From c5481909a1b70ddde8c2937024880f1f99d6f88a Mon Sep 17 00:00:00 2001 From: mjallen Date: Mon, 26 Jan 2026 23:08:34 +0000 Subject: [PATCH] isk --- modules/nixos/boot/common/default.nix | 25 +++++++++ modules/nixos/disko/options.nix | 2 +- secrets/nuc-nixos.jwe | 1 + systems/x86_64-linux/nuc-nixos/default.nix | 2 +- test.sh | 60 ++++++++++++++++++++++ 5 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 secrets/nuc-nixos.jwe create mode 100755 test.sh diff --git a/modules/nixos/boot/common/default.nix b/modules/nixos/boot/common/default.nix index 6ca38c4..fc04318 100644 --- a/modules/nixos/boot/common/default.nix +++ b/modules/nixos/boot/common/default.nix @@ -44,6 +44,31 @@ in bootspec.enable = (!isArm); initrd = { + secrets = { + "/etc/clevis/nuc-nixos.jwe" = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe"); + }; + + systemd.services."unlock-disk" = { + enable = true; + path = [ + pkgs.clevis + pkgs.bcachefs-tools + ]; + script = '' + clevis decrypt < "/etc/clevis/nuc-nixos.jwe" | bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root + ''; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = "10s"; # Limit how long we wait for network + }; + }; + + clevis = mkIf (config.${namespace}.hardware.disko.filesystem == "bcachefs"){ + enable = true; +# devices = { + # "/dev/disk/by-partlabel/${config.disko.devices.disk.main.content.partitions.root.name}".secretFile = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe"); + # }; + }; luks = mkIf cfg.yubikeyEncryption { devices = { "${config.disko.devices.disk.main.content.partitions.root.name}" = { diff --git a/modules/nixos/disko/options.nix b/modules/nixos/disko/options.nix index abfd25c..f6554b0 100644 --- a/modules/nixos/disko/options.nix +++ b/modules/nixos/disko/options.nix 
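Review bot: The added `systemd.services."unlock-disk"` under `initrd` carries no `wantedBy`/`requiredBy` and no `before` ordering, so as written nothing appears to pull it into the initrd transaction or run it ahead of the root mount; something like `wantedBy = [ "initrd.target" ]; before = [ "sysroot.mount" ];` is needed, and the unit should also wait for the device node (an `after`/`requires` on the corresponding device unit) rather than assuming it already exists when the script runs. The script unlocks `/dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root` while test.sh in the same commit uses that name under `by-partlabel`; the name looks like a disko partition label, so one of the two is probably wrong and it is worth checking which node udev actually creates. The comment on `TimeoutSec = "10s"` says it limits waiting for the network, but the script does no network I/O itself: if the pin is Tang, 10 s may abort the decrypt before networking is up in the initrd, and if it is TPM2 the comment is misleading. The `clevis = mkIf ... { enable = true; ... }` block enables the module with its `devices` commented out, so the hunk leaves two half-configured unlock paths; keep one and delete the other. The enclosing `initrd = { ... }` attrset continues outside the hunk.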
@@ -26,7 +26,7 @@ in swapSize = mkOpt types.str "16G" "size of swap part"; - rootDisk = mkOpt types.str "/dev/sdd" "Root disk"; + rootDisk = mkOpt types.str "/dev/nvme0n1" "Root disk"; compression = mkOpt types.str "zstd" "Type of compression to enable"; diff --git a/secrets/nuc-nixos.jwe b/secrets/nuc-nixos.jwe new file mode 100644 index 0000000..cb03f03 --- /dev/null +++ b/secrets/nuc-nixos.jwe @@ -0,0 +1 @@ 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..4-bjLiF31S6XOqia.9QMbvmJ4NePa5r4.LfReU5-wWfaH2X89dfnSOA \ No newline at end of file diff --git a/systems/x86_64-linux/nuc-nixos/default.nix b/systems/x86_64-linux/nuc-nixos/default.nix index 40633ae..8aa741f 100644 --- a/systems/x86_64-linux/nuc-nixos/default.nix +++ b/systems/x86_64-linux/nuc-nixos/default.nix @@ -9,7 +9,7 @@ # # Boot # # # ################################################### - boot.systemd-boot.enable = true; + bootloader.lanzaboote.enable = true; # ################################################### # # Hardware # # diff --git a/test.sh b/test.sh new file mode 100755 index 0000000..5e1d62c --- /dev/null +++ b/test.sh 
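Review bot: The new `rootDisk` default `/dev/nvme0n1` is a kernel-enumerated name rather than a stable identifier, and since this option feeds disko it selects the disk that gets partitioned, so a global default that happens to match one machine is risky for every other host that inherits it. A per-host value under `/dev/disk/by-id/` (e.g. `rootDisk = mkOpt types.str "/dev/disk/by-id/<placeholder-disk-id>" "Root disk";`) removes the dependence on enumeration order. If the default is kept, the description should say so, e.g. `"Root disk (default assumes a single NVMe device; override per host)"`. The enclosing attrset continues outside the hunk.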
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+disk=/dev/nvme0n1p
+
+# sudo mkfs.vfat "$disk"1
+# sudo bcachefs format --encrypted "$disk"2
+
+sudo mount -t tmpfs -o mode=755 none /mnt
+sudo mkdir -p /mnt/{boot,home,root,etc,nix,var/log,tmp,persist}
+sudo mount "$disk"1 /mnt/boot
+# sudo mkdir -p /mnt/boot/firmware
+# sudo mount "$disk"2 /mnt/boot/firmware
+# sudo mount "$disk"2 -o compress=zstd,subvol=home /mnt/home
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=root /mnt/root
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=etc /mnt/etc
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=nix /mnt/nix
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=log /mnt/var/log
+
+clevis decrypt < "secrets/nuc-nixos.jwe" | bcachefs unlock -k session /dev/disk/by-partlabel/disk-main-nuc-nixos-bcachefs-root
+
+# sudo bcachefs unlock -k session "$disk"2
+# sudo mount "$disk"2 /mnt/tmp
+# cd /mnt/tmp
+# sudo bcachefs subvolume create nix
+# sudo bcachefs subvolume create etc
+# sudo bcachefs subvolume create log
+# sudo bcachefs subvolume create root
+# sudo bcachefs subvolume create persist
+# sudo bcachefs subvolume create home
+# cd /etc/nixos
+# sudo umount /mnt/tmp
+
+sudo mount -o noatime,X-mount.subdir=nix "$disk"2 /mnt/nix
+sudo mount -o noatime,X-mount.subdir=etc "$disk"2 /mnt/etc
+sudo mount -o noatime,X-mount.subdir=log "$disk"2 /mnt/var/log
+sudo mount -o noatime,X-mount.subdir=root "$disk"2 /mnt/root
+sudo mount -o noatime,X-mount.subdir=persist "$disk"2 /mnt/persist
+sudo mount -o X-mount.subdir=home "$disk"2 /mnt/home
+
+# tree /mnt
+
+# sudo nixos-install --flake /etc/nixos#nuc-nixos
+
+# sudo umount /mnt/boot
+# sudo umount /mnt/var/log
+# sudo umount /mnt/persist
+# sudo umount /mnt/home
+# sudo umount /mnt/root
+# sudo umount /mnt/etc
+# sudo umount /mnt/nix
+# sudo umount /mnt
+
+# wpa_passphrase "Joey's Jungle 5G" "kR8v&3Qd" > 5g.conf
+# wpa_supplicant -i wlp6s0 -c 5g.conf -B
+# dhcpcd
+
+# keyctl link @u @s
+# clevis decrypt < "/etc/clevis/nas_pool.jwe" | bcachefs unlock /dev/disk/by-label/nas_pool
+
+
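Review bot: The commented-out `wpa_passphrase` line near the end of test.sh embeds a Wi-Fi SSID and passphrase in plaintext; it does not belong in the repository even as a comment, and because this commit already records it, deleting the line later does not remove it from history, so the passphrase should be treated as exposed and rotated. The active `clevis decrypt < "secrets/nuc-nixos.jwe" | bcachefs unlock ...` line reads the JWE relative to the current directory and, unlike every other active command in the file, runs without `sudo`, so the script only works from the repo root and the unlock may fail on device permissions; an absolute or `"$(dirname "$0")"`-relative path would make it location-independent. Nothing stops the script on failure: without `set -euo pipefail` near the top, a failed decrypt or unlock still lets the six `sudo mount -o ... X-mount.subdir=...` lines run against a still-locked device. `disk=/dev/nvme0n1p` hard-codes the enumerated device name, so a `/dev/disk/by-id/` path would keep the script from being pointed at the wrong drive if enumeration order changes.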