From 737b74c58de0712973f81c91aa07748c02deef70 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 24 Jan 2026 10:55:16 -0800
Subject: adding a new VM for testing Re-key all the secrets.
---
 profiles/disk/btrfs-on-luks.nix | 102 +++++++++++++++++++++-------------------
 1 file changed, 54 insertions(+), 48 deletions(-)
(limited to 'profiles/disk/btrfs-on-luks.nix')
diff --git a/profiles/disk/btrfs-on-luks.nix b/profiles/disk/btrfs-on-luks.nix
index 3fe57f7..aea2c0c 100644
--- a/profiles/disk/btrfs-on-luks.nix
+++ b/profiles/disk/btrfs-on-luks.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, config, ... }:
 let
 btrfsopt = [
 "compress=zstd"
@@ -13,55 +13,52 @@ in
 ];
 disko.devices = {
- disk = {
- main = {
- type = "disk";
- device = "/dev/nvme0n1";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "2G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [
- "fmask=0022"
- "dmask=0022"
- ];
- };
+ disk.disk1 = {
+ type = "disk";
+ device = lib.mkDefault "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
 };
- luks = {
- size = "100%";
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "nixos";
+ passwordFile = "/tmp/disk.key";
+ settings.allowDiscards = true;
 content = {
- type = "luks";
- name = "nixos";
- passwordFile = "/tmp/pass";
- settings = {
- allowDiscards = true;
- };
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "@root" = {
- mountpoint = "/";
- mountOptions = btrfsopt;
- };
- "@home" = {
- mountpoint = "/home";
- mountOptions = btrfsopt;
- };
- "@nix" = {
- mountpoint = "/nix";
- mountOptions = btrfsopt;
- };
- "@data" = {
- mountpoint = "/data";
- mountOptions = btrfsopt;
- };
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = lib.mkIf (!config.ephemeralRoot) {
+ mountpoint = "/";
+ mountOptions = btrfsopt;
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = btrfsopt;
+ };
+ "/data" = {
+ mountpoint = "/data";
+ mountOptions = btrfsopt;
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = btrfsopt;
 };
 };
 };
@@ -70,5 +67,14 @@ in
 };
 };
 };
+ nodev."/" = lib.mkIf config.ephemeralRoot {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=16G"
+ "defaults"
+ "mode=755"
+ ];
+ };
 };
+ fileSystems."/persist".neededForBoot = true;
 }
--
cgit v1.2.3
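Review bot: The new `esp` partition drops the previous `mountOptions` and sets nothing in their place, so `/boot` is mounted with the vfat defaults and, under the usual umask, every local user can read the kernels, initrds and any boot-loader seed stored there; I would add `mountOptions = [ "umask=0077" ];` to `esp.content`. The `passwordFile = "/tmp/disk.key";` line would benefit from a comment saying that the file holds the LUKS passphrase for the initial format, has to be created with mode 0600 in the installer and should be deleted once the install finishes, because `/tmp` is shared. Renaming the disk to `disk1` and the subvolumes from `@root`/`@nix`/`@data` to `/root`/`/nix`/`/data` while dropping `@home` presumably changes the labels and `subvol=` options generated for hosts that already use this profile, so the commit message should say whether those hosts are expected to be reinstalled.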
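Review bot: The tmpfs root under `nodev."/"` hard-codes `size=16G`, which likely exceeds the memory of a small test VM, so a process filling `/` can exhaust RAM well before the limit applies; wrap the list as `mountOptions = lib.mkDefault [ "size=16G" "defaults" "mode=755" ];` or expose the size as an option so small hosts can lower it. With `/` on tmpfs, everything outside `/nix`, `/data` and `/persist` disappears at reboot, which includes SSH host keys and `/var/log`; a comment above the block should state that whatever enables `ephemeralRoot` has to persist those paths, otherwise host identity changes on every boot and audit logs are lost. `config.ephemeralRoot` is not declared in this file, so I am assuming the option is defined in another module.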