| 10 May 2026 |
sudoforge | but that has inherent risks IMO | 20:54:30 |
trumee | Thanks, i used this now. And it built,
```
nvme1n1 259:1 0 1.8T 0 disk
├─nvme1n1p1 259:2 0 2G 0 part /mnt/boot
└─nvme1n1p2 259:3 0 1.8T 0 part
  └─enc 254:3 0 1.8T 0 crypt
    ├─pool-swap 254:4 0 98G 0 lvm [SWAP]
    └─pool-root 254:5 0 1.7T 0 lvm /mnt/var/log
                                    /mnt/persist
                                    /mnt/nix
                                    /mnt
```
| 20:54:35 |
sudoforge | @trumee you also won't need the /persist subvol if you aren't using the impermanence module | 20:55:18 |
trumee | right i don't need that. How can i enroll my yubikey with disko? I do something like systemd-cryptenroll --fido2-device=auto /dev/disk | 20:56:19 |
Albert Larsan | Yes, I like the passphrases. (the PCR selection I have is lax enough that I was able to disable secure boot, boot clonezilla, clone from one disk to another, and re-enable secure boot, and the disk auto-unlocked)
I have both (poor) passphrases and (poor) PCR selections for the servers. | 20:56:38 |
sudoforge | ```
luks = {
  size = "100%";
  content.type = "luks";
  content.name = "system";
  content.settings.allowDiscards = true;
  # use a fido2 key for unlocking
  content.enrollFido2 = true;
  # do not generate a recovery passphrase
  content.enrollRecovery = false;
  content.content = {
    type = "btrfs";
    ...
  };
};
```
| 20:56:54 |
sudoforge | then i'm not seeing the problem with using disko :P | 20:57:34 |
Albert Larsan | I do use disko, just that I don’t enroll the TPM using disko | 20:57:58 |
sudoforge | well, i mean for setting up the initial encryption | 20:58:11 |
sudoforge | passphrase, in your case | 20:58:18 |
trumee | do i need compress=zstd:3 or simply compress=zstd ? | 20:58:20 |
Albert Larsan | Both are currently equivalent | 20:58:33 |
Albert Larsan | But setting 3 is more explicit | 20:58:41 |
trumee | this did not work,
```
luks = {
  size = "100%";
  content = {
    type = "luks";
    name = "enc";
    enrollFido2 = true;
    settings = {
      allowDiscards = true;
    };
    content = {
      type = "lvm_pv";
      vg = "pool";
    };
  };
};
```
| 20:59:27 |
Albert Larsan | And you know what to change depending on whether your storage fills up (increase the number everywhere) or your CPU is hammered (decrease the number, even into the negatives if needed) | 20:59:32 |
trumee | error: The option `disko.devices.disk.disk1.content.partitions.luks.content.enrollFido2' does not exist. Definition values: | 20:59:43 |
sudoforge | you need to update the disko binary you're using, and the disko library you're using | 21:00:06 |
trumee | i used sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount /tmp/disk-config.nix from https://github.com/nix-community/disko | 21:00:26 |
sudoforge | yeah i just checked, it's not released | 21:00:42 |
sudoforge | so change /latest to /master | 21:00:57 |
Albert Larsan | That is what it does, asks me for a passphrase at format step. | 21:01:16 |
sudoforge | i didn't see encryption configuration in the config you shared earlier. did i miss it? | 21:01:38 |
sudoforge | oh, so i did | 21:01:51 |
sudoforge | oops | 21:01:51 |
Albert Larsan | There is luks, but with default-ish configs | 21:02:10 |
sudoforge | yeah, which will just ask for a passphrase | 21:02:24 |
sudoforge | i'm tracking now | 21:02:32 |
sudoforge | trumee the fido2 support landed 3 weeks ago, and unfortunately a release hasn't been cut yet | 21:03:18 |
sudoforge | which is why "latest" didn't work for you | 21:03:25 |
Albert Larsan | Even the second disk is encrypted. I would have loved to make a key file work, but despite trying for a week I couldn’t, so it also has a passphrase and unlocks from the TPM | 21:03:35 |