[disko] Bit of a hack but the storage partition now gets mounted after zroot using a file on the disk.

2025-01-24 18:30:31 +01:00
parent fb222bc1a4
commit 4a67683462
4 changed files with 6 additions and 6 deletions
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -187,6 +187,7 @@ in
              postCreateHook = lib.mkIf cfg.encryption ''
                zfs set keylocation="prompt" zroot/encrypted;
              '';
+
            };
            "encrypted/root" = {
              type = "zfs_fs";
@@ -244,13 +245,12 @@ in
              };
              # use this to read the key during boot
              postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="prompt" storage/encrypted;
+                zfs set keylocation="file:///root/secret.key" storage/encrypted;
              '';
            };
            "encrypted/data" = {
              type = "zfs_fs";
              mountpoint = "/data";
-              options.mountpoint = "legacy";
            };
            reserved = {
              # for cow delete if pool is full
@@ -267,7 +267,7 @@ in
    };

    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-
+    boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
    fileSystems."/".neededForBoot = true;
    fileSystems."/etc".neededForBoot = true;
    fileSystems."/boot".neededForBoot = true;
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -30,9 +30,7 @@ in
      loader.efi.canTouchEfiVariables = true;
      supportedFilesystems = [ "vfat" "zfs" ];
      zfs = {
-        forceImportAll = true;
        requestEncryptionCredentials = true;
-        
      };
      initrd = {
        availableKernelModules = cfg.ethernetDrivers;
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
@@ -24,7 +24,7 @@ in

  malobeo.disks = {
    enable = true;
-    encryption = false;
+    encryption = true;
    hostId = "83abc8cb";
    devNodes = "/dev/disk/by-path/";
    root = {
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -37,9 +37,11 @@ trap cleanup EXIT

 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/root/"

 diskKey=$(sops -d machines/$hostname/disk.key)
 echo "$diskKey" > /tmp/secret.key
+echo "$diskKey" > $temp/root/secret.key

 ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
 ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""