diff --git a/hosts/idols-aquamarine/disko-fs.nix b/hosts/idols-aquamarine/disko-fs.nix index 7f1cc959..8dba92af 100644 --- a/hosts/idols-aquamarine/disko-fs.nix +++ b/hosts/idols-aquamarine/disko-fs.nix @@ -1,8 +1,19 @@ # auto disk partitioning: # nix run github:nix-community/disko -- --mode disko ./disko-fs.nix -{ +let + cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key"; + unlockDisk = "data-encrypted"; +in { fileSystems."/data/fileshare/public".depends = ["/data/fileshare"]; + # By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time. + # This systemd service is running after agenix, so that the keyfile is already available. + environment.etc = { + "crypttab".text = '' + ${unlockDisk} /dev/disk/by-partlabel/disk-${unlockDisk}-luks ${cryptKeyFile} luks,discard,keyfile-size=32768,keyfile-offset=65536 + ''; + }; + disko.devices = { disk.data-encrypted = { type = "disk"; @@ -16,7 +27,7 @@ type = "luks"; name = "data-encrypted"; settings = { - keyFile = "/etc/agenix/hdd-luks-crypt-key"; + keyFile = cryptKeyFile; # The maximum size of the keyfile is 8192 KiB # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes # to generate a key file: @@ -27,7 +38,8 @@ allowDiscards = true; }; # Whether to add a boot.initrd.luks.devices entry for the specified disk. - # This data disk is not needed to boot the system, so we don't need to unlock it in the initrd. + # The keyfile do not exist before agenix decrypts its data, do we have to disable this option. + # Otherwise, the initrd will fail to unlock the disk, which causes the boot process to fail. initrdUnlock = false; # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.