This commit is contained in:
iFargle 2024-02-01 19:30:17 +09:00
parent 04673ec1a8
commit ba878932a3
2 changed files with 16 additions and 14 deletions


@ -37,12 +37,8 @@ if [ ! -e "nixos/hosts/$TARGET_HOST/disks.nix" ]; then
exit 1 exit 1
fi fi
# Check if the machine we're provisioning expects a keyfile to unlock a disk. # Create a key for encrypted swap, if needed
# If it does, generate a new key, and write to a known location. openssl rand -hex 512 > /etc/swap.key
if grep -q "secret.key" "nixos/$TARGET_HOST/disks.nix"; then
echo "Secret key not found. Create one at /tmp/secret.key"
exit 1
fi
echo "WARNING! The disks in $TARGET_HOST are about to get wiped" echo "WARNING! The disks in $TARGET_HOST are about to get wiped"
echo " NixOS will be re-installed" echo " NixOS will be re-installed"
@ -70,8 +66,8 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
# If there is a keyfile for a data disk, put copy it to the root partition and # If there is a keyfile for a data disk, put copy it to the root partition and
# ensure the permissions are set appropriately. # ensure the permissions are set appropriately.
if [[ -f "/tmp/secret.key" ]]; then if [[ -f "/etc/swap.key" ]]; then
sudo cp /tmp/secret.key /mnt/etc/secret.key sudo cp /etc/swap.key /mnt/etc/swap.key
sudo chmod 0400 /mnt/etc/secret.key sudo chmod 0400 /mnt/etc/swap.key
fi fi
fi fi
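Review bot: The new `openssl rand -hex 512 > /etc/swap.key` line in the first hunk creates the key file with the caller's default umask (typically 0644), so the LUKS key is readable by every local user on the provisioning host until the copy at `/mnt/etc/swap.key` gets its `chmod 0400` in the second hunk, and the original in `/etc` is never tightened. The comment above it says "if needed", but the command runs unconditionally and silently overwrites any existing key, and it does not use `sudo` or check the redirect's result, although the later copy does. Suggest writing the key with a restrictive umask and guarding the existing-file case, e.g. `if [[ ! -f /etc/swap.key ]]; then` / `  (umask 077 && openssl rand -hex 512 > /etc/swap.key) || exit 1` / `fi`. Note also that the disko config in this same commit references `keyFile = "/swap.key"`, not `/etc/swap.key`; unless disko resolves that path differently, the generated key will not be the one used to format the swap partition. The `if [[ $REPLY =~ ^[Yy]$ ]]` block enclosing the second hunk starts outside it.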


@ -20,10 +20,10 @@
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/boot"; mountpoint = "/boot/efi";
}; };
} # partition 1 (ESP) } # partition 1 (ESP)
{ {
name = "LUKS"; name = "LUKS";
start = "550MiB"; start = "550MiB";
end = "-64GiB"; end = "-64GiB";
@ -65,13 +65,19 @@
}; # content }; # content
} # partition 2 (/ BTRFS) } # partition 2 (/ BTRFS)
{ {
name = "SWAP"; name = "LUKS-SWAP";
start = "-64GiB"; start = "-64GiB";
end = "100%"; end = "100%";
content = { content = {
type = "luks";
name "SWAP";
settings = {
keyFile = "/swap.key";
allowDiscards = true;
};
type = "swap"; type = "swap";
randomEncryption = true; randomEncryption = false;
resumeDevice = true; # resume from hiberation from this device resumeDevice = true; # Hibernation
}; };
} # partition 3 (SWAP) } # partition 3 (SWAP)
]; # partitions ]; # partitions
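Review bot: `name "SWAP";` inside the new `content = { type = "luks"; … }` block is missing the `=`, so this file will not parse; it should read `name = "SWAP";`. The new `keyFile = "/swap.key";` also does not match the `/etc/swap.key` path that the install script in this commit writes and copies, so one of the two paths needs to change for the key to be found at format time. Since `resumeDevice = true` now targets a LUKS volume with a persistent key, the initrd must be able to unlock it before resume; that depends on boot configuration outside this hunk, so it is worth confirming and documenting with a comment such as `# key must be reachable from the initrd for resume to work`.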