From a0fd1e92641aa84f9bdbd6e1e9bdc3ae946df6e2 Mon Sep 17 00:00:00 2001
From: aaron
Date: Thu, 5 Mar 2026 20:53:40 +0100
Subject: [PATCH] feature(drives): add encrypted drives for argon

---
 hosts/argon/configuration.nix | 1 +
 modules/nixos/drives.nix | 48 +++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 modules/nixos/drives.nix

diff --git a/hosts/argon/configuration.nix b/hosts/argon/configuration.nix
index 9ed142c..5035aad 100644
--- a/hosts/argon/configuration.nix
+++ b/hosts/argon/configuration.nix
@@ -5,6 +5,7 @@
 ../../modules/nixos/audio.nix
 ../../modules/nixos/bootloader.nix
 ../../modules/nixos/certificates.nix
+ ../../modules/nixos/drives.nix
 ../../modules/nixos/gnupg.nix
 ../../modules/nixos/graphics.nix
 ../../modules/nixos/locales.nix
diff --git a/modules/nixos/drives.nix b/modules/nixos/drives.nix
new file mode 100644
index 0000000..1afc77e
--- /dev/null
+++ b/modules/nixos/drives.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # decrypt data drives with keyfiles
+ boot.initrd.luks.devices = {
+ "data1" = {
+ device = "/dev/disk/by-uuid/dfae62cc-bad1-4879-bf9a-461bde833625";
+ keyFile = "/etc/nixos/keys/data1.key";
+ fallbackToPassword = true;
+ };
+ "data2" = {
+ device = "/dev/disk/by-uuid/8312edae-9247-481b-a313-52a7f848f027";
+ keyFile = "/etc/nixos/keys/data2.key";
+ fallbackToPassword = true;
+ };
+ "nvmecache" = {
+ device = "/dev/disk/by-uuid/2352250e-4ebe-4f9a-bf66-0d4aaa961bd8";
+ keyFile = "/etc/nixos/keys/nvmecache.key";
+ fallbackToPassword = true;
+ };
+ };
+
+ # copy keyfiles into initrd to make them available during early boot
+ boot.initrd.secrets = {
+ "/etc/nixos/keys/data1.key" = "/etc/nixos/keys/data1.key";
+ "/etc/nixos/keys/data2.key" = "/etc/nixos/keys/data2.key";
+ "/etc/nixos/keys/nvmecache.key" = "/etc/nixos/keys/nvmecache.key";
+ };
+
+ # mount decrypted filesystems
+ fileSystems."/mnt/data1" = {
+ device = "/dev/mapper/data1";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+
+ fileSystems."/mnt/data2" = {
+ device = "/dev/mapper/data2";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+
+ fileSystems."/mnt/nvmecache" = {
+ device = "/dev/mapper/nvmecache";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+}
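Review bot: The `boot.initrd.secrets` block copies the three raw LUKS keyfiles into the initrd, and on the usual layout the initrd lives on an unencrypted /boot (ESP), so anyone who can read the boot partition can recover the keys and open data1, data2 and nvmecache without a passphrase; the encryption then only holds if /boot itself is encrypted or otherwise protected, which nothing in this patch shows. Since these are data drives rather than the root filesystem they do not have to be opened in the initrd at all: dropping them from `boot.initrd.luks.devices` and `boot.initrd.secrets` and unlocking them after root is mounted via `environment.etc."crypttab".text` (one line per device of the form `data1 /dev/disk/by-uuid/dfae62cc-bad1-4879-bf9a-461bde833625 /etc/nixos/keys/data1.key luks`) keeps the keyfiles on the encrypted root and out of the boot partition, and the existing `nofail` mount options already tolerate a device that fails to open. Whichever approach is kept, the files under `/etc/nixos/keys` should be root-owned with mode 0400 and excluded from any repository this configuration is tracked in, which the hunk cannot demonstrate. At minimum the header comment should state the trade-off, e.g. `# keyfiles are embedded in the initrd on /boot; this protects the data only if /boot itself is encrypted`.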