authoraristote <quentin.aristote@irif.fr>2025-02-28 16:32:21 +0100
committeraristote <quentin.aristote@irif.fr>2025-02-28 16:51:20 +0100
commit1c53bf43d1e752cc76e0aac74ac6460a200bc0f6 (patch)
tree50f947e3f5b92e59eda400d6e9b47b5d4f02cdd8 /modules/nixos/personal/nix.nix
parent2f864beb9c0910d36c386571a89fff227d43cd34 (diff)
nixos: unattended decrypt: switch to initrd key
Diffstat (limited to 'modules/nixos/personal/nix.nix')
-rw-r--r--modules/nixos/personal/nix.nix19
1 files changed, 7 insertions, 12 deletions
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index a5c6e77..1fd3eec 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -117,6 +117,7 @@ in {
})
(lib.mkIf cfg.autoUpgrade.enable {
+ personal.boot.unattendedReboot = lib.mkIf config.system.autoUpgrade.allowReboot true;
system.autoUpgrade = {
enable = true;
flake = cfg.flake;
@@ -137,22 +138,16 @@ in {
in
lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
script = lib.mkAfter ''
- # clean previous keyfile
- # shouldn't do anything, only in case something went wrong
- ${cryptCfg.postOpenCommands}
- # Creating temporary LUKS key file for next reboot...
- if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]
- then
- # dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
- # chmod 400 /boot/keyfile
- # cryptsetup --verbose luksAddKey --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile
- fi
+ cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp
'';
postStop = ''
# if a reboot due to nixos-upgrade happens, it should occur within a minute
sleep 120
- # if no reboot has happened, clean any leftover keyfile
- ${cryptCfg.postOpenCommands}
+ # if no reboot has happened, disable any leftover keyfile
+ while cryptsetup --verbose luksRemoveKey ${cryptCfg.device} --key-file /etc/luks/keys/tmp
+ do
+ :
+ done
'';
})
];
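Review bot: The new `luksAddKey` line runs unconditionally at the end of the upgrade script, because the `booted != built && do_reboot` guard the removed lines carried was dropped instead of being kept around the new command, so every upgrade run — including one that rebuilds nothing or is not going to reboot — enrols the temporary key in the LUKS header, where it stays valid for at least the 120 s that postStop sleeps. Restoring the guard, `if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]; then` / `  cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp` / `fi`, keeps the key out of the header unless a reboot is actually about to happen. The postStop loop in the same hunk ends on the first non-zero exit of `luksRemoveKey`, which is also what an unrelated failure returns (a wrong key path, no free slot), so it should check or log the final state rather than assume the key is gone; and nothing removes the key if the unit is killed or the host crashes before postStop, which the old script's leading `${cryptCfg.postOpenCommands}` cleanup partially covered and the new version no longer does. The `let` binding that defines cryptCfg and cryptExists begins before the hunk.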