| -rw-r--r-- | modules/nixos/personal/boot.nix | 51 | ||||
| -rw-r--r-- | modules/nixos/personal/hardware.nix | 35 | ||||
| -rw-r--r-- | modules/nixos/personal/nix.nix | 19 |
3 files changed, 52 insertions, 53 deletions
diff --git a/modules/nixos/personal/boot.nix b/modules/nixos/personal/boot.nix
index 9486d5e..149d9b9 100644
--- a/modules/nixos/personal/boot.nix
+++ b/modules/nixos/personal/boot.nix
@@ -1,23 +1,44 @@
-{ config, lib, ... }:
-
-let cfg = config.personal.boot;
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.personal.boot;
 in {
 options.personal.boot = {
 grub.enable = lib.mkEnableOption "grub";
 efi.enable = lib.mkEnableOption "EFI";
+ unattendedReboot = lib.mkEnableOption "unattended reboots";
 };
 
- config.boot.loader = lib.mkMerge [
- (lib.mkIf cfg.grub.enable {
- grub = {
- enable = true;
- enableCryptodisk = config.boot.initrd.luks.devices != { };
- device = lib.mkDefault "nodev";
+ config.boot = {
+ loader = lib.mkMerge [
+ (lib.mkIf cfg.grub.enable {
+ grub = {
+ enable = true;
+ enableCryptodisk = config.boot.initrd.luks.devices != {};
+ device = lib.mkDefault "nodev";
+ };
+ })
+ (lib.mkIf cfg.efi.enable {
+ efi.canTouchEfiVariables = true;
+ grub.efiSupport = true;
+ })
+ ];
+
+ initrd = let
+ crypt = config.personal.hardware.disks.crypted;
+ in
+ lib.mkIf (cfg.unattendedReboot && crypt != null) {
+ secrets."/keyfile.luks" = /etc/luks/keys/tmp;
+ luks.devices.crypt = {
+ fallbackToPassword = true;
+ keyFile = "/keyfile.luks";
+ postOpenCommands = ''
+ echo "Disabling temporary LUKS key file..."
+ cryptsetup --verbose luksRemoveKey ${crypt} /keyfile.luks
+ '';
+ };
 };
- })
- (lib.mkIf cfg.efi.enable {
- efi.canTouchEfiVariables = true;
- grub.efiSupport = true;
- })
- ];
+ };
 }
diff --git a/modules/nixos/personal/hardware.nix b/modules/nixos/personal/hardware.nix
index d01639e..da4629c 100644
--- a/modules/nixos/personal/hardware.nix
+++ b/modules/nixos/personal/hardware.nix
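Review bot: `secrets."/keyfile.luks" = /etc/luks/keys/tmp;` ships the LUKS key inside the initrd, so a plaintext copy sits on the boot partition in every generation built with `unattendedReboot` on, and the `postOpenCommands` below only drops the key slot, not that copy; if /boot lives outside the LUKS container (not visible here), anyone who reads it once holds material that nix.nix re-adds on every upgrade. Treat `/etc/luks/keys/tmp` as one-shot material that is regenerated before each rebuild, and prefer the string form `secrets."/keyfile.luks" = "/etc/luks/keys/tmp";` — a path literal is only safe as long as the module never interpolates it into a string, since that would copy the key into the world-readable Nix store. The option would also benefit from a description stating the trade-off, e.g. replacing `lib.mkEnableOption "unattended reboots"` with a `lib.mkOption` whose `description` says that enabling it stores a LUKS key on the boot partition between an upgrade and the next boot.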
@@ -49,32 +49,15 @@ in {
 '';
 }
 
- (lib.mkIf (cfg.disks.crypted != null) {
- boot.initrd.luks.devices.crypt = {
- device =
- cfg.disks.crypted;
- preLVM = true;
- fallbackToPassword = true;
- # broken
- ## only supported with systemd-initrd
- # keyFileTimeout = 1;
- # keyFile =
- # config.fileSystems."/boot".device
- # + ":/keyfile";
- postOpenCommands = ''
- if [[ -f /boot/keyfile ]]
- then
- echo "Detected old LUKS key file."
- echo "Disabling key file..."
- cryptsetup --verbose luksRemoveKey ${cfg.disks.crypted} --key-file /boot/keyfile ||
- echo "Shredding key file..."
- shred --force --zero --remove /boot/keyfile
- else
- echo "No old LUKS keyfile detected."
- fi
- '';
- };
- })
+ (let
+ crypt = cfg.disks.crypted;
+ in
+ lib.mkIf (crypt != null) {
+ boot.initrd.luks.devices.crypt = {
+ device = crypt;
+ preLVM = true;
+ };
+ })
 
 (lib.mkIf cfg.sound.enable {
 security.rtkit.enable = true;
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index a5c6e77..1fd3eec 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -117,6 +117,7 @@ in {
 })
 
 (lib.mkIf cfg.autoUpgrade.enable {
+ personal.boot.unattendedReboot = lib.mkIf config.system.autoUpgrade.allowReboot true;
 system.autoUpgrade = {
 enable = true;
 flake = cfg.flake;
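Review bot: Nothing in the new `lib.mkIf (crypt != null)` block, nor elsewhere in this commit, handles a leftover `/boot/keyfile` from the previous design, although the removed `postOpenCommands` existed precisely to disable and shred that file after an interrupted upgrade; a host switched to this revision while such a file and its LUKS slot still exist keeps both indefinitely. Either run that cleanup once by hand on affected hosts, or keep a transitional check in the initrd `postOpenCommands`, e.g. `if [[ -f /boot/keyfile ]]; then cryptsetup --verbose luksRemoveKey ${crypt} --key-file /boot/keyfile; shred --force --zero --remove /boot/keyfile; fi`. The enclosing mkMerge list starts and ends outside the hunk.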
@@ -137,22 +138,16 @@ in {
 in
 lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
 script = lib.mkAfter ''
- # clean previous keyfile
- # shouldn't do anything, only in case something went wrong
- ${cryptCfg.postOpenCommands}
- # Creating temporary LUKS key file for next reboot...
- if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]
- then
- # dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
- # chmod 400 /boot/keyfile
- # cryptsetup --verbose luksAddKey --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile
- fi
+ cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp
 '';
 postStop = ''
 # if a reboot due to nixos-upgrade happens, it should occur within a minute
 sleep 120
- # if no reboot has happened, clean any leftover keyfile
- ${cryptCfg.postOpenCommands}
+ # if no reboot has happened, disable any leftover keyfile
+ while cryptsetup --verbose luksRemoveKey ${cryptCfg.device} --key-file /etc/luks/keys/tmp
+ do
+ :
+ done
 '';
 })
 ];
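Review bot: The `cryptsetup --verbose luksAddKey ... /etc/luks/keys/tmp` line now runs on every upgrade, because the removed `booted != built && do_reboot = true` guard was dropped rather than fixed, so a key slot is armed for the 120 s `postStop` window even when no reboot will follow; wrapping it in `if [[ "''${booted}" != "''${built}" ]]; then` ... `fi` keeps the slot closed on ordinary upgrades (those variables come from the autoUpgrade script outside this hunk, so confirm they are in scope at the `mkAfter` point). The key file itself is never regenerated here, so the same material is added, removed and re-added across all upgrades and is also what boot.nix copies into each initrd on /boot; generating a fresh random root-only file before the rebuild step, so the new initrd carries it, would limit a leaked copy to a single upgrade window. The `while ... luksRemoveKey ... do : done` loop correctly clears duplicate slots, but it also stops on the first failure of any kind, so a transient error leaves a slot armed until something else removes it — logging the final exit status would at least make that visible.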
