load zfs key from tpm

2024-06-01 16:58:34 -05:00
parent 6b194cf24f
commit b5a52ee878
1 changed files with 33 additions and 22 deletions
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -73,10 +73,7 @@ in
      httpsPort = "9443";
    };

-    #    ollama.enable = true;
-
    open-webui.enable = true;
-    #    open-webui.port = "3000";

    orca-slicer.enable = true;

@@ -161,10 +158,14 @@ in

    supportedFilesystems = [ "zfs" ];

-    zfs.extraPools = [ "junk" ];
+    zfs.extraPools = [ "junk" "MainPool" "SSD" ];
    zfs.requestEncryptionCredentials = false;
  };

+  security.tpm2 = {
+    enable = true;
+  };
+
  # Services configs
  services = {
    udisks2.enable = true;
@@ -174,13 +175,14 @@ in
      enable = enableDisplayManager;

      # Enable the Plasma 6 Desktop Environment.
-      displayManager = {
-        sddm.enable = enableDisplayManager;
-        #defaultSession = "plasma";
-      };
      desktopManager.plasma5.enable = enableDisplayManager;
    };

+    displayManager = {
+      sddm.enable = enableDisplayManager;
+      #defaultSession = "plasma";
+    };
+
    # Set to enable Flatpak
    flatpak.enable = false;

@@ -193,7 +195,7 @@ in

    avahi = {
      enable = true;
-      nssmdns = true;
+      nssmdns4 = true;
      publish = {
        enable = true;
        addresses = true;
@@ -285,20 +287,28 @@ in
      path = [
        pkgs.zfs
        pkgs.bash
+        pkgs.tpm2-tools
      ];
-      script = ''
-        if test -d /home/admin/ssd/ssd_app_data; then
-          echo "NAS ZFS Pools Mounted."
-        else
-          zpool import -f "MainPool"
-          zpool import -f "SSD"
-          zfs load-key -L file:///root/main-pool.key "MainPool"
-          zfs load-key -L file:///root/ssd.key "SSD"
-          zfs mount -a
-          echo "NAS ZFS Pools Mounted."
-        fi
-      '';
+
      wantedBy = [ "multi-user.target" ];
+
+      script = ''
+        tpm2_nvread 0x1500016 -C o -s 65 > /tmp/mainpool
+        tpm2_nvread 0x1600016 -C o -s 65 > /tmp/ssd
+
+        zfs load-key -L file:///tmp/mainpool "MainPool"
+        zfs load-key -L file:///tmp/ssd "SSD"
+
+        rm /tmp/mainpool
+        rm /tmp/ssd
+      '';
+
+      description = "Unlock ZFS pool using fTPM";
+      requires = [ "zfs-import-MainPool.service" "zfs-import-SSD.service" ];
+      after = [ "zfs-import-MainPool.service" "zfs-import-SSD.service" ];
+      before = [ "zfs-mount.service" ];
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
    };

    glances-server = {
@@ -307,7 +317,6 @@ in
        pkgs.glances
      ];
      script = ''
-        #!/user/bin/env bash
        glances -w
      '';
      wantedBy = [ "multi-user.target" ];
@@ -479,6 +488,8 @@ in
        aha
        papirus-icon-theme
        firefox
+        tpm2-tools
+        tpm2-tss
      ];
    };