diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix
index 3c6adde0..5c8006c3 100644
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -176,7 +176,7 @@ in
 mountpoint = "none";
 encryption = "aes-256-gcm";
 keyformat = "passphrase";
- keylocation = "file:///tmp/root.key";
+ keylocation = "file:///tmp/secret.key";
 };
 # use this to read the key during boot
 postCreateHook = ''
@@ -186,22 +186,27 @@ in
 "encrypted/root" = {
 type = "zfs_fs";
 mountpoint = "/";
+ options.mountpoint = "legacy";
 };
 "encrypted/var" = {
 type = "zfs_fs";
 mountpoint = "/var";
+ options.mountpoint = "legacy";
 };
 "encrypted/etc" = {
 type = "zfs_fs";
 mountpoint = "/etc";
+ options.mountpoint = "legacy";
 };
 "encrypted/home" = {
 type = "zfs_fs";
 mountpoint = "/home";
+ options.mountpoint = "legacy";
 };
 "encrypted/nix" = {
 type = "zfs_fs";
 mountpoint = "/nix";
+ options.mountpoint = "legacy";
 };
 reserved = {
 # for cow delete if pool is full
@@ -230,7 +235,7 @@ in
 mountpoint = "none";
 encryption = "aes-256-gcm";
 keyformat = "passphrase";
- keylocation = "file:///tmp/storage.key";
+ keylocation = "file:///tmp/secret.key";
 };
 # use this to read the key during boot
 postCreateHook = ''
@@ -240,6 +245,7 @@ in
 "encrypted/data" = {
 type = "zfs_fs";
 mountpoint = "/data";
+ options.mountpoint = "legacy";
 };
 reserved = {
 # for cow delete if pool is full
@@ -255,11 +261,14 @@ in
 };
 };
+ boot.zfs.devNodes = cfg.devNodes;
+ fileSystems."/".neededForBoot = true;
 fileSystems."/etc".neededForBoot = true;
 fileSystems."/boot".neededForBoot = true;
 fileSystems."/var".neededForBoot = true;
 fileSystems."/home".neededForBoot = true;
 fileSystems."/nix".neededForBoot = true;
+ fileSystems."/data".neededForBoot = true;
 };
 }
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index b5a5587f..45b09c99 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
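Review bot: Both pools now read their passphrase from the same literal `file:///tmp/secret.key` (the `keylocation` line in this hunk and the one at @@ -230), so one passphrase unlocks root and storage, and the path is duplicated as a string that must also match what scripts/remote-install-encrypt.sh writes. A `let keyFile = "file:///tmp/secret.key"; in` binding, or a module option next to `devNodes`, keeps the two pool definitions and the installer script in sync. `keylocation` is persisted as a dataset property, so unless the `postCreateHook` that starts at the hunk's last line switches it back to `prompt`, the pool will look for `/tmp/secret.key` at every boot; a comment such as `# installer-provided passphrase file; postCreateHook must reset keylocation to prompt for boot` would state that contract. The pool definition and the hook body lie outside the hunk.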
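Review bot: The five datasets in this hunk (and `encrypted/data` at @@ -240) differ only in name and mountpoint yet each repeats `type`, `mountpoint` and the new `options.mountpoint = "legacy"`; a helper such as `mkLegacy = mp: { type = "zfs_fs"; mountpoint = mp; options.mountpoint = "legacy"; };` used as `"encrypted/root" = mkLegacy "/";` makes the `legacy` choice one decision instead of six. With `mountpoint=legacy` ZFS no longer auto-mounts these datasets and NixOS stage-1 has to, which is presumably why `neededForBoot` is extended at @@ -255; a one-line comment on the first dataset, `# legacy: mounted by NixOS fileSystems, not zfs-mount; keep neededForBoot below in sync`, records that dependency. The `datasets` set these entries belong to begins outside the hunk.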
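Review bot: `fileSystems."/data".neededForBoot = true` ties boot to the second (storage) pool: stage-1 must now import and unlock it before the system proceeds, so a missing or failed storage disk blocks boot instead of leaving `/data` unmounted. If that is intended, state it next to the line: `# /data is unlocked in stage-1 together with root; an absent storage pool stops boot`. `cfg.devNodes` must be declared as an option of this module, which is not visible in the diff; if it has no default, every host importing the module now has to set it. The enclosing config attribute set starts outside the hunk.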
@@ -32,6 +32,7 @@ in
 zfs = {
 forceImportAll = true;
 requestEncryptionCredentials = true;
+ };
 initrd = {
 availableKernelModules = cfg.ethernetDrivers;
@@ -48,18 +49,18 @@ in
 secrets = {
 "/etc/ssh/initrd" = "/etc/ssh/initrd";
 };
+ systemd.services.zfs-remote-unlock = {
+ description = "Prepare for ZFS remote unlock";
+ wantedBy = ["initrd.target"];
+ after = ["systemd-networkd.service"];
+ path = with pkgs; [ zfs ];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ echo "systemctl default" >> /var/empty/.profile
+ '';
+ };
 };
 kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
- systemd.services.zfs-remote-unlock = {
- description = "Prepare for ZFS remote unlock";
- wantedBy = ["initrd.target"];
- after = ["systemd-networkd.service"];
- path = with pkgs; [ zfs ];
- serviceConfig.Type = "oneshot";
- script = ''
- echo "systemctl default" >> /var/empty/.profile
- '';
- };
 };
 };
 }
\ No newline at end of file
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 72005ef9..2783fcc8 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -24,6 +24,9 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+diskKey=$(sops -d machines/$hostname/disk.key)
+echo "$diskKey" > /tmp/secret.key
+ ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
 ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
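Review bot: `path = with pkgs; [ zfs ]` on the relocated `zfs-remote-unlock` unit is unused: its script only runs `echo` with a redirect, so the zfs package is pulled into the initrd closure for nothing and the line can be dropped. `after = ["systemd-networkd.service"]` orders the unit but does not pull networkd in; if the unit must run once the network is up, add `wants = ["systemd-networkd.service"];` or note in a comment that the initrd network setup already starts it. The script also hard-codes `/var/empty/.profile` as the initrd login home, which I cannot confirm from the hunk; a comment such as `# root's initrd home is /var/empty: .profile runs on ssh login and resumes boot via systemctl default` would make the assumption explicit. The `};` added at @@ -32 is what moves this unit under `boot.initrd` and `kernelParams` under `boot`; the enclosing `boot` set begins outside the hunk.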
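Review bot: The decrypted disk passphrase is written to the fixed, predictable path `/tmp/secret.key` in the shared `/tmp` with the script's default umask (typically 0644), and nothing in this hunk removes it afterwards; the `<(sops -d …)` process substitution it replaces (see @@ -36) never left the key on disk, so secret handling regresses here. `echo "$diskKey"` also appends a newline, so the file content differs from what `sops -d` produced, and when `sops` fails an empty file is still written and the install continues with it. Write the key to a private temp file, fail on decryption error, delete it in the existing `cleanup` trap (defined outside the hunk) with `rm -f "$keyfile"`, and pass `--disk-encryption-keys /tmp/secret.key "$keyfile"` in both nixos-anywhere calls at @@ -36, where the first argument is the path on the target that must match `keylocation` in the disko module.
```shell
# Local copy of the disk passphrase: mktemp creates it 0600; cleanup removes it.
keyfile=$(mktemp)
sops -d "machines/$hostname/disk.key" > "$keyfile" \
  || { echo "failed to decrypt machines/$hostname/disk.key" >&2; exit 1; }
# … unchanged: ssh-keygen host key generation …
```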
@@ -36,9 +39,9 @@ chmod 600 "$temp/etc/ssh/initrd"
 if [ $# = 3 ]
 then
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
- --disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname $3@$ipaddress
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
 else
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
- --disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname root@$ipaddress
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
 fi
\ No newline at end of file
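Review bot: The two `nix run` invocations are identical except for the login user, and the edit to `--disk-encryption-keys` had to be made twice; `target_user=root; [ $# = 3 ] && target_user=$3` followed by a single call ending in `"$target_user@$ipaddress"` removes the duplication and quotes the expansion. `/tmp/secret.key /tmp/secret.key` reads as a typo unless annotated: `# --disk-encryption-keys <path on target, must equal keylocation in machines/modules/disko/default.nix> <local file>`. The local file argument is where the private temp file proposed for the hunk at @@ -24 would be passed instead of the fixed path.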