my FW13

i was using ZFS encryption instead of using Luks.

16:13:19

sudoforge

no, you're using luks for your keyfile and then using that for zfs

16:13:53

sudoforge

based on: https://discourse.nixos.org/t/yubikey-fido2-and-boot-initrd-systemd/60051/18?u=trumee

16:14:10

sudoforge

anyway, what i've described is far simpler

16:15:09

sudoforge

you are welcome to continue doing what you're doing, of course

16:15:21

sudoforge

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc

16:16:31

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc)

16:16:34

trumee

that is more accurate, my goal was to use native zfs encryption when i set the system up.

16:16:52

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc)

16:16:54

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc). my single luks container is unlocked with my security key's PIN and presence.

16:17:33

trumee

this is what i have currently,

root@lappy ~# lsblk /dev/nvme0n1
NAME                                                                  MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                                               259:0    0  1.8T  0 disk  
├─nvme0n1p1                                                           259:1    0    1G  0 part  /boot
├─nvme0n1p2                                                           259:2    0   32M  0 part  
├─nvme0n1p3                                                           259:3    0   86G  0 part  
│ └─dev-disk-byx2did-nvmex2dSHPP41x2dpart 254:0    0   86G  0 crypt [SWAP]
└─nvme0n1p4                                                           259:4    0  1.7T  0 part

16:18:38

sudoforge

do you see and understand the difference?

16:20:41

Albert Larsan

I have something even more complex (ignore p3 and p4, an old dual boot)

❯ lsblk /dev/nvme0n1
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1         259:0    0 931.5G  0 disk  
├─nvme0n1p1     259:1    0     2G  0 part  /boot
├─nvme0n1p2     259:2    0 729.5G  0 part  
│ └─enc         254:0    0 729.5G  0 crypt 
│   ├─pool-swap 254:1    0    64G  0 lvm   [SWAP]
│   └─pool-root 254:2    0 665.5G  0 lvm   /mnt
│                                          /home
│                                          ...
│                                          /
├─nvme0n1p3     259:3    0     4G  0 part  
└─nvme0n1p4     259:4    0   196G  0 part

16:24:37

sudoforge

well ignoring partitions 3 and 4, we have basically the same core setup: a single luks container that contains our filesystems

16:25:31

sudoforge

this is really more telling, i guess:

➜ sudo parted /dev/nvme0n1 print
Model: DOES-NOT-MATTER (nvme)
Disk /dev/nvme0n1: 2000GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  2000GB  2000GB               primary
 2      2000GB  2000GB  512MB   fat32        ESP      boot, esp

16:26:23

Load older messages

Show newer messages