| author | quentin@aristote.fr <quentin@aristote.fr> | 2025-02-26 10:58:50 +0100 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2025-02-26 23:50:57 +0100 |
| commit | 7d0fe49b517ed374b069a5fc906db4b170b878b8 (patch) | |
| tree | 0d72b78e8188880eabae67e9ec06c6b781e89995 | |
| parent | 58e0dd8b10c78cb3f7a36c6bcb169caa9087497d (diff) | |
nixos: autoUpgrade: when allowReboot, add tmp keyfile on boot
| -rw-r--r-- | modules/nixos/personal/hardware.nix | 2 | ||||
| -rw-r--r-- | modules/nixos/personal/nix.nix | 31 |
2 files changed, 30 insertions, 3 deletions
diff --git a/modules/nixos/personal/hardware.nix b/modules/nixos/personal/hardware.nix
index f81c859..3604852 100644
--- a/modules/nixos/personal/hardware.nix
+++ b/modules/nixos/personal/hardware.nix
@@ -56,7 +56,7 @@ in {
         preLVM = true;
         fallbackToPassword = true;
         keyFileTimeout = 1;
-        keyfile =
+        keyFile =
           config.fileSystems."/boot".device + ":/keyfile";
         postOpenCommands = ''
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index 53daa6c..9e596ca 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -123,11 +123,38 @@ in {
       flags = lib.optional (!hasFlake) "--upgrade-all";
     };
     systemd.services.nixos-upgrade = lib.mkMerge [
+      checkNetwork
       {
-        preStart = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild dry-build ${toString config.system.autoUpgrade.flags}";
+        preStart = lib.mkAfter ''
+          ${config.system.build.nixos-rebuild}/bin/nixos-rebuild dry-build ${toString config.system.autoUpgrade.flags}
+        '';
         personal.monitor = true;
       }
-      checkNetwork # has to come second, so network is checked before the dry-build
+      (let
+        luksCfg = config.boot.initrd.luks.devices;
+        cryptExists = luksCfg ? crypt;
+        cryptCfg = luksCfg.crypt;
+      in
+      lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
+        script = lib.mkAfter ''
+          # clean previous keyfile
+          # shouldn't do anything, only in case something went wrong
+          ${cryptCfg.postOpenCommands}
+          # Creating temporary LUKS key file for next reboot...
+          if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]
+          then
+            dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
+            chmod 400 /boot/keyfile
+            cryptsetup --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile
+          fi
+        '';
+        postStop = ''
+          # if a reboot due to nixos-upgrade happens, it should occur within a minute
+          sleep 120
+          # if no reboot has happened, clean any leftover keyfile
+          ${cryptCfg.postOpenCommands}
+        '';
+      })
     ];
   })
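Review bot: The `cryptsetup --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile` line in the new nix.nix `script` names no cryptsetup action, so it is rejected as an unknown action and, because NixOS service scripts run under `-e`, the unit fails after the key file has been written to /boot but before it is enrolled; the intended call is `cryptsetup luksAddKey --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile`. The key file is also created by `dd` under the default umask and only restricted by the following `chmod`, so a `umask 077` before the `dd` closes that window, with the caveat that a vfat /boot ignores chmod entirely and the key is then guarded only by the unencrypted partition until postOpenCommands deletes it. As far as I recall the upstream nixos-upgrade script assigns `do_reboot` only when `rebootWindow` is set, so with the default `rebootWindow = null` the `"''${do_reboot}" = true` test never holds and the scheduled reboot would stop at the passphrase prompt — worth confirming against the upstream script. Every successful run enrolls a new keyslot, and unless `postOpenCommands` (its body is outside both hunks) also runs `luksRemoveKey` or `luksKillSlot`, the random keys stay valid in the header and slots accumulate across upgrades; a comment such as `# each run adds a keyslot; postOpenCommands must remove it after boot` together with that cleanup would make the lifecycle explicit. The enclosing module body starts and ends outside the hunk.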
