isk
@@ -44,6 +44,31 @@ in
|
|||||||
bootspec.enable = (!isArm);
|
bootspec.enable = (!isArm);
|
||||||
|
|
||||||
initrd = {
|
initrd = {
|
||||||
|
secrets = {
|
||||||
|
"/etc/clevis/nuc-nixos.jwe" = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe");
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."unlock-disk" = {
|
||||||
|
enable = true;
|
||||||
|
path = [
|
||||||
|
pkgs.clevis
|
||||||
|
pkgs.bcachefs-tools
|
||||||
|
];
|
||||||
|
script = ''
|
||||||
|
clevis decrypt < "/etc/clevis/nuc-nixos.jwe" | bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
TimeoutSec = "10s"; # Limit how long we wait for network
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
clevis = mkIf (config.${namespace}.hardware.disko.filesystem == "bcachefs"){
|
||||||
|
enable = true;
|
||||||
|
# devices = {
|
||||||
|
# "/dev/disk/by-partlabel/${config.disko.devices.disk.main.content.partitions.root.name}".secretFile = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe");
|
||||||
|
# };
|
||||||
|
};
|
||||||
luks = mkIf cfg.yubikeyEncryption {
|
luks = mkIf cfg.yubikeyEncryption {
|
||||||
devices = {
|
devices = {
|
||||||
"${config.disko.devices.disk.main.content.partitions.root.name}" = {
|
"${config.disko.devices.disk.main.content.partitions.root.name}" = {
|
||||||
|
|||||||
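Review bot: The new `unlock-disk` unit (from `systemd.services."unlock-disk" = {` through its closing `};`) declares no `wantedBy`, `before` or `after`, so nothing visible in this hunk pulls it into the initrd transaction or orders it ahead of the root mount, and the `TimeoutSec` comment about waiting for network is not backed by any `network-online.target` dependency. systemd runs services with `KeyringMode=private` by default, so the key that `bcachefs unlock -k session` adds lands in this unit's own session keyring and is unlikely to be visible to the later mount unit — presumably why test.sh carries a `keyctl link @u @s` line; `KeyringMode = "shared"` (what the upstream NixOS bcachefs initrd unlock units use) or `-k user` addresses that, verify against your initrd. A failed `clevis decrypt` pipes an empty key into `bcachefs unlock` with no `pipefail`, so the script should begin with `set -o pipefail`. The commented-out `devices` block under `clevis = mkIf …` leaves the initrd clevis module enabled but bound to no device; either wire it up or replace the stub with a comment saying why the hand-rolled service is used instead. The attrset nesting (whether this is `boot.initrd.systemd.services`) is not recoverable from the rendered page, and the `luks` definition continues past the end of the hunk.
```nix
systemd.services."unlock-disk" = {
  enable = true;
  # Pull the unit into the initrd transaction and run it before the root fs is mounted.
  wantedBy = [ "initrd.target" ];
  before = [ "sysroot.mount" ];
  # Only needed for a tang pin; drop these two for a tpm2-only pin — confirm which pin the JWE uses.
  after = [ "network-online.target" ];
  wants = [ "network-online.target" ];
  unitConfig.DefaultDependencies = false;
  path = [ pkgs.clevis pkgs.bcachefs-tools ];
  script = ''
    # An empty key from a failed decrypt must fail the unit, not reach bcachefs.
    set -o pipefail
    clevis decrypt < "/etc/clevis/nuc-nixos.jwe" | bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root
  '';
  serviceConfig = {
    Type = "oneshot";
    # The key must be visible to the later mount unit, not only to this service's private keyring.
    KeyringMode = "shared";
    TimeoutSec = "10s";
  };
};
```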
@@ -26,7 +26,7 @@ in
|
|||||||
|
|
||||||
swapSize = mkOpt types.str "16G" "size of swap part";
|
swapSize = mkOpt types.str "16G" "size of swap part";
|
||||||
|
|
||||||
rootDisk = mkOpt types.str "/dev/sdd" "Root disk";
|
rootDisk = mkOpt types.str "/dev/nvme0n1" "Root disk";
|
||||||
|
|
||||||
compression = mkOpt types.str "zstd" "Type of compression to enable";
|
compression = mkOpt types.str "zstd" "Type of compression to enable";
|
||||||
|
|
||||||
|
|||||||
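--- /dev/null
+++ b/secrets/nuc-nixos.jwe
@@ -0,0 +1 @@
+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..4-bjLiF31S6XOqia.9QMbvmJ4NePa5r4.LfReU5-wWfaH2X89dfnSOA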
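Review bot: `secrets/nuc-nixos.jwe` is committed to the repository and, because it is referenced from the flake source via `lib.snowfall.fs.get-file`, will presumably also be world-readable in `/nix/store`; that is acceptable only because a clevis JWE is ciphertext whose security rests entirely on its pin, and the pin is not visible anywhere in this commit. The JOSE header of the JWE is not encrypted, so anyone with repo access learns the pin configuration (e.g. a tang URL and key thumbprint, or a tpm2 PCR policy) — confirm that disclosure is acceptable and that the pin is not a passphrase-style one. Document the pin next to the reference in the Nix module, e.g. `# clevis JWE holding the root bcachefs key; bound to <pin> — rotating the pin means re-encrypting this file`.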
@@ -9,7 +9,7 @@
|
|||||||
# # Boot # #
|
# # Boot # #
|
||||||
# ###################################################
|
# ###################################################
|
||||||
|
|
||||||
boot.systemd-boot.enable = true;
|
bootloader.lanzaboote.enable = true;
|
||||||
|
|
||||||
# ###################################################
|
# ###################################################
|
||||||
# # Hardware # #
|
# # Hardware # #
|
||||||
|
|||||||
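Review bot: Switching to `bootloader.lanzaboote.enable = true;` means the initrd is now signed as part of a UKI, while the same commit starts depending on `boot.initrd.secrets` for the clevis JWE; confirm that the lanzaboote install path appends those secrets before signing, otherwise the unlock service will not find `/etc/clevis/nuc-nixos.jwe` at boot. `bootloader.lanzaboote` looks like a project-local wrapper rather than upstream `boot.lanzaboote`, so where the signing keys live and whether the firmware has them enrolled is not visible here; a one-line comment above this line naming the key location and enrollment procedure would help, e.g. `# Secure Boot via lanzaboote; signing keys live in <path>, enrolled with sbctl`.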
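--- /dev/null
+++ b/test.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+disk=/dev/nvme0n1p
+
+# sudo mkfs.vfat "$disk"1
+# sudo bcachefs format --encrypted "$disk"2
+
+sudo mount -t tmpfs -o mode=755 none /mnt
+sudo mkdir -p /mnt/{boot,home,root,etc,nix,var/log,tmp,persist}
+sudo mount "$disk"1 /mnt/boot
+# sudo mkdir -p /mnt/boot/firmware
+# sudo mount "$disk"2 /mnt/boot/firmware
+# sudo mount "$disk"2 -o compress=zstd,subvol=home /mnt/home
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=root /mnt/root
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=etc /mnt/etc
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=nix /mnt/nix
+# sudo mount "$disk"2 -o compress=zstd,noatime,subvol=log /mnt/var/log
+
+clevis decrypt < "secrets/nuc-nixos.jwe" | bcachefs unlock -k session /dev/disk/by-partlabel/disk-main-nuc-nixos-bcachefs-root
+
+# sudo bcachefs unlock -k session "$disk"2
+# sudo mount "$disk"2 /mnt/tmp
+# cd /mnt/tmp
+# sudo bcachefs subvolume create nix
+# sudo bcachefs subvolume create etc
+# sudo bcachefs subvolume create log
+# sudo bcachefs subvolume create root
+# sudo bcachefs subvolume create persist
+# sudo bcachefs subvolume create home
+# cd /etc/nixos
+# sudo umount /mnt/tmp
+
+sudo mount -o noatime,X-mount.subdir=nix "$disk"2 /mnt/nix
+sudo mount -o noatime,X-mount.subdir=etc "$disk"2 /mnt/etc
+sudo mount -o noatime,X-mount.subdir=log "$disk"2 /mnt/var/log
+sudo mount -o noatime,X-mount.subdir=root "$disk"2 /mnt/root
+sudo mount -o noatime,X-mount.subdir=persist "$disk"2 /mnt/persist
+sudo mount -o X-mount.subdir=home "$disk"2 /mnt/home
+
+# tree /mnt
+
+# sudo nixos-install --flake /etc/nixos#nuc-nixos
+
+# sudo umount /mnt/boot
+# sudo umount /mnt/var/log
+# sudo umount /mnt/persist
+# sudo umount /mnt/home
+# sudo umount /mnt/root
+# sudo umount /mnt/etc
+# sudo umount /mnt/nix
+# sudo umount /mnt
+
+# wpa_passphrase "Joey's Jungle 5G" "kR8v&3Qd" > 5g.conf
+# wpa_supplicant -i wlp6s0 -c 5g.conf -B
+# dhcpcd
+
+# keyctl link @u @s
+# clevis decrypt < "/etc/clevis/nas_pool.jwe" | bcachefs unlock /dev/disk/by-label/nas_pool
+
+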
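Review bot: The line `# wpa_passphrase "Joey's Jungle 5G" …` commits a real-looking Wi-Fi SSID and pre-shared key; commenting it out does not help now that it is in history, so delete the line, rotate that PSK, and in future invoke `wpa_passphrase "<ssid>"` without the second argument so it reads the passphrase from stdin. The script has no `set -euo pipefail`, so if `clevis decrypt … | bcachefs unlock …` fails the following `sudo mount -o … X-mount.subdir=…` lines still run against a locked filesystem; add `set -euo pipefail` directly after the shebang. That unlock line is also the only privileged command run without `sudo`, and it addresses the device as `/dev/disk/by-partlabel/…` where the NixOS `unlock-disk` service in this commit uses `/dev/disk/by-label/…` with the same name — pick one so the two cannot drift. Whether a key placed in this shell's session keyring by `bcachefs unlock -k session` is still visible to the subsequent `sudo mount` calls is unclear (the commented `keyctl link @u @s` suggests it was a problem); verify rather than assume.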