| 28 Apr 2025 |
@realhotgirlshit:envs.net | Does disko-install change a partition’s UUID every time it’s run? | 23:36:47 |
| @cent:neuland.enterprises left the room. | 23:39:13 |
| 29 Apr 2025 |
hexa | probably, yeah | 01:21:52 |
hexa | but you can use the disko config to populate mountpoints | 01:22:24 |
hexa | so that's a non-issue for mounting | 01:22:34 |
lassulus | I think you can specify uuids now. But I never tested it | 01:28:39 |
@realhotgirlshit:envs.net | I’m trying to install NixOS through disko with a BTRFS partition / full-disk-encrypted setup. I’ve changed the configuration in a couple of different ways and ran disko-install each time. GRUB always allows two password entries, telling me "Invalid password", and a third attempt which ends with a "cryptodisk not found" meltdown and rescue prompt.
The changes I’ve made recently:
Changed all UUID partition references to /dev/sda or /dev/sda2. Made sure that btrfs was present during boot. Expanded the boot device definition to have more details vs. the previous version, which just had the path.
Relevant configuration.nix:
# Disable UEFI.
boot.loader.systemd-boot.enable = false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = false;
boot.loader.grub.enableCryptodisk = true;
boot.loader.efi.canTouchEfiVariables = false;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
# LUKS container the initrd unlocks before mounting root.
# Each named mapping takes a single "device" path (there is no "devices" list).
boot.initrd.luks.devices.cryptroot.device = "/dev/sda2";
boot.initrd.supportedFilesystems = [ "btrfs" ];
Disko configuration in flake.nix:
{
  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
  inputs.disko.url = "github:nix-community/disko/latest";
  inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
  outputs = { self, disko, nixpkgs }: {
    nixosConfigurations.koolthing = nixpkgs.legacyPackages.x86_64-linux.nixos [
      ./configuration.nix
      disko.nixosModules.disko
      {
        disko.devices = {
          disk = {
            main = {
              type = "disk";
              device = "/dev/sda";
              content = {
                type = "gpt";
                partitions = {
                  # BIOS boot partition so legacy GRUB can embed its core image on a GPT disk.
                  boot = {
                    size = "1M";
                    type = "EF02"; # Grub MBR.
                  };
                  # The LUKS-encrypted root.
                  luks = {
                    size = "300G";
                    content = {
                      type = "luks";
                      name = "crypted";
                      # Set up with an interactive password and not a keyfile.
                      settings = {
                        allowDiscards = true;
                      };
                      # The Btrfs filesystem.
                      content = {
                        type = "btrfs";
                        extraArgs = [ "-f" ]; # Overwrite any existing file system.
                        subvolumes = {
                          "/root" = {
                            mountpoint = "/";
                            mountOptions = [
                              "compress=zstd"
                              "noatime"
                            ];
                          };
                          # The home subvolume.
                          "/home" = {
                            mountpoint = "/home";
                            mountOptions = [
                              "compress=zstd"
                              "noatime"
                            ];
                          };
                          # The nix subvolume.
                          "/nix" = {
                            mountpoint = "/nix";
                            mountOptions = [
                              "compress=zstd"
                              "noatime"
                            ];
                          };
                        };
                      };
                    };
                  };
                };
              };
            };
          };
        };
      }
    ];
  };
}
| 01:43:10 |
lassulus | Remove the enableCryptodisk option from grub. This is used for encrypted /boot partitions | 02:00:08 |
lassulus | Oh wait that seems to be what you want to do? | 02:00:32 |
lassulus | Does grub support btrfs for finding the kernel? | 02:01:53 |
@realhotgirlshit:envs.net | I didn’t know that, but I think that’s what I want | 02:07:04 |
@realhotgirlshit:envs.net | If not, I will not encrypt /boot | 02:07:54 |
lassulus | It could be that grub only supports luks1 but we do luks2 nowadays | 02:15:40 |
lassulus | I used the grub unlocking years ago. But it was pretty slow and frustrating :D | 02:16:12 |
lassulus | Maybe this is better if you boot the machine via efi instead of legacy. But not sure | 02:16:35 |
@realhotgirlshit:envs.net | Yeah, my machine doesn’t support legacy | 03:58:56 |
@realhotgirlshit:envs.net | I’m looking up tutorials to see if they have anything useful | 03:59:07 |
@realhotgirlshit:envs.net | I want to encrypt boot if possible | 03:59:16 |
lassulus | Maybe here is some context about luks2 support in grub: https://savannah.gnu.org/bugs/?55093 | 04:49:38 |
lassulus | I haven't read it yet. So maybe you can check there | 04:50:21 |
@realhotgirlshit:envs.net | Okay, so GRUB LUKS2 support is not great | 05:03:51 |
@realhotgirlshit:envs.net | So no encrypted /boot | 05:04:22 |
@realhotgirlshit:envs.net | That’s the only ramification, anything about FDE in general? | 05:04:58 |
lassulus | No I usually do LUKS fde on all my computers | 05:07:42 |
@realhotgirlshit:envs.net | With GRUB? | 05:09:58 |
lassulus | That doesn't matter usually. Since the kernel does the decryption in the initrd | 05:10:45 |
lassulus | I use grub or systemd-boot on different systems | 05:11:13 |
@realhotgirlshit:envs.net | perfect 😁 | 05:11:36 |
@realhotgirlshit:envs.net | I’ll remove the cryptodisk stuff | 05:11:46 |
lassulus | You have to add a /boot partition outside the luks also | 05:12:12 |