# Boot & Disk Layout

## Secure Boot with Lanzaboote

The laptop uses Lanzaboote for UEFI Secure Boot. Instead of the stock NixOS systemd-boot module, Lanzaboote installs a signed copy of systemd-boot and signs a per-generation boot stub that pins the kernel, initrd and kernel command line, so the firmware's signature check covers the whole chain up to the kernel rather than just the bootloader.
```nix
# boot.nix
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

boot = {
  tmp.cleanOnBoot = true;
  supportedFilesystems.zfs = lib.mkForce false;

  loader = {
    timeout = lib.mkForce 0;
    efi.canTouchEfiVariables = true;
    systemd-boot.enable = lib.mkForce false; # Disabled in favour of Lanzaboote
  };

  lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl";
    autoGenerateKeys.enable = true;
    autoEnrollKeys = {
      enable = true;
      autoReboot = true; # Reboot to complete key enrollment
    };
  };
};
```

### Key Points

- systemd-boot is force-disabled -- Lanzaboote takes over the EFI boot process; `lib.mkForce` wins over any other module that tries to enable systemd-boot.
- Automatic key generation -- the Secure Boot signing keys (PK, KEK and db) are generated by sbctl and stored in `/var/lib/sbctl`. These keys are the root of trust for the whole boot chain: anything that can read the private keys can sign a bootable payload, so they must stay on the encrypted root and be backed up somewhere equally protected.
- Automatic key enrollment -- the keys are enrolled into the UEFI firmware and the machine reboots so the firmware starts enforcing them. Enrollment only works while the firmware is in Setup Mode (vendor keys cleared in the firmware setup); after it, only images signed with these keys boot, so check whether Microsoft's certificates need to stay enrolled (sbctl's `enroll-keys --microsoft`) for GPU option ROMs or a dual-booted OS.
- ZFS disabled -- `supportedFilesystems.zfs = lib.mkForce false` keeps the out-of-tree ZFS kernel module out of the build; it is not used on this machine and compiling it against the chosen kernel would otherwise fail without extra configuration.
- Zero boot timeout -- the boot menu is skipped for instant boot; systemd-boot still shows the menu if a key is held down while it starts, so older generations remain reachable.
- Temp cleaned on boot -- `/tmp` is wiped on each boot.
## Disk Layout (disko)

Disk partitioning is declared in `disko.nix` using the disko module:

```
/dev/disk/by-id/nvme-CT1000P3SSD8_2321E6DBFB5A (Crucial 1TB NVMe)
├── boot (1 GB, EF00, FAT32) → /boot
└── root (remaining, LUKS)
    └── cryptroot (ext4) → /
```

### Boot Partition
```nix
boot = {
  size = "1G";
  type = "EF00";
  content = {
    type = "filesystem";
    format = "vfat";
    mountpoint = "/boot";
    mountOptions = [ "defaults" "umask=0077" ];
  };
};
```

- 1 GB -- generous size for multiple kernel generations (each signed Lanzaboote generation carries its own kernel and initrd on the ESP).
- `EF00` -- the GPT type code for an EFI System Partition.
- `umask=0077` -- FAT has no Unix permissions, so the mount-time umask is what stops unprivileged users from reading the bootloader, kernel and initrd images; NixOS warns about a world-readable `/boot` for this reason when initrd secrets are in play.
### Root Partition

```nix
root = {
  size = "100%";
  content = {
    type = "luks";
    name = "cryptroot";
    extraOpenArgs = [ "--allow-discards" ];
    content = {
      type = "filesystem";
      format = "ext4";
      mountpoint = "/";
      mountOptions = [ "defaults" "noatime" "lazytime" "commit=600" ];
    };
  };
};
```

- LUKS encryption with `--allow-discards`, so TRIM passes through the encryption layer to the SSD. The trade-off is a known one: discarded blocks read as zeros on the raw device, which reveals how much of the disk is in use and roughly where the data sits; that leak is accepted here in exchange for SSD performance and wear levelling.
- ext4 with performance-oriented mount options:
  - `noatime` -- no access time updates.
  - `lazytime` -- lazy inode timestamp writeback.
  - `commit=600` -- 10-minute journal commit interval instead of the default 5 seconds, which reduces write amplification on the SSD at the cost of losing up to 10 minutes of writes on a crash or power loss.
## SSD Maintenance

Weekly TRIM is enabled via `fstrim.nix`:

```nix
services.fstrim = {
  enable = true;
  interval = "weekly";
};
```

This works together with `--allow-discards` on the LUKS layer: fstrim issues discards on the ext4 filesystem, dm-crypt forwards them only because the mapping was opened with discards allowed, and the NVMe drive receives them. Without that option the mapping rejects discards and the weekly run fails on `/`.
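The settings above only help if the installed system actually ends up in the expected state: the firmware must report Secure Boot on and Setup Mode off after the enrollment reboot, `/boot` must be mounted with the restrictive mask, `/` must carry the ext4 options, and the `cryptroot` mapping must have discards enabled for the weekly fstrim to do anything. The POSIX shell script below is an added example, not part of this repository; it reads efivarfs, `/proc/mounts` and `dmsetup table` output, and ships with a constructed sample set (`make_samples`) so the checks can be exercised offline. The file layouts it parses are the kernel's own (efivarfs variables are 4 attribute bytes followed by the data; vfat reports `umask=` as separate `fmask=`/`dmask=` entries), but the mapping name `cryptroot` and the mount options are taken from this page's configuration.

```shell
#!/bin/sh
# Post-install checks for the boot and disk layout described above.
# Added example, not part of the repository's Nix configuration.
# Every check takes a file path so it runs against /sys and /proc on the
# installed laptop, or against the constructed samples from make_samples.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the data byte (0 or 1) of a boolean EFI variable file.
# efivarfs layout: 4 bytes of attribute flags, then the variable's data.
efivar_bool() {
    val=$(od -An -t u1 -j 4 -N 1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Secure Boot is enforcing only when SecureBoot=1 AND SetupMode=0.
# SetupMode=1 after the autoEnrollKeys reboot means the keys never got enrolled.
secureboot_enforcing() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_bool "$dir/SecureBoot-$EFI_GLOBAL_GUID") || return 1
    sm=$(efivar_bool "$dir/SetupMode-$EFI_GLOBAL_GUID") || return 1
    [ "$sb" = 1 ] && [ "$sm" = 0 ]
}

# Does mount point $2 in the /proc/mounts-style file $1 carry every option given after it?
mount_has_opts() {
    file=$1 mnt=$2
    shift 2
    opts=$(awk -v m="$mnt" '$2 == m { print $4; exit }' "$file")
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# Does the crypt target for mapping $2 in `dmsetup table` output $1 pass discards through?
# Line format: "<name>: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> <#opts> [opts...]"
dm_allow_discards() {
    awk -v name="$2:" '
        $1 == name && $4 == "crypt" {
            found = 1
            for (i = 5; i <= NF; i++) if ($i == "allow_discards") ok = 1
        }
        END { exit !(found && ok) }' "$1"
}

# Constructed samples mirroring what the configuration on this page should produce.
make_samples() {
    d=$1
    mkdir -p "$d/efivars"
    # attributes BS|RT (0x06) as little-endian uint32, then the boolean data byte
    printf '\006\000\000\000\001' > "$d/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000\000' > "$d/efivars/SetupMode-$EFI_GLOBAL_GUID"
    cat > "$d/mounts" <<'EOF'
/dev/mapper/cryptroot / ext4 rw,noatime,lazytime,commit=600 0 0
/dev/nvme0n1p1 /boot vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
EOF
    cat > "$d/dmtable" <<'EOF'
cryptroot: 0 1951399936 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:2 32768 1 allow_discards
EOF
}

# Run every check against the live system (needs root for dmsetup). Usage: sh boot-check.sh live
check_live() {
    rc=0
    secureboot_enforcing && echo "ok   Secure Boot enforcing" || { echo "FAIL Secure Boot not enforcing or firmware in Setup Mode"; rc=1; }
    mount_has_opts /proc/mounts /boot fmask=0077 dmask=0077 && echo "ok   /boot umask=0077" || { echo "FAIL /boot is readable by non-root users"; rc=1; }
    mount_has_opts /proc/mounts / noatime lazytime commit=600 && echo "ok   / ext4 options" || { echo "FAIL / mount options differ from disko.nix"; rc=1; }
    t=$(mktemp) && dmsetup table > "$t" 2>/dev/null
    dm_allow_discards "$t" cryptroot && echo "ok   cryptroot passes discards" || { echo "FAIL cryptroot opened without --allow-discards; fstrim will not reach the NVMe"; rc=1; }
    rm -f "$t"
    return $rc
}

[ "${1:-}" = live ] && check_live
```

Run it as `sh boot-check.sh live` after the enrollment reboot; a Setup Mode failure there means the firmware never left Setup Mode and every image, signed or not, will still boot.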