mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-07-02 19:11:33 +02:00
fix: hdd storage - auto unlock after booted (#158)
This commit is contained in:
@@ -1,8 +1,19 @@
|
|||||||
# auto disk partitioning:
|
# auto disk partitioning:
|
||||||
# nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
|
# nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
|
||||||
{
|
let
|
||||||
|
cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key";
|
||||||
|
unlockDisk = "data-encrypted";
|
||||||
|
in {
|
||||||
fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
|
fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
|
||||||
|
|
||||||
|
# By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time.
|
||||||
|
# This systemd service is running after agenix, so that the keyfile is already available.
|
||||||
|
environment.etc = {
|
||||||
|
"crypttab".text = ''
|
||||||
|
${unlockDisk} /dev/disk/by-partlabel/disk-${unlockDisk}-luks ${cryptKeyFile} luks,discard,keyfile-size=32768,keyfile-offset=65536
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
disk.data-encrypted = {
|
disk.data-encrypted = {
|
||||||
type = "disk";
|
type = "disk";
|
||||||
@@ -16,7 +27,7 @@
|
|||||||
type = "luks";
|
type = "luks";
|
||||||
name = "data-encrypted";
|
name = "data-encrypted";
|
||||||
settings = {
|
settings = {
|
||||||
keyFile = "/etc/agenix/hdd-luks-crypt-key";
|
keyFile = cryptKeyFile;
|
||||||
# The maximum size of the keyfile is 8192 KiB
|
# The maximum size of the keyfile is 8192 KiB
|
||||||
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
|
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
|
||||||
# to generate a key file:
|
# to generate a key file:
|
||||||
@@ -27,7 +38,8 @@
|
|||||||
allowDiscards = true;
|
allowDiscards = true;
|
||||||
};
|
};
|
||||||
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
|
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
|
||||||
# This data disk is not needed to boot the system, so we don't need to unlock it in the initrd.
|
# The keyfile do not exist before agenix decrypts its data, do we have to disable this option.
|
||||||
|
# Otherwise, the initrd will fail to unlock the disk, which causes the boot process to fail.
|
||||||
initrdUnlock = false;
|
initrdUnlock = false;
|
||||||
|
|
||||||
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
|
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
|
||||||
|
|||||||
Reference in New Issue
Block a user