refactor(disk): enhance LUKS encryption and disk configurations #552
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add separate vault partition with strong encryption for storing LUKS keys - Implement key-file based unlocking for secondary partitions instead of password - Add openssh to install-anywhere runtime dependencies - Update disk configurations for maul, phasma and vader systems - Add new disk configuration files for vader and phasma - Fix chown permissions after nixos-anywhere installation - Improve encryption parameters with appropriate memory and iteration settings refactor(disk): replace mdraid with luks+btrfs for storage setup
There was a problem hiding this comment.
Pull Request Overview
Refactors disk configurations to replace mdraid with LUKS+Btrfs, adds a dedicated encrypted vault partition and key-file–based unlocking, and updates provisioning scripts with keyfile support and new runtime dependencies.
- Introduce a separate
/vaultpartition with custom LUKS parameters and ext2 filesystem - Migrate snapshot and home RAID-0 setups from mdraid to LUKS+Btrfs across vader, phasma, and maul
- Enhance install-system/install-anywhere scripts to generate, deploy, and secure key files; add
opensshto runtimeInputs
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| nixos/vader/disks.nix | Add vault partition and update LUKS/Btrfs settings |
| nixos/vader/disks-snapshot.nix | Replace mdraid snapshots with LUKS and Btrfs RAID-0 |
| nixos/vader/disks-home.nix | Migrate home RAID to LUKS and Btrfs |
| nixos/phasma/disks.nix | Add vault partition and revise LUKS/Btrfs parameters |
| nixos/phasma/disks-snapshot.nix | Convert snapshot RAID to LUKS and Btrfs |
| nixos/phasma/disks-home.nix | Switch home RAID to LUKS and Btrfs |
| nixos/maul/disks.nix | Update vault and crypt partitions with LUKS settings |
| nixos/_mixins/scripts/install-system/install-system.sh | Generate and install keyfiles for encrypted volumes |
| nixos/_mixins/scripts/install-anywhere/install-anywhere.sh | Copy LUKS key during “install-anywhere” provisioning |
| nixos/_mixins/scripts/install-anywhere/default.nix | Add openssh to install-anywhere runtime dependencies |
Comments suppressed due to low confidence (2)
nixos/maul/disks.nix:82
- The comment states AES-XTS with 512-bit keys, but the
--key-size=256argument is used. Align the comment with the actual key size or update the--key-sizeto match your security requirements.
# AES-XTS with 512-bit keys provides optimal security-performance balance.
nixos/_mixins/scripts/install-system/install-system.sh:117
- Using
grep -q "keyFile"may match any occurrence (including root LUKS slots) and trigger keyfile generation prematurely. Consider matching a more specific pattern (e.g.,--keyFilein a particular partition block) or using a YAML/JSON parser to detect the intended keyFile entry.
if grep -q "keyFile" "nixos/$TARGET_HOST/disks.nix"; then
Comment on lines
+60
to
+66
| extraFormatArgs = [ | ||
| "--cipher=serpent-xts-plain64" | ||
| "--hash=sha512" | ||
| "--iter-time=3000" | ||
| "--key-size=256" | ||
| "--pbkdf-memory=4194304" | ||
| "--sector-size=4096" |
There was a problem hiding this comment.
[nitpick] The LUKS extraFormatArgs block is repeated across multiple configurations. Extract common parameters into a variable or function to reduce duplication and simplify future adjustments.
Suggested change
| extraFormatArgs = [ | |
| "--cipher=serpent-xts-plain64" | |
| "--hash=sha512" | |
| "--iter-time=3000" | |
| "--key-size=256" | |
| "--pbkdf-memory=4194304" | |
| "--sector-size=4096" | |
| extraFormatArgs = commonLuksArgs ++ [ | |
| "--cipher=serpent-xts-plain64" | |
| "--hash=sha512" | |
| "--iter-time=3000" | |
| "--pbkdf-memory=4194304" |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
refactor(disk): replace mdraid with luks+btrfs for storage setup