prescientmoon/satellite
1
Fork 0
Code Activity

Give up and manually type zfs decryption keys

Browse source
This commit is contained in:
Matei Adriel 2024-01-18 06:20:07 +01:00
parent c5a0381c9e
commit 2c01cf98f4
No known key found for this signature in database
3 changed files with 10 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
hosts/nixos/lapetus/filesystems/default.nix
View file

@ -8,9 +8,5 @@
# Mark a bunch of paths as needed for boot # Mark a bunch of paths as needed for boot
fileSystems = lib.attrsets.genAttrs fileSystems = lib.attrsets.genAttrs
[ "/" "/nix" "/persist/data" "/persist/state" "/persist/local/cache" "/boot" ] [ "/" "/nix" "/persist/data" "/persist/state" "/persist/local/cache" "/boot" ]
(p: { (p: { neededForBoot = true; });
neededForBoot = true;
# We need the extra check to allow nix to topologically sort everything
depends = lib.mkIf (p != "/") [ "/hermes" ];
});
} }

20
hosts/nixos/lapetus/filesystems/partitions.nix
View file

@ -47,38 +47,34 @@
postCreateHook = '' postCreateHook = ''
zfs snapshot zroot@blank zfs snapshot zroot@blank
zfs set keylocation="prompt" "zroot";
''; '';
rootFsOptions = { rootFsOptions = {
compression = "lz4"; compression = "lz4";
"com.sun:auto-snapshot" = "false"; "com.sun:auto-snapshot" = "false";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///hermes/secret.key";
}; };
# {{{ Datasets # {{{ Datasets
datasets = { datasets = {
"secure" = { "root/persist/data" = {
type = "zfs_fs";
options = {
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///hermes/secrets/lapetus/disk.key";
};
};
"secure/persist/data" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/persist/data"; mountpoint = "/persist/data";
options."com.sun:auto-snapshot" = "true"; options."com.sun:auto-snapshot" = "true";
}; };
"secure/persist/state" = { "root/persist/state" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/persist/state"; mountpoint = "/persist/state";
options."com.sun:auto-snapshot" = "true"; options."com.sun:auto-snapshot" = "true";
}; };
"secure/local/nix" = { "root/local/nix" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/nix"; mountpoint = "/nix";
}; };
"secure/local/cache" = { "root/local/cache" = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/persist/local/cache"; mountpoint = "/persist/local/cache";
}; };

23
hosts/nixos/lapetus/filesystems/zfs.nix
View file

@ -3,32 +3,11 @@ let secretMountpoint = "/hermes";
in in
{ {
# Configure ZFS # Configure ZFS
boot.supportedFilesystems = [ "zfs" "ext4" ]; boot.supportedFilesystems = [ "zfs" ];
boot.zfs.extraPools = [ "zroot" ]; boot.zfs.extraPools = [ "zroot" ];
boot.zfs.requestEncryptionCredentials = [ "secure" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelParams = [ "nohibernate" ]; boot.kernelParams = [ "nohibernate" ];
fileSystems."/hermes" = {
neededForBoot = true;
device = "/dev/disk/by-uuid/9f795d9c-5ee0-4c53-a5bf-97767cd9a30b";
fsType = "ext4";
options = [ "x-systemd.automount" "nofail" ];
};
# # {{{ Mount usb for zfs secrets
# boot.initrd.systemd.mounts = [{
# where = "/hermes";
# what = "/dev/sdb";
#
# # The usb contains sensitive data that should only be readable to root
# # mountConfig.DirectoryMode = "0750";
#
# wantedBy = [ "zfs-import.target" ];
# before = [ "zfs-import.target" ];
# }];
# # }}}
boot.initrd.systemd.services = { boot.initrd.systemd.services = {
# # {{{ Rollback # # {{{ Rollback
# rollback = { # rollback = {