setup disk encryption on JWST

hosts/JWST/configuration.nix

@@ -10,12 +10,33 @@
 
   # ------------ System ------------
 
-  boot.loader.grub.extraEntries = ''
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-    menuentry "Void" {
+  boot.loader.grub.enableCryptodisk = true;
-      search --set=void --fs-uuid 987518fa-8ea0-49a6-b1e5-1fed4e4ae50f
+
-      configfile "($void)/boot/grub/grub.cfg"
+  boot.initrd = {
-    }
+    luks.devices."root" = {
-  '';
+      device = "/dev/disk/by-uuid/25e06c9e-3f53-4abc-a656-d8b388b27f58"; # UUID for /dev/nvme01np2 
+      preLVM = true;
+      keyFile = "/keyfile0.bin";
+      allowDiscards = true;
+    };
+    secrets = {
+      # Create /mnt/etc/secrets/initrd directory and copy keys to it
+      "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
+      "keyfile1.bin" = "/etc/secrets/initrd/keyfile1.bin";
+    };
+  };
+
+  # Data mount
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/12c28d9c-f781-499c-bd58-ad2608c9322a"; # UUID for /dev/mapper/crypted-data
+    encrypted = {
+      enable = true;
+      label = "crypted-data";
+      blkDev = "/dev/disk/by-uuid/3f16043b-ab85-42af-a3aa-a687372dae67"; # UUID for /dev/nvme1n1p1
+      keyFile = "/keyfile1.bin";
+    };
+  };
 
   time.timeZone = "America/New_York";
 
@@ -27,7 +48,7 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 
   # ------------ Graphics ------------
 

hosts/JWST/hardware-configuration.nix

@@ -1,45 +1,31 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
 {
-  config,
+  imports =
-  lib,
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  pkgs,
+    ];
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.initrd.kernelModules = [];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = ["kvm-intel"];
+  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [];
+  boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/d05d358d-19d4-4629-b0bd-594a754ad76d";
+    { device = "/dev/disk/by-uuid/09e1694e-5236-45d3-b454-1dbe9ac473da";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
 
-  fileSystems."/boot" = {
+  fileSystems."/boot/efi" =
-    device = "/dev/disk/by-uuid/6DD4-5A29";
+    { device = "/dev/disk/by-uuid/20C7-3E47";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
 
-  fileSystems."/mnt/void" = {
+  swapDevices =
-    device = "/dev/disk/by-uuid/987518fa-8ea0-49a6-b1e5-1fed4e4ae50f";
+    [ { device = "/dev/disk/by-uuid/9d8aab67-42c8-4139-a178-275523260792"; }
-    fsType = "ext4";
+    ];
-  };
-
-  fileSystems."/mnt/secondary" = {
-    device = "/dev/disk/by-uuid/3b424592-6b20-42e0-9d28-8bf562c15913";
-    fsType = "ext4";
-  };
-
-  swapDevices = [
-    {device = "/dev/disk/by-uuid/802e89ce-52b8-41b9-85ea-b969ab08765f";}
-  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -49,6 +35,5 @@
   # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }