{ disko.devices = { disk = { cryptroot_0 = { type = "disk"; device = "/dev/disk/by-path/pci-0000:02:00.0-nvme-1"; content = { type = "gpt"; partitions = { ESP = { label = "fake_EFI"; name = "fake_ESP"; size = "512M"; type = "8300"; }; luks = { end = "-256G"; content = { type = "luks"; name = "crypted_0"; extraOpenArgs = ["--allow-discards"]; passwordFile = "/tmp/secret.key"; additionalKeyFiles = []; # content is empty here as the btrfs partition will be created via extraArgs of the cryptroot_1 partition def }; }; luksSwap = { end = "-192G"; content = { type = "luks"; name = "crypted_swap_0"; extraOpenArgs = ["--allow-discards"]; passwordFile = "/tmp/secret.key"; additionalKeyFiles = []; content = { type = "swap"; }; }; }; }; }; }; cryptroot_1 = { type = "disk"; device = "/dev/disk/by-path/pci-0000:04:00.0-nvme-1"; content = { type = "gpt"; partitions = { ESP = { label = "real_EFI"; name = "ESP"; size = "512M"; type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; mountOptions = [ "defaults" ]; }; }; luks = { end = "-256G"; content = { type = "luks"; name = "crypted_1"; extraOpenArgs = ["--allow-discards"]; passwordFile = "/tmp/secret.key"; additionalKeyFiles = []; content = { # this partiton needs to be in the last parent part alphabetically to ensure the referenced /crypted_0 dev already exists type = "btrfs"; extraArgs = [ "-L btrfs_vault" "-f" "-m raid1" "-d raid1" "/dev/mapper/crypted_0" ]; subvolumes = { "/_active" = {}; "/_active/root" = { mountpoint = "/"; mountOptions = ["compress=zstd" "noatime"]; }; "/_active/home" = { mountpoint = "/home"; mountOptions = ["compress=zstd" "relatime"]; }; "/_active/nix" = { mountpoint = "/nix"; mountOptions = ["compress=zstd" "noatime"]; }; }; }; }; }; luksSwap = { end = "-192G"; content = { type = "luks"; name = "crypted_swap_1"; extraOpenArgs = ["--allow-discards"]; passwordFile = "/tmp/secret.key"; additionalKeyFiles = []; content = { type = "swap"; resumeDevice = true; }; }; }; }; }; }; }; }; }