let cryptOpenArgs = [ "--allow-discards" "--perf-same_cpu_crypt" "--perf-submit_from_crypt_cpus" "--perf-no_read_workqueue" "--perf-no_write_workqueue" ]; in { disko.devices = { disk = { cryptroot_0 = { type = "disk"; device = "/dev/disk/by-id/nvme-eui.0000000623072487caf25b0310000017"; content = { type = "gpt"; partitions = { ESP = { label = "fake_EFI"; name = "fake_ESP"; size = "512M"; type = "8300"; }; luks = { end = "-256G"; content = { type = "luks"; name = "crypted_0"; extraOpenArgs = cryptOpenArgs; passwordFile = "/tmp/secret.key"; additionalKeyFiles = [ ]; # content is empty here as the btrfs partition will be created via extraArgs of the cryptroot_1 partition def }; }; luksSwap = { # size = "64G" end = "-192G"; content = { type = "luks"; name = "crypted_swap_0"; extraOpenArgs = cryptOpenArgs; passwordFile = "/tmp/secret.key"; additionalKeyFiles = [ ]; content = { type = "swap"; }; }; }; }; }; }; cryptroot_1 = { type = "disk"; device = "/dev/disk/by-id/nvme-eui.0000000623072487caf25b031000000d"; content = { type = "gpt"; partitions = { ESP = { label = "real_EFI"; name = "ESP"; size = "512M"; type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; mountOptions = [ "defaults" ]; }; }; luks = { end = "-256G"; content = { type = "luks"; name = "crypted_1"; extraOpenArgs = cryptOpenArgs; passwordFile = "/tmp/secret.key"; additionalKeyFiles = [ ]; content = { # this partiton needs to be in the last parent part alphabetically to ensure the referenced /crypted_0 dev already exists type = "btrfs"; extraArgs = [ "-L btrfs_vault" "-f" "-m raid1" "-d raid1" "/dev/mapper/crypted_0" ]; subvolumes = { "/_active" = { }; "/_active/root" = { mountpoint = "/"; mountOptions = [ "autodefrag" "compress=zstd" "discard=async" "noatime" "space_cache=v2" "ssd" ]; }; "/_active/home" = { mountpoint = "/home"; mountOptions = [ "autodefrag" "compress=zstd" "discard=async" "relatime" "space_cache=v2" "ssd" ]; }; "/_active/nix" = { mountpoint = "/nix"; mountOptions = [ "autodefrag" "compress=zstd" "discard=async" "noatime" "space_cache=v2" "ssd" ]; }; }; }; }; }; luksSwap = { end = "-192G"; content = { type = "luks"; name = "crypted_swap_1"; extraOpenArgs = cryptOpenArgs; passwordFile = "/tmp/secret.key"; additionalKeyFiles = [ ]; content = { type = "swap"; resumeDevice = true; }; }; }; }; }; }; }; }; }