From 1c53bf43d1e752cc76e0aac74ac6460a200bc0f6 Mon Sep 17 00:00:00 2001
From: aristote
Date: Fri, 28 Feb 2025 16:32:21 +0100
Subject: nixos: unattended decrypt: switch to initrd key
---
 modules/nixos/personal/hardware.nix | 35 +++++++++-------------------------
 1 file changed, 9 insertions(+), 26 deletions(-)
(limited to 'modules/nixos/personal/hardware.nix')
diff --git a/modules/nixos/personal/hardware.nix b/modules/nixos/personal/hardware.nix
index d01639e..da4629c 100644
--- a/modules/nixos/personal/hardware.nix
+++ b/modules/nixos/personal/hardware.nix
@@ -49,32 +49,15 @@ in {
 '';
 }
- (lib.mkIf (cfg.disks.crypted != null) {
- boot.initrd.luks.devices.crypt = {
- device =
- cfg.disks.crypted;
- preLVM = true;
- fallbackToPassword = true;
- # broken
- ## only supported with systemd-initrd
- # keyFileTimeout = 1;
- # keyFile =
- # config.fileSystems."/boot".device
- # + ":/keyfile";
- postOpenCommands = ''
- if [[ -f /boot/keyfile ]]
- then
- echo "Detected old LUKS key file."
- echo "Disabling key file..."
- cryptsetup --verbose luksRemoveKey ${cfg.disks.crypted} --key-file /boot/keyfile ||
- echo "Shredding key file..."
- shred --force --zero --remove /boot/keyfile
- else
- echo "No old LUKS keyfile detected."
- fi
- '';
- };
- })
+ (let
+ crypt = cfg.disks.crypted;
+ in
+ lib.mkIf (crypt != null) {
+ boot.initrd.luks.devices.crypt = {
+ device = crypt;
+ preLVM = true;
+ };
+ })
 
 (lib.mkIf cfg.sound.enable {
 security.rtkit.enable = true;
-- 
cgit v1.2.3
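Review bot: The new `boot.initrd.luks.devices.crypt` block sets only `device` and `preLVM`, so nothing in this hunk actually supplies the initrd key the subject line refers to; if that is wired up elsewhere (a `keyFile` or initrd secret outside this file), a comment such as `# unattended unlock: key is supplied by the initrd, configured in <module>` next to `device = crypt;` would stop the next reader from assuming a passphrase prompt is the only unlock path. Dropping the old `postOpenCommands` also removes the one-shot cleanup that revoked the `/boot/keyfile` slot with `luksRemoveKey` and shredded the file; on any host where that cleanup has not yet run, the old key stays enrolled in a LUKS keyslot and readable from the unencrypted `/boot`, so it is worth confirming with `cryptsetup luksDump` that only the intended slots remain active before this change reaches such a host. The `let crypt = cfg.disks.crypted; in` wrapper adds little over writing `lib.mkIf (cfg.disks.crypted != null) { ... device = cfg.disks.crypted; ... }` directly, but that is a matter of taste. The enclosing attribute list (`in {`) begins and ends outside the hunk.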