This commit is contained in:
iFargle 2024-02-01 19:30:17 +09:00
parent 04673ec1a8
commit ba878932a3
2 changed files with 16 additions and 14 deletions


@ -37,12 +37,8 @@ if [ ! -e "nixos/hosts/$TARGET_HOST/disks.nix" ]; then
exit 1
fi
# Check if the machine we're provisioning expects a keyfile to unlock a disk.
# If it does, generate a new key, and write to a known location.
if grep -q "secret.key" "nixos/$TARGET_HOST/disks.nix"; then
echo "Secret key not found. Create one at /tmp/secret.key"
exit 1
fi
# Create a key for encrypted swap, if needed
openssl rand -hex 512 > /etc/swap.key
echo "WARNING! The disks in $TARGET_HOST are about to get wiped"
echo " NixOS will be re-installed"
@ -70,8 +66,8 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
# If there is a keyfile for a data disk, put copy it to the root partition and
# ensure the permissions are set appropriately.
if [[ -f "/tmp/secret.key" ]]; then
sudo cp /tmp/secret.key /mnt/etc/secret.key
sudo chmod 0400 /mnt/etc/secret.key
if [[ -f "/etc/swap.key" ]]; then
sudo cp /etc/swap.key /mnt/etc/swap.key
sudo chmod 0400 /mnt/etc/swap.key
fi
fi
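Review bot: The swap key is written by `openssl rand -hex 512 > /etc/swap.key` under the caller's default umask, so on the installer it is typically world-readable and is only ever chmod'ed on the copy made to /mnt/etc; creating it restricted from the start closes that window and also catches a failed openssl, e.g. `(umask 077; openssl rand -hex 512 > /etc/swap.key) || exit 1`. The original in /etc/swap.key is also left behind on the live installer after the copy, and removing it once the install has finished would be cheap. Separately, the grep on `nixos/$TARGET_HOST/disks.nix` does not match the `nixos/hosts/$TARGET_HOST/disks.nix` path used in the hunk header, and that branch exits whenever the config mentions secret.key rather than when /tmp/secret.key is missing — if those lines are new here, the check should probably be `if grep -q "secret.key" "nixos/hosts/$TARGET_HOST/disks.nix" && [[ ! -f /tmp/secret.key ]]; then`. As rendered, both `fi` of the second hunk follow the swap.key block, which would nest the swap-key copy inside the secret.key check so that no swap key reaches the target when there is no data-disk keyfile; worth confirming the actual nesting. The enclosing `if [[ $REPLY =~ ^[Yy]$ ]]` block of the second hunk starts outside the hunk.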


@ -20,7 +20,7 @@
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountpoint = "/boot/efi";
};
} # partition 1 (ESP)
{
@ -65,13 +65,19 @@
}; # content
} # partition 2 (/ BTRFS)
{
name = "SWAP";
name = "LUKS-SWAP";
start = "-64GiB";
end = "100%";
content = {
type = "luks";
name "SWAP";
settings = {
keyFile = "/swap.key";
allowDiscards = true;
};
type = "swap";
randomEncryption = true;
resumeDevice = true; # resume from hiberation from this device
randomEncryption = false;
resumeDevice = true; # Hibernation
};
} # partition 3 (SWAP)
]; # partitions
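Review bot: `name "SWAP";` in the new luks content block is missing the `=`, so this file will not parse; it should read `name = "SWAP";`. The new `keyFile = "/swap.key"` also does not agree with the other file in this commit, which generates the key at `/etc/swap.key` on the installer and copies it to `/mnt/etc/swap.key` on the target, so unless something else places a copy at `/swap.key` the key disko reads will not be the one the script generated; pick one path and use it in both places (e.g. `keyFile = "/etc/swap.key";`). With `randomEncryption = false` the swap contents now persist across boots and are protected only by this key file, which is what hibernation needs but makes the 0400 permission on the copied key the only thing guarding it; a one-line comment above `keyFile` stating that trade-off would help the next reader. The `partitions` list continues before and after this hunk.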