RAID on Giovanni Bassihttps://giggio.net/en/blog/tags/raid/https://giggio.net/images/base/logo-small.pngRAID on Giovanni Bassihttps://giggio.net/en/blog/tags/raid/RAID no site do Giovanni BassiHugoengiggio@giggio.net (Giovanni Bassi)giggio@giggio.net (Giovanni Bassi)© 2025 Giovanni BassiWed, 06 May 2026 11:00:00 -0300NixOS: Installation Guide with RAID 1, encryption, and TPM unlock (part 2 - Disko, LUKS, and btrfs)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/Wed, 06 May 2026 11:00:00 -0300giggio@giggio.net (Giovanni Bassi)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/infra<p>In this post I keep on building a NixOS setup with secure storage, now going deeper into Disko, LUKS, and btrfs.</p> <p>This is the second post in the series. <a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-1/">Read the first one</a>.</p> <p>In the previous post I showed how to create the virtual machine and partition the disks using <a href="https://github.com/nix-community/disko/">Disko</a>. The main command was:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo nix --experimental-features <span class="s2">&#34;nix-command flakes&#34;</span> run github:nix-community/disko/latest -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mode destroy,format,mount ~/nixos/disko.nix </span></span></code></pre></div><p>Although the file <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/disko.nix">disko.nix</a> is part of a <a href="https://nixos.wiki/wiki/flakes">flake</a> (a versioned Nix configuration), in this case I ran only the file on its own with <code>nix run</code>.</p> <p>It is also possible to run only the <code>mount</code> step, after the disk has already been partitioned and formatted, with <code>--mode mount</code>.</p> <h3 id="what-disko-is"> <a href="#what-disko-is" class="site-blog-post-header"> <span class="site-blog-post-header-text">What Disko is</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Disko is a project that brings Nix a declarative way to partition and format disks. In Nix, everything is done declaratively, except disk partitioning and formatting. Disko solves that. Partitioning and formatting disks is done only at the start of an installation, and that is exactly where the project is useful.</p> <p>In addition, Disko provides a NixOS module that lets you use what was declared to define NixOS file systems, which are normally declared in the file <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/hardware-configuration.nix">hardware-configuration.nix</a>. I will talk more about that at the end.</p> <p>Disko can also be used in the installation process imperatively, through the command line. That is what I did when installing <a href="https://codeberg.org/giggio/nixos_serverbase/src/commit/8e8a356183698c248daa22c1a7be66e900996d7c/modules/lib.nix#L282">my servers</a>.</p> <h3 id="configuring-the-disk-and-its-first-partition"> <a href="#configuring-the-disk-and-its-first-partition" class="site-blog-post-header"> <span class="site-blog-post-header-text">Configuring the disk and its first partition</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>I am working with two disks. The second disk is where all the file system declarations live, so I will focus on it. The first disk ends up being a bit simpler, since it will be mirrored from the first one (I will talk about that below, in the <a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/#raid-1-on-btrfs">RAID section</a>).</p> <p>At the beginning I declare the disk, the device I am referring to (<code>/dev/vdb</code> — that is, the second virtual disk), and the first partition, which will be the EFI system partition, or <code>ESP</code> (<a href="https://en.wikipedia.org/wiki/EFI_system_partition">EFI System Partition</a>):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">devices</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># disk1 omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;disk&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/vdb&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;gpt&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">ESP</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="s2">&#34;1G&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;EF00&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">label</span> <span class="o">=</span> <span class="s2">&#34;EFI2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;filesystem&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;-n&#34;</span> <span class="s2">&#34;EFI2&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">format</span> <span class="o">=</span> <span class="s2">&#34;vfat&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/boot&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mountOptions</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;umask=0077&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="c1"># crypt_disk2 partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Note that the mount options are included, and are used both by Disko&rsquo;s <code>mount</code> command and by the Disko module when defining file systems.</p> <p>In this case, an ESP partition needs to have type <code>EF00</code> and be formatted as <code>vfat</code>. I also set the label of the partition to <code>EFI2</code>, and the file system label to the same value (with <code>-n EFI</code>, an argument passed to <code>mkfs.vfat</code>).</p> <p>This part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">parted /dev/vdb mklabel gpt </span></span><span class="line"><span class="cl">parted /dev/vdb mkpart primary 1MiB 1025MiB </span></span><span class="line"><span class="cl">parted /dev/vdb <span class="nb">set</span> <span class="m">1</span> esp on </span></span><span class="line"><span class="cl">mkfs.fat -F <span class="m">32</span> -n EFI2 /dev/vdb1 </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">mount /dev/disk/by-label/EFI2 /boot </span></span></code></pre></div><h3 id="second-partition-luks--btrfs"> <a href="#second-partition-luks--btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">Second partition: LUKS + btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Next, I need to create the Linux partition, which I want to be encrypted. The encryption will be handled by <a href="https://gitlab.com/cryptsetup/cryptsetup/">LUKS</a>, so the <code>type</code> is defined as <code>luks</code> (in the ESP it was defined as <code>filesystem</code>). That means the command used to set up the partition will be <code>cryptsetup luksFormat</code>, and it is what receives the partition label parameter <code>--label NIXLUKS2</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">devices</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ESP partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">crypt_disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="s2">&#34;100%&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">label</span> <span class="o">=</span> <span class="s2">&#34;NIXLUKS2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;luks&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">name</span> <span class="o">=</span> <span class="s2">&#34;crypt_disk2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraFormatArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;--label&#34;</span> <span class="s2">&#34;NIXLUKS2&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">passwordFile</span> <span class="o">=</span> <span class="s2">&#34;</span><span class="si">${</span><span class="sr">./luks-password.txt</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">settings</span> <span class="o">=</span> <span class="p">{</span> <span class="n">allowDiscards</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> <span class="p">};</span> <span class="c1"># btrfs details omitted</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> <span class="c1"># other curly braces omitted</span> </span></span></code></pre></div><p>On a real NixOS system the password coming from the <code>luks-password.txt</code> file would be encrypted. I usually use <a href="https://github.com/Mic92/sops-nix/">sops-nix</a> for that.</p> <p>That previous part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">parted /dev/vdb mkpart primary 1025MiB 100% </span></span><span class="line"><span class="cl">cryptsetup --label<span class="o">=</span>NIXLUKS2 luksFormat --type luks2 /dev/vdb2 </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">cryptsetup open /dev/vdb2 crypt_disk2 </span></span></code></pre></div><p><strong>Note</strong>: The password is entered interactively in the commands above.</p> <p>Then, in the content part, we define what goes inside the LUKS encrypted volume, in this case, a btrfs file system.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="c1"># beginning omitted</span> </span></span><span class="line"><span class="cl"><span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ESP partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">crypt_disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LUKS details omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;--label&#34;</span> <span class="s2">&#34;NIXOS&#34;</span> <span class="s2">&#34;-d&#34;</span> <span class="s2">&#34;raid1&#34;</span> <span class="s2">&#34;-m&#34;</span> <span class="s2">&#34;raid1&#34;</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">subvolumes</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@home&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/home&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@root&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/root&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@nix&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/nix&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></div><p>This part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cryptsetup open /dev/vdb2 crypt_disk2 </span></span><span class="line"><span class="cl">mkfs.btrfs --label NIXOS -d raid1 -m raid1 /dev/mapper/crypt_disk1 /dev/mapper/crypt_disk2 </span></span><span class="line"><span class="cl">mkdir -p /mnt </span></span><span class="line"><span class="cl">mount /dev/mapper/crypt_disk2 /mnt </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@ </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@home </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@root </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@nix </span></span><span class="line"><span class="cl">umount /mnt </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@ /dev/mapper/crypt_disk2 / </span></span><span class="line"><span class="cl">mkdir /mnt/<span class="o">{</span>home,nix,root,boot<span class="o">}</span> </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@home /dev/mapper/crypt_disk2 /home </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@nix /dev/mapper/crypt_disk2 /nix </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@root /dev/mapper/crypt_disk2 /root </span></span></code></pre></div><p>At the end of the operation, Disko will mount btrfs at <code>/mnt</code>. You can verify everything by running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># list the partitions and file systems</span> </span></span><span class="line"><span class="cl">lsblk -f </span></span><span class="line"><span class="cl"><span class="c1"># list the btrfs subvolumes</span> </span></span><span class="line"><span class="cl">sudo btrfs subvolume list /mnt </span></span></code></pre></div><h3 id="raid-1-on-btrfs"> <a href="#raid-1-on-btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">RAID 1 on btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Notice that I passed the parameters <code>-d raid1 -m raid1 /dev/mapper/crypt_disk1</code>, which means btrfs will be running in RAID 1 for both metadata and data, and in parity with the first disk, which has also already been configured for encryption with LUKS. The reason for defining everything on the second disk is because Disko operates in the order defined, so when disk 1 is being prepared disk 2 still has not been partitioned.</p> <p>In RAID 1, everything written to one disk is immediately copied (mirrored) to the other disks. In this case, we have a RAID 1 with two disks, controlled directly by the btrfs file system. With Linux, it is very common to do this with <a href="https://docs.kernel.org/admin-guide/md.html">mdadm</a>, but in this case mdadm is unnecessary because btrfs <a href="https://btrfs.readthedocs.io/en/latest/Volume-management.html">has native RAID support</a>.</p> <p>You can check the RAID status by running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">btrfs device stats /mnt </span></span></code></pre></div><h3 id="subvolumes-on-btrfs"> <a href="#subvolumes-on-btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">Subvolumes on btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>I defined several <a href="https://btrfs.readthedocs.io/en/latest/Subvolumes.html">btrfs subvolumes</a>. They are useful because they let us manage them independently. For example, we can save everything written to a volume using snapshots, as well as define several settings that on other file systems are available only for partitions, such as quotas, for example. They can also be nested, inheriting the settings and actions performed within the hierarchy.</p> <p>Subvolumes can also be mounted wherever we want, and that is exactly what we did, for example by mounting <code>/home</code> from the <code>@home</code> volume.</p> <p>On an already prepared system, this is the list of subvolumes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">$</span> sudo btrfs subvolume list / </span></span><span class="line"><span class="cl"><span class="go">ID 256 gen 1103 top level 5 path @ </span></span></span><span class="line"><span class="cl"><span class="go">ID 257 gen 923 top level 5 path @home </span></span></span><span class="line"><span class="cl"><span class="go">ID 258 gen 923 top level 5 path @nix </span></span></span><span class="line"><span class="cl"><span class="go">ID 259 gen 695 top level 5 path @root </span></span></span><span class="line"><span class="cl"><span class="go">ID 260 gen 19 top level 256 path srv </span></span></span><span class="line"><span class="cl"><span class="go">ID 261 gen 19 top level 256 path var/lib/portables </span></span></span><span class="line"><span class="cl"><span class="go">ID 262 gen 19 top level 256 path var/lib/machines </span></span></span><span class="line"><span class="cl"><span class="go">ID 263 gen 1080 top level 256 path tmp </span></span></span><span class="line"><span class="cl"><span class="go">ID 264 gen 1080 top level 256 path var/tmp </span></span></span></code></pre></div><p>The root volume is always <code>5</code>, which is why the four subvolumes created point to it as the parent subvolume.</p> <p>It is still possible to create subvolumes with <code>btrfs subvolume create</code> and make snapshots with <code>btrfs subvolume snapshot</code>.</p> <h3 id="using-disko-as-a-module"> <a href="#using-disko-as-a-module" class="site-blog-post-header"> <span class="site-blog-post-header-text">Using Disko as a module</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>As I mentioned at the start of the post, Disko lets you use it as a module that declares file systems, without needing to declare them in the <code>hardware-configuration.nix</code> file.</p> <p>To use it, just add <code>disko.nixosModules.disko</code> to the system modules, along with your Disko configuration file, which in this example is <code>disko.nix</code>, the same one that was used on its own to create the file system. It looks like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">inputs</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixpkgs</span><span class="o">.</span><span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;github:NixOS/nixpkgs/nixos-unstable&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;github:nix-community/disko/latest&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">inputs</span><span class="o">.</span><span class="n">nixpkgs</span><span class="o">.</span><span class="n">follows</span> <span class="o">=</span> <span class="s2">&#34;nixpkgs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">outputs</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="n">self</span><span class="o">,</span> <span class="n">nixpkgs</span><span class="o">,</span> <span class="n">disko</span><span class="o">,</span> <span class="o">...</span> <span class="p">}</span><span class="o">@</span><span class="n">inputs</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixosConfigurations</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixos</span> <span class="o">=</span> <span class="n">nixpkgs</span><span class="o">.</span><span class="n">lib</span><span class="o">.</span><span class="n">nixosSystem</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">system</span> <span class="o">=</span> <span class="s2">&#34;x86_64-linux&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">modules</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="sr">./configuration.nix</span> </span></span><span class="line hl"><span class="cl"> <span class="sr">./disko.nix</span> </span></span><span class="line hl"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">nixosModules</span><span class="o">.</span><span class="n">disko</span> </span></span><span class="line"><span class="cl"> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Note that my <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/hardware-configuration.nix">hardware-configuration.nix</a> file does not declare any file systems. See <a href="https://wiki.nixos.org/wiki/Filesystems">NixOS docs about file systems</a> for how this is normally declared, and, because I used Disko, I did not need to do it.</p> <p>If I had to do it manually, it would be more or less like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fileSystems</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/home&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@home&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/nix&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@nix&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/root&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@root&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/boot&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/disk/by-label/EFI1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;vfat&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;fmask=0022&#34;</span> <span class="s2">&#34;dmask=0022&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>And that only after manually partitioning the main disks with LUKS and formatting them with btrfs.</p> <p>It becomes obvious how much Disko simplifies the whole process: we use its definitions to configure the disks during installation, and later to bring up the operating system itself.</p> <h3 id="conclusion"> <a href="#conclusion" class="site-blog-post-header"> <span class="site-blog-post-header-text">Conclusion</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>With a disk and file system declaration that is later used to configure it, it is possible to prepare all the storage for a future Linux operating system using just one command line.</p> <p>Instead of having to keep commands in documentation or build a shell script to prepare everything, we have it all versioned in executable files.</p> <p>In the next post I will show how to finally install NixOS on the file system that was mounted. In the following ones I will demonstrate how to use TPM to obtain an encryption key that will be used to unlock LUKS without human interaction, directly at boot.</p>