Hello,
I’m new to NixOS. My homelab is currently running Debian but I want to switch to NixOS for easier and reproducible configuration. I think I can easily manage to install anything non-breakable myself (dnsproxy, podman…)
But I am unsure about the part that could be breakable. I guess I didn’t fully get the NixOS core concepts.
I am looking to have full disk encryption with LUKS, with tpm auto unlock and, if auto unlock fails, an unencrypted /boot partition with openssh, allowing me to connect via ssh with my key to unlock the main partition.
Also, I would like to have btrfs for filesystem snapshots in case of any issue.
I would like to have most of the configuration to be done in a declarative way. What would be the procedure to set that up on a new nixos install?
What is the guide that you would recommend ?
I found Secure Boot & TPM-backed Full Disk Encryption on NixOS · Jon Seager, which doesn’t explain btrfs formatting nor fallback unencrypted partition with Nix but covers all the LUKS/TPM unlock part.
Usually you create the partitions with the tools of your choice, format them, and mount them in the intended structure inside of /mnt and let nixos-generate-config figure out the rest.
If you want to do partitioning in a declarative manner, have a look at disko. I’ve used it for my latest installation which included btrfs and luks encryption, worked without problems. My configuration was based on this example.
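As an added illustration of the kind of disko module this reply refers to (written for this thread, not the configuration the reply linked): one disk with an unencrypted ESP at /boot and a LUKS volume holding btrfs subvolumes, plus the initrd SSH fallback the question asks for. The device path, passphrase file, NIC driver, SSH public key and host-key path are placeholders to be replaced.

```nix
{
  disko.devices.disk.main = {
    type = "disk";
    device = "/dev/disk/by-id/CHANGE-ME"; # placeholder: the target drive's stable by-id path
    content = {
      type = "gpt";
      partitions = {
        ESP = {
          size = "1G";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
            mountOptions = [ "umask=0077" ]; # unencrypted, so keep it root-only
          };
        };
        luks = {
          size = "100%";
          content = {
            type = "luks";
            name = "cryptroot"; # appears as /dev/mapper/cryptroot
            passwordFile = "/tmp/luks.key"; # read only while disko formats the disk
            settings.allowDiscards = true;
            content = {
              type = "btrfs";
              subvolumes = {
                "@" = { mountpoint = "/"; mountOptions = [ "compress=zstd" "noatime" ]; };
                "@nix" = { mountpoint = "/nix"; mountOptions = [ "compress=zstd" "noatime" ]; };
              };
            };
          };
        };
      };
    };
  };
  # systemd stage 1 is what systemd-cryptenroll's TPM2 unlock needs; SSH is the manual fallback.
  boot.initrd.systemd.enable = true;
  boot.initrd.availableKernelModules = [ "e1000e" ]; # placeholder: the driver for your NIC
  boot.initrd.network.enable = true;
  boot.initrd.systemd.network.networks."10-lan" = {
    matchConfig.Name = "en*";
    networkConfig.DHCP = "yes";
  };
  boot.initrd.network.ssh = {
    enable = true;
    authorizedKeys = [ "ssh-ed25519 AAAA...CHANGE-ME" ]; # placeholder public key
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # generate with ssh-keygen
  };
}
```

Importing this module also generates the matching fileSystems and boot.initrd.luks.devices.cryptroot entries, so nothing else is needed in configuration.nix for the system to find and unlock the volume. Enrolling the TPM2 key into the LUKS header with systemd-cryptenroll is done afterwards on the installed system, as the linked guide describes.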
tpm auto-unlock is a fair bit trickier than just LUKS+btrfs FWIW. That guide looks good, but you’re asking for help with the easy bit. I’d suggest trying it out on something less critical before you commit to using it in production.
If you’re going the disko route you can quite easily experiment in a VM (or on some hardware you have lying around if getting qemu to emulate a TPM is too tricky) and just port over your disko config to the target by renaming the drives once it’s working. Declarative configuration is nice that way.
Thanks for this disko example, it is exactly what I am trying to achieve.
I am currently setting this up using nixos-anywhere and disko. Would you also have an example about what to set in configuration.nix, so the system can properly see and unlock the luks partition?