Allow disableing encryption for testing

2025-01-02 14:07:38 +01:00
parent 63f2ca5b3c
commit f44adbc815
3 changed files with 17 additions and 12 deletions
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -1,4 +1,4 @@
-{config, lib, inputs, ...}:
+{config, inputs, lib, ...}:
 let 
  cfg = config.malobeo.disks;
 in
@@ -15,6 +15,11 @@ in
      default = "";
      description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
    };
+    encryption = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Allows encryption to be disabled for testing";
+    };
    devNodes = lib.mkOption {
      type = lib.types.str;
      default = "/dev/disk/by-id/";
@@ -174,12 +179,12 @@ in
              type = "zfs_fs";
              options = {
                mountpoint = "none";
-                encryption = "aes-256-gcm";
-                keyformat = "passphrase";
-                keylocation = "file:///tmp/secret.key";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
              };
              # use this to read the key during boot
-              postCreateHook = ''
+              postCreateHook = lib.mkIf cfg.encryption ''
                zfs set keylocation="prompt" zroot/encrypted;
              '';
            };
@@ -233,12 +238,12 @@ in
              type = "zfs_fs";
              options = {
                mountpoint = "none";
-                encryption = "aes-256-gcm";
-                keyformat = "passphrase";
-                keylocation = "file:///tmp/secret.key";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
              };
              # use this to read the key during boot
-              postCreateHook = ''
+              postCreateHook = lib.mkIf cfg.encryption ''
                zfs set keylocation="prompt" storage/encrypted;
              '';
            };
@@ -261,7 +266,7 @@ in
      };
    };

-    boot.zfs.devNodes = cfg.devNodes;
+    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;

    fileSystems."/".neededForBoot = true;
    fileSystems."/etc".neededForBoot = true;
@@ -269,6 +274,5 @@ in
    fileSystems."/var".neededForBoot = true;
    fileSystems."/home".neededForBoot = true;
    fileSystems."/nix".neededForBoot = true;
-    fileSystems."/data".neededForBoot = true;
  };
 }
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -24,7 +24,7 @@ in
    };
  };
  
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
    boot = {
      loader.systemd-boot.enable = true;
      loader.efi.canTouchEfiVariables = true;
--- a/machines/testvm/default.nix
+++ b/machines/testvm/default.nix
@@ -22,6 +22,7 @@ in

  malobeo.disks = {
    enable = true;
+    encryption = false;
    hostId = "83abc8cb";
    devNodes = "/dev/disk/by-path/";
    root = {