From 7d0fe49b517ed374b069a5fc906db4b170b878b8 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Wed, 26 Feb 2025 10:58:50 +0100
Subject: nixos: autoUpgrade: when allowReboot, add tmp keyfile on boot
---
 modules/nixos/personal/nix.nix | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
(limited to 'modules/nixos/personal/nix.nix')
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index 53daa6c..9e596ca 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -123,11 +123,38 @@ in {
 flags = lib.optional (!hasFlake) "--upgrade-all";
 };
 systemd.services.nixos-upgrade = lib.mkMerge [
+ checkNetwork
 {
- preStart = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild dry-build ${toString config.system.autoUpgrade.flags}";
+ preStart = lib.mkAfter ''
+ ${config.system.build.nixos-rebuild}/bin/nixos-rebuild dry-build ${toString config.system.autoUpgrade.flags}
+ '';
 personal.monitor = true;
 }
- checkNetwork # has to come second, so network is checked before the dry-build
+ (let
+ luksCfg = config.boot.initrd.luks.devices;
+ cryptExists = luksCfg ? crypt;
+ cryptCfg = luksCfg.crypt;
+ in
+ lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
+ script = lib.mkAfter ''
+ # clean previous keyfile
+ # shouldn't do anything, only in case something went wrong
+ ${cryptCfg.postOpenCommands}
+ # Creating temporary LUKS key file for next reboot...
+ if [[ "''${booted}" != "''${built}" && "''${do_reboot}" = true ]]
+ then
+ dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
+ chmod 400 /boot/keyfile
+ cryptsetup --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile
+ fi
+ '';
+ postStop = ''
+ # if a reboot due to nixos-upgrade happens, it should occur within a minute
+ sleep 120
+ # if no reboot has happened, clean any leftover keyfile
+ ${cryptCfg.postOpenCommands}
+ '';
+ })
 ];
 })
-- cgit v1.2.3
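Review bot: The `cryptsetup` call in the added `script` has no action verb — `cryptsetup --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile` — so cryptsetup will parse the device path as the action and fail instead of enrolling the new key; the line should read `cryptsetup luksAddKey --verbose --key-file /etc/luks/keyfile ${cryptCfg.device} /boot/keyfile`. Because this runs via `lib.mkAfter`, presumably after the upstream script has already scheduled the reboot, the failure either aborts the unit or reboots into a passphrase prompt, which defeats the purpose of the keyfile. The `postStop` cleanup sleeps 120 s, but if the unit keeps systemd's default `TimeoutStopSec` (90 s) the ExecStopPost step is likely killed before the trailing `${cryptCfg.postOpenCommands}` runs, leaving a plaintext root key on /boot whenever the reboot does not happen — consider adding `serviceConfig.TimeoutStopSec = 180;` beside `postStop`. The `chmod 400` line also deserves a comment that it is a no-op if /boot is a vfat ESP and that the key is intentionally stored in plaintext on an unencrypted partition, its only protection being the bounded lifetime enforced by `postOpenCommands` (defined outside this hunk). The enclosing `systemd.services.nixos-upgrade = lib.mkMerge [ … ]` attribute starts before the hunk.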