booting(8)

NAME

booting - it is now safe to turn off your computer

The swap partition must be at least as large as RAM plus the square root of the RAM size. Hibernation is recommended for all systems. In BQN notation: 20 = {𝕩+√𝕩} 16, or for the full list of sizes up to 32G, {⌈𝕩+√𝕩}¨↕32

UEFI

/dev/sda1, system   occupies 500MB to -$swap_size
/dev/sda2, swap     occupies -$swap_size to 100%
/dev/sda3, boot     occupies 0 to 500MB
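As an added example (not from the original page), a POSIX shell sketch of the sizing rule and the UEFI table above: swap_size_gib is the ⌈𝕩+√𝕩 rule, swap_table reproduces the list up to 32G, and uefi_layout turns a RAM and disk size into the three partitions with their MiB offsets. The function names, the /proc/meminfo helper and the sample disk sizes are this example's own assumptions.

```shell
# swap_size_gib RAM_GIB -> ceil(ram + sqrt(ram)) in GiB, the {⌈𝕩+√𝕩} rule
swap_size_gib() {
    awk -v x="$1" 'BEGIN {
        s = x + sqrt(x)
        c = int(s)
        if (c < s) c++      # round up to a whole GiB (the ceiling)
        print c
    }'
}

# swap_size_from_meminfo -> the same rule fed from this machine's MemTotal (KiB)
swap_size_from_meminfo() {
    kib=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    swap_size_gib $(( (kib + 1048575) / 1048576 ))   # KiB -> GiB, rounded up
}

# swap_table -> the "full list up to 32G": one "ram swap" pair per line for 0..31
swap_table() {
    i=0
    while [ "$i" -lt 32 ]; do
        printf '%s %s\n' "$i" "$(swap_size_gib "$i")"
        i=$(( i + 1 ))
    done
}

# uefi_layout RAM_GIB DISK_GIB -> the UEFI table as "device role start end" in MiB,
# with 500 MiB reserved for boot; fails if the swap would overlap the boot region
uefi_layout() {
    ram=$1
    disk=$2
    swap=$(swap_size_gib "$ram")
    disk_mib=$(( disk * 1024 ))
    swap_start=$(( disk_mib - swap * 1024 ))     # "-$swap_size" from the end
    if [ "$swap_start" -le 500 ]; then
        echo "a ${disk}G disk cannot hold ${swap}G swap plus 500M boot" >&2
        return 1
    fi
    echo "/dev/sda3 boot 0 500"
    echo "/dev/sda1 system 500 $swap_start"
    echo "/dev/sda2 swap $swap_start $disk_mib"
}
```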

follow the lanzaboote instructions; this will be important later.

TPM-bound encryption for system files plus secure boot is a good base, but it does little to protect user data. making hard user separation user-friendly seems like a stretch, but creating useful hooks for it might be an interesting and useful start.

MBR / LEGACY BOOT

/dev/sda1, 500M         boot
/dev/sda2, 2M           BIOS boot
/dev/sda3, $swap_size   SWAP
/dev/sda4, $rest        SYSTEM

GRUB only supports luks1-formatted disks. purism has some kind of secure legacy boot thing going on, but it seems more practical to flash coreboot with a UEFI payload and use lanzaboote.

cryptsetup luksFormat --type luks1 -h sha512 $rootpart

configure legacy boot! some of this will be picked up by nixos-generate-config, but you should verify that all of these settings are following the right pattern.

{
  # GRUB is the bootloader for legacy (BIOS) boot
  boot.loader.grub.enable = true;
  # install GRUB to the MBR of the whole disk, not to a partition
  boot.loader.grub.device = "/dev/sda";
  # build GRUB with cryptodisk support so it can read LUKS volumes
  boot.loader.grub.enableCryptodisk = true;
  # the initrd unlocks the LUKS volume; UUID is a placeholder for the real PARTUUID
  boot.initrd.luks.devices.crypted.device = "/dev/disk/by-partuuid/UUID";
  # the root filesystem lives on the mapped device, not the raw partition
  fileSystems."/".device = "/dev/mapper/crypted";
}
IX                              March 2025                              booting(8)