From 1c53bf43d1e752cc76e0aac74ac6460a200bc0f6 Mon Sep 17 00:00:00 2001
From: aristote
Date: Fri, 28 Feb 2025 16:32:21 +0100
Subject: nixos: unattended decrypt: switch to initrd key

---
 modules/nixos/personal/nix.nix | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

(limited to 'modules/nixos/personal/nix.nix')

diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index a5c6e77..1fd3eec 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -117,6 +117,7 @@ in {
 })
 (lib.mkIf cfg.autoUpgrade.enable {
+ personal.boot.unattendedReboot = lib.mkIf config.system.autoUpgrade.allowReboot true;
 system.autoUpgrade = {
 enable = true;
 flake = cfg.flake;
@@ -137,22 +138,16 @@ in {
 in lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
 script = lib.mkAfter ''
- # clean previous keyfile
- # shouldn't do anything, only in case something went wrong
- ${cryptCfg.postOpenCommands}
- # Creating temporary LUKS key file for next reboot...
- if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]
- then
- # dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
- # chmod 400 /boot/keyfile
- # cryptsetup --verbose luksAddKey --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile
- fi
+ cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp
 '';
 postStop = ''
 # if a reboot due to nixos-upgrade happens, it should occur within a minute
 sleep 120
- # if no reboot has happened, clean any leftover keyfile
- ${cryptCfg.postOpenCommands}
+ # if no reboot has happened, disable any leftover keyfile
+ while cryptsetup --verbose luksRemoveKey ${cryptCfg.device} --key-file /etc/luks/keys/tmp
+ do
+ :
+ done
 '';
 })
 ];
--
cgit v1.2.3
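Review bot: The new `luksAddKey` line in `script` is no longer gated on an upgrade actually rebooting, so every nixos-upgrade run, including a no-op one, enrolls /etc/luks/keys/tmp into the LUKS header of ${cryptCfg.device} and relies on `postStop` running 120 seconds later to remove it; if the unit is killed or the host loses power in that window the unattended-decrypt key stays enrolled. The removed code kept the `booted != built && do_reboot` guard around the enrollment, and it should be restored around the new command: `if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]; then` / `  cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp` / `fi`. In `postStop`, the `while luksRemoveKey` loop also exits silently on any non-zero status, so a failure unrelated to "no matching slot" (device busy, missing key file) leaves the key enrolled without a log line; a comment stating that the loop intentionally strips every slot matching the tmp key, plus an explicit check that the tmp key no longer opens the device, would make that contract visible. Whether /etc/luks/keys/tmp is generated and permission-restricted elsewhere is not visible in this hunk; the enclosing module continues outside it.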