| author | quentin@aristote.fr <quentin@aristote.fr> | 2025-03-18 07:02:55 +0100 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2025-03-18 07:02:55 +0100 |
| commit | efe5da2044e924cada635be4c563916425454a28 (patch) | |
| tree | 2b5cb4a97d35fd90fe487625dfe26842c4def30c | |
| parent | 8538f77816a5b929f7ed4f0f3ad5225c26e318fb (diff) | |
autoUpgrade: decrypt disk conditionally
| -rw-r--r-- | config/nix.nix | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/config/nix.nix b/config/nix.nix index e3b7602..3989c6e 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -52,23 +52,28 @@ in { let switch = "$RESULT/bin/switch-to-configuration"; readlink = "${pkgs.coreutils}/bin/readlink"; + luksCfg = config.boot.initrd.luks.devices; in if allowReboot - then '' - ${switch} boot - booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" - built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" - if [ "$booted" = "$built" ] - then - ${switch} switch - else + then + '' + ${switch} boot + booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + if [ "$booted" = "$built" ] + then + ${switch} switch + else '' + + lib.optionalString (luksCfg ? crypt) '' cryptsetup --verbose luksAddKey \ --key-file /etc/luks/keys/master \ - ${config.boot.initrd.luks.devices.crypt.device} \ + ${luksCfg.crypt.device} \ /etc/luks/keys/tmp - shutdown -r +1 - fi - '' + '' + + '' + shutdown -r +1 + fi + '' else '' ${switch} switch '' |
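Review bot: The `luksCfg ? crypt` guard only recognises a LUKS device declared under the attribute name `crypt`, so a host whose encrypted volume uses another name skips `luksAddKey` yet still reaches `shutdown -r +1`; presumably that unattended reboot then stalls at the passphrase prompt. A comment above the `lib.optionalString` line, such as `# assumes the only LUKS volume is boot.initrd.luks.devices.crypt; any other name reboots without the temporary key`, would record the assumption. Once enrolled, `/etc/luks/keys/tmp` is a valid unlock credential for the disk, and this hunk does not show where that key slot is removed again; if a cleanup step exists elsewhere, it should be gated on the same condition and the key's lifetime documented here. `cryptsetup` and `shutdown` are resolved through PATH while `readlink` is pinned to its store path; `${pkgs.cryptsetup}/bin/cryptsetup --verbose luksAddKey \` would match that style. The enclosing `let … in` expression starts and ends outside the hunk.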
