I am trying to prepare a RPi 5 as a small desktop computer for my work office needs. But for handling my work data I would rather have encryption-at-rest and I’m a bit stuck there.
I can prepare an image for sd-card or nvme no problem, but they always use unencrypted ext4 filesystems for data. Has anybody found a way to create an image or use the installer to create and mount a luks-encrypted volume at boot? Or alternatively, how to install nixos on zfs on a RPi 5 nvme?
You could use a combination of disko and nixos-anywhere. The former for configuring you disks with LUKS encryption and the latter for automatically setting up disks and installing NixOS.
Also check out this blog post and my disk configuration for how I did this on a Raspberry Pi.
My main Problem is that the universal aarch64 install image does not recognize the nvme and the Pi 5 specific sd image does not boot when setting boot.initrd.luks devices.
I will try to create a custom installer image built from the standard uefi image, but with the RPi 5 Kernel. I will report back if that can be used for a standard installation procedure.
Then maybe GitHub - nix-community/nixos-generators: Collection of image builders [maintainer=@Lassulus] can help you create custom installers.