Allow disableing encryption for testing

This commit is contained in:
ahtlon
2025-01-02 14:07:38 +01:00
parent 63f2ca5b3c
commit f44adbc815
3 changed files with 17 additions and 12 deletions


@@ -1,4 +1,4 @@
{config, lib, inputs, ...}: {config, inputs, lib, ...}:
let let
cfg = config.malobeo.disks; cfg = config.malobeo.disks;
in in
@@ -15,6 +15,11 @@ in
default = ""; default = "";
description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'"; description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
}; };
encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Allows encryption to be disabled for testing";
};
devNodes = lib.mkOption { devNodes = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/dev/disk/by-id/"; default = "/dev/disk/by-id/";
@@ -174,12 +179,12 @@ in
type = "zfs_fs"; type = "zfs_fs";
options = { options = {
mountpoint = "none"; mountpoint = "none";
encryption = "aes-256-gcm"; encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = "passphrase"; keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = "file:///tmp/secret.key"; keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
}; };
# use this to read the key during boot # use this to read the key during boot
postCreateHook = '' postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted; zfs set keylocation="prompt" zroot/encrypted;
''; '';
}; };
@@ -233,12 +238,12 @@ in
type = "zfs_fs"; type = "zfs_fs";
options = { options = {
mountpoint = "none"; mountpoint = "none";
encryption = "aes-256-gcm"; encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = "passphrase"; keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = "file:///tmp/secret.key"; keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
}; };
# use this to read the key during boot # use this to read the key during boot
postCreateHook = '' postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" storage/encrypted; zfs set keylocation="prompt" storage/encrypted;
''; '';
}; };
@@ -261,7 +266,7 @@ in
}; };
}; };
boot.zfs.devNodes = cfg.devNodes; boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
fileSystems."/".neededForBoot = true; fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true; fileSystems."/etc".neededForBoot = true;
@@ -269,6 +274,5 @@ in
fileSystems."/var".neededForBoot = true; fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/nix".neededForBoot = true;
fileSystems."/data".neededForBoot = true;
}; };
} }
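Review bot: Setting `encryption = false` makes the third and fourth hunks create zroot/encrypted and storage/encrypted without ZFS native encryption, and nothing at evaluation time surfaces that a host was built that way. Since the option exists for testing, a NixOS warning next to these consumers would make an unencrypted build visible in the eval log, e.g. `warnings = lib.optional (!cfg.encryption) "malobeo.disks: ZFS encryption is disabled; intended for testing only.";` (the enclosing config attrset starts outside the hunk). The option description in the second hunk could also say what is skipped rather than only why, e.g. `description = "Enable ZFS native encryption for the root and storage datasets; set to false only for testing.";`. With encryption off the dataset name `encrypted` no longer describes the dataset, which deserves a comment at the two `mountpoint = "none"` datasets.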


@@ -24,7 +24,7 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = { boot = {
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;


@@ -22,6 +22,7 @@ in
malobeo.disks = { malobeo.disks = {
enable = true; enable = true;
encryption = false;
hostId = "83abc8cb"; hostId = "83abc8cb";
devNodes = "/dev/disk/by-path/"; devNodes = "/dev/disk/by-path/";
root = { root = {