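# Declarative disko layout for a single GPT disk: an unencrypted EFI system
# partition mounted at /boot, plus a LUKS container ("cryptroot") that holds
# one btrfs filesystem split into subvolumes.
{
  disko.devices = {
    disk = {
      # NOTE(review): the attribute is called "sda" while the device is
      # /dev/vda. disko partitions and formats whatever `device` names, so
      # consider a stable /dev/disk/by-id/... path to avoid hitting the wrong
      # disk if kernel device names change.
      sda = {
        type = "disk";
        device = "/dev/vda";
        content = {
          type = "gpt";
          partitions = {
            # EFI system partition (GPT type code EF00). It sits outside the
            # LUKS container, so everything stored on it is unencrypted.
            ESP = {
              label = "boot";
              name = "ESP";
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                # vfat carries no per-file permissions; with plain "defaults"
                # the whole of /boot is readable by every local user.
                # umask=0077 limits access to root.
                mountOptions = [ "defaults" "umask=0077" ];
              };
            };
            # Remainder of the disk: LUKS container opened as
            # /dev/mapper/cryptroot.
            luks = {
              size = "100%";
              label = "luks";
              content = {
                type = "luks";
                name = "cryptroot";
                extraOpenArgs = [
                  # Passes TRIM/discard through dm-crypt. Trade-off: someone
                  # with access to the raw device can tell which blocks are
                  # unused. Drop this flag if that leak is not acceptable.
                  "--allow-discards"
                  # Performance only: bypass the dm-crypt read/write
                  # workqueues and process requests synchronously.
                  "--perf-no_read_workqueue"
                  "--perf-no_write_workqueue"
                ];
                # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
                # fido2-device=auto: unlock with any FIDO2 token enrolled in
                # the LUKS2 header. token-timeout=10: wait at most 10 s for a
                # token, then fall back to the passphrase prompt.
                # crypttabExtraOpts only takes effect with the systemd-based
                # initrd. Enrolling the token is a separate step not shown in
                # this file.
                # NOTE(review): the passphrase fallback remains an unlock
                # path, so any passphrase keyslot must be strong on its own.
                settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
                content = {
                  type = "btrfs";
                  # -L sets the filesystem label; -f makes mkfs.btrfs
                  # overwrite an existing filesystem signature.
                  extraArgs = ["-L" "nixos" "-f"];
                  # All subvolumes use zstd level 5 compression and noatime.
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = ["subvol=root" "compress=zstd:5" "noatime"];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = ["subvol=home" "compress=zstd:5" "noatime"];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = ["subvol=nix" "compress=zstd:5" "noatime"];
                    };
                    "/persist" = {
                      mountpoint = "/persist";
                      mountOptions = ["subvol=persist" "compress=zstd:5" "noatime"];
                    };
                    "/log" = {
                      mountpoint = "/var/log";
                      mountOptions = ["subvol=log" "compress=zstd:5" "noatime"];
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };

  # Mount these in the initrd so they are available before stage 2 starts.
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/var/log".neededForBoot = true;
}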