diff --git a/docs/install.sh b/docs/install.sh
index fc352a39..51aed88b 100755
--- a/docs/install.sh
+++ b/docs/install.sh
@@ -37,12 +37,8 @@ if [ ! -e "nixos/hosts/$TARGET_HOST/disks.nix" ]; then
 exit 1
 fi
 
-# Check if the machine we're provisioning expects a keyfile to unlock a disk.
-# If it does, generate a new key, and write to a known location.
-if grep -q "secret.key" "nixos/$TARGET_HOST/disks.nix"; then
- echo "Secret key not found. Create one at /tmp/secret.key"
- exit 1
-fi
+# Create a key for encrypted swap, if needed
+openssl rand -hex 512 > /etc/swap.key
 
 echo "WARNING! The disks in $TARGET_HOST are about to get wiped"
 echo " NixOS will be re-installed"
@@ -70,8 +66,8 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
 
 # If there is a keyfile for a data disk, put copy it to the root partition and
 # ensure the permissions are set appropriately.
- if [[ -f "/tmp/secret.key" ]]; then
- sudo cp /tmp/secret.key /mnt/etc/secret.key
- sudo chmod 0400 /mnt/etc/secret.key
+ if [[ -f "/etc/swap.key" ]]; then
+ sudo cp /etc/swap.key /mnt/etc/swap.key
+ sudo chmod 0400 /mnt/etc/swap.key
 fi
 fi
\ No newline at end of file
diff --git a/nixos/hosts/nixos-framework/disks.nix b/nixos/hosts/nixos-framework/disks.nix
index 5d888bbe..8a724705 100644
--- a/nixos/hosts/nixos-framework/disks.nix
+++ b/nixos/hosts/nixos-framework/disks.nix
@@ -20,10 +20,10 @@
 content = {
 type = "filesystem";
 format = "vfat";
- mountpoint = "/boot";
+ mountpoint = "/boot/efi";
 };
 } # partition 1 (ESP)
- {
+ {
 name = "LUKS";
 start = "550MiB";
 end = "-64GiB";
@@ -65,13 +65,19 @@
 }; # content
 } # partition 2 (/ BTRFS)
 {
- name = "SWAP";
+ name = "LUKS-SWAP";
 start = "-64GiB";
 end = "100%";
 content = {
+ type = "luks";
+ name "SWAP";
+ settings = {
+ keyFile = "/swap.key";
+ allowDiscards = true;
+ };
 type = "swap";
- randomEncryption = true;
- resumeDevice = true; # resume from hiberation from this device
+ randomEncryption = false;
+ resumeDevice = true; # Hibernation
 };
 } # partition 3 (SWAP)
 ]; # partitions
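Review bot: `openssl rand -hex 512 > /etc/swap.key` creates the key with the caller's default umask, so the key that unlocks the swap (and any hibernation image on it) is typically world-readable on the installer host — the `chmod 0400` later in this script only touches the copy under /mnt — and the redirection creates the file before openssl runs, so a failed generation leaves an empty file that the later `-f` check accepts unless the script runs under `set -e`, which is not visible in this hunk. Create it with a restrictive mode and abort on failure: `(umask 077 && openssl rand -hex 512 > /etc/swap.key) || { echo "Failed to generate /etc/swap.key" >&2; exit 1; }`. The comment says "if needed" but the command is unconditional and silently overwrites any existing /etc/swap.key, so either drop "if needed" or guard it with `[[ -f /etc/swap.key ]] ||`. Writing into /etc without sudo also presumes the script already runs as root, which the `sudo cp` later in the file suggests is not guaranteed.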
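Review bot: The key is now generated unconditionally earlier in this script, so `if [[ -f "/etc/swap.key" ]]` no longer distinguishes an optional data-disk key from a required one; if the key is missing or empty the branch silently skips and the installed system ends up with a LUKS swap it cannot unlock at boot. Replace the guard with a hard failure, `[[ -s /etc/swap.key ]] || { echo "/etc/swap.key missing or empty" >&2; exit 1; }`, and install the copy with its final mode in one step instead of cp-then-chmod, which briefly leaves the target with the source's mode: `sudo install -m 0400 -o root -g root /etc/swap.key /mnt/etc/swap.key`. The comment above the block still talks about "a keyfile for a data disk" and should say swap. The enclosing `if [[ $REPLY =~ ^[Yy]$ ]]` block starts outside the hunk.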
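Review bot: Moving the ESP mountpoint to `/boot/efi` only works if the boot loader configuration agrees — for NixOS that is `boot.loader.efi.efiSysMountPoint = "/boot/efi";` — and that option lives outside this diff, so it should be confirmed it was changed alongside. I would add a comment on the changed line, `mountpoint = "/boot/efi"; # must match boot.loader.efi.efiSysMountPoint`, so the coupling is visible to the next editor. The `{` line is only a whitespace change, and the partitions list this sits in begins and ends outside the hunk.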
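Review bot: `name "SWAP";` is missing its `=` and will not parse as an attribute binding, and the added `type = "luks";` sits in the same attrset as the existing `type = "swap";`, which Nix rejects as a duplicate attribute — the swap definition has to move into a nested `content` of the LUKS layer so the partition is formatted as LUKS with swap inside. The path in `keyFile = "/swap.key"` also does not match `/etc/swap.key`, where install.sh in this same commit writes the key on both the installer and the target; which path disko reads at format time and which the initrd reads when resuming from hibernation is not visible here and needs verifying, since a resume device has to be unlocked before the root filesystem is available. `allowDiscards = true` on a LUKS swap is a deliberate trade-off that deserves a comment: discards reveal the in-use block pattern to anyone with access to the raw disk. The partitions list this entry belongs to begins before the hunk.
```nix
content = {
  type = "luks";
  name = "SWAP";
  settings = {
    keyFile = "/swap.key"; # NOTE(review): install.sh writes /etc/swap.key — confirm which path disko and the initrd read
    allowDiscards = true; # trade-off: TRIM support in exchange for leaking the used-block pattern
  };
  content = {
    type = "swap";
    randomEncryption = false;
    resumeDevice = true; # Hibernation
  };
};
```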