authorquentin@aristote.fr <quentin@aristote.fr>2025-02-25 19:19:00 +0100
committerquentin@aristote.fr <quentin@aristote.fr>2025-02-26 12:02:21 +0100
commit58e0dd8b10c78cb3f7a36c6bcb169caa9087497d (patch)
treef1494a77f0642838447a1fdd73b54e8191311560 /modules
parent95134b39dbeb11626475e8416d6aee7807dcdeca (diff)
nixos: hardware: luks: allow keyfile on boot
Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/personal/hardware.nix36
1 files changed, 26 insertions, 10 deletions
diff --git a/modules/nixos/personal/hardware.nix b/modules/nixos/personal/hardware.nix
index f3688d9..f81c859 100644
--- a/modules/nixos/personal/hardware.nix
+++ b/modules/nixos/personal/hardware.nix
@@ -38,16 +38,7 @@ in {
{
hardware.firmware =
lib.optional cfg.firmwareNonFree.enable pkgs.firmwareLinuxNonfree;
- boot.initrd = {
- availableKernelModules = lib.optional cfg.usb.enable "usb_storage";
- luks.devices = lib.optionalAttrs (cfg.disks.crypted != null) {
- crypt = {
- name = "crypt";
- device = cfg.disks.crypted;
- preLVM = true;
- };
- };
- };
+ boot.initrd.availableKernelModules = lib.optional cfg.usb.enable "usb_storage";
services.udev.extraRules =
lib.optionalString (cfg.backlights.screen != null) ''
@@ -58,6 +49,31 @@ in {
'';
}
+ (lib.mkIf (cfg.disks.crypted != null) {
+ boot.initrd.luks.devices.crypt = {
+ device =
+ cfg.disks.crypted;
+ preLVM = true;
+ fallbackToPassword = true;
+ keyFileTimeout = 1;
+ keyfile =
+ config.fileSystems."/boot".device
+ + ":/keyfile";
+ postOpenCommands = ''
+ if [[ -f /boot/keyfile ]]
+ then
+ echo "Detected old LUKS key file."
+ echo "Disabling key file..."
+ cryptsetup --verbose luksRemoveKey ${cfg.disks.crypted} --key-file /boot/keyfile ||
+ echo "Shredding key file..."
+ shred --force --zero --remove /boot/keyfile
+ else
+ echo "No old LUKS keyfile detected."
+ fi
+ '';
+ };
+ })
+
(lib.mkIf cfg.sound.enable {
security.rtkit.enable = true;
services.pipewire = {