From efe5da2044e924cada635be4c563916425454a28 Mon Sep 17 00:00:00 2001 From: "quentin@aristote.fr" Date: Tue, 18 Mar 2025 07:02:55 +0100 Subject: autoUpgrade: decrypt disk conditionally --- config/nix.nix | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'config/nix.nix') diff --git a/config/nix.nix b/config/nix.nix index e3b7602..3989c6e 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -52,23 +52,28 @@ in { let switch = "$RESULT/bin/switch-to-configuration"; readlink = "${pkgs.coreutils}/bin/readlink"; + luksCfg = config.boot.initrd.luks.devices; in if allowReboot - then '' - ${switch} boot - booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" - built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" - if [ "$booted" = "$built" ] - then - ${switch} switch - else + then + '' + ${switch} boot + booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + if [ "$booted" = "$built" ] + then + ${switch} switch + else '' + + lib.optionalString (luksCfg ? crypt) '' cryptsetup --verbose luksAddKey \ --key-file /etc/luks/keys/master \ - ${config.boot.initrd.luks.devices.crypt.device} \ + ${luksCfg.crypt.device} \ /etc/luks/keys/tmp - shutdown -r +1 - fi - '' + '' + + '' + shutdown -r +1 + fi + '' else '' ${switch} switch '' -- cgit v1.2.3
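Review bot: In the new `lib.optionalString (luksCfg ? crypt)` fragment, `cryptsetup` is called by bare name and its exit status is not checked before the `shutdown -r +1` in the next fragment, so a failed `luksAddKey` (master key file missing, no free keyslot) can still be followed by a reboot that stops at the passphrase prompt. Pin the binary the way `readlink` is pinned and stop on failure: `${pkgs.cryptsetup}/bin/cryptsetup --verbose luksAddKey \` on the first line and `/etc/luks/keys/tmp || exit 1` on the last. The script definition starts outside the hunk, so it is not visible whether `set -e` or a unit-level `path` already covers this. The guard also matches only a device named `crypt`, so hosts with a differently named LUKS device reboot without a temporary key; a comment such as `# only the LUKS device named "crypt" gets a temporary key before reboot` would make that explicit. The hunk does not show where the `/etc/luks/keys/tmp` keyslot is removed after boot, so confirm that a cancelled or failed reboot cannot leave it enrolled.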