| 10 May 2026 |
sudoforge | the config i shared earlier doesn't include LVM under the luks container but can be a great starting point | 20:38:06 |
sudoforge | mount -t btrfs -o defaults,ssd,noatime,compress=zstd:3,subvol=/home /dev/mapper/pool-root /mnt/home
is what i would do
| 20:38:33 |
Albert Larsan | https://git.sr.ht/~albertlarsan68/dotfiles/tree/flake-parts/item/disko-configurations/ginkgo-grid.nix is what I use, just remove disk2 and adapt the swap size | 20:39:23 |
sudoforge | ah you're not setting up encryption with disko? tsk tsk | 20:41:05 |
Albert Larsan | I have VPSes that only have 15G of disk space. On them I run compress-force=zstd:15. Absolutely atrocious write performance, but really small disk usage (2 gigs for a full server) | 20:41:24 |
Albert Larsan | Hey, it is not my fault that the disko documentation is nonexistent!
Also, I really like systemd-cryptsetup. This is a server, it has a few steps before I can enroll the TPM (namely re-activating Secure Boot, once Lanzaboote is working, etc.)
So yes, I set up encryption well after disko has done its job. | 20:43:21 |
Albert Larsan | At least lvm has a passphrase | 20:43:33 |
Albert Larsan | From the start | 20:43:38 |
sudoforge | disko just hands off to systemd-cryptsetup | 20:43:53 |
Albert Larsan | I can’t provision the TPM from the install media AFAIK | 20:44:40 |
Albert Larsan | My original setup came from someone else, and there were even more manual steps (see https://web.archive.org/web/20250919060007/https://github.com/kjhoerr/dotfiles/wiki/NixOS:-Instructions-for-adding-a-new-system) | 20:48:02 |
Albert Larsan | Apparently the repo I took from disappeared | 20:48:41 |
sudoforge | ah, that's right, you can't use the TPM device from the installation media | 20:49:12 |
sudoforge | hmm | 20:49:40 |
sudoforge | well, you could disko to set up the initial encryption for it (passphrase or key file or security key), i guess | 20:50:03 |
sudoforge | then boot and manually enroll the tpm device | 20:50:16 |
sudoforge | that's basically what i do anyway to add additional security keys | 20:50:31 |
Albert Larsan | Disko sets up passphrase encryption when no options are given | 20:50:57 |
sudoforge | by default, with no options specified, that is correct | 20:51:31 |
sudoforge | but you can specify a key file | 20:51:35 |
sudoforge | or content.enrollFido2 | 20:51:56 |
Albert Larsan | But the key file needs to be available in the install env.
Also I’ve never got key files to work. | 20:52:46 |
sudoforge | what's wrong with a passphrase, then? it seems like that needs to be present for you, as a backup option in case PCRs change | 20:53:35 |
sudoforge | i'm not seeing the problem, unless you are avoiding a passphrase altogether and relying on the TPM never failing and PCRs never changing | 20:54:17 |
sudoforge | but that has inherent risks IMO | 20:54:30 |
trumee | Thanks, i used this now. And it built:
```
nvme1n1         259:1  0  1.8T  0 disk
├─nvme1n1p1     259:2  0    2G  0 part  /mnt/boot
└─nvme1n1p2     259:3  0  1.8T  0 part
  └─enc         254:3  0  1.8T  0 crypt
    ├─pool-swap 254:4  0   98G  0 lvm   [SWAP]
    └─pool-root 254:5  0  1.7T  0 lvm   /mnt/var/log
                                        /mnt/persist
                                        /mnt/nix
                                        /mnt
```
| 20:54:35 |
sudoforge | @trumee you also won't need the /persist subvol if you aren't using the impermanence module | 20:55:18 |
trumee | right, i don't need that. How can i enroll my YubiKey with disko? I do something like systemd-cryptenroll --fido2-device=auto /dev/disk | 20:56:19 |
Albert Larsan | Yes, I like the passphrases. (The PCR selection I have is lax enough that I was able to disable Secure Boot, boot Clonezilla, clone from one disk to another, and re-enable Secure Boot, and the disk still auto-unlocked.)
I have both (poor) passphrases and (poor) PCR selections for the servers. | 20:56:38 |
sudoforge |
```nix
luks = {
  size = "100%";
  content.type = "luks";
  content.name = "system";
  content.settings.allowDiscards = true;
  # use a fido2 key for unlocking
  content.enrollFido2 = true;
  # do not generate a recovery passphrase
  content.enrollRecovery = false;
  content.content = {
    type = "btrfs";
    ...
  };
};
```
| 20:56:54 |