diff --git a/curacao/dk.nix b/curacao/dk.nix
index d66bd20..5f14889 100644
--- a/curacao/dk.nix
+++ b/curacao/dk.nix
@@ -1,5 +1,7 @@
 { passwordFile ? "/should_not_be_needed_in_this_context", ... }:
 # FIXME Subvolumes for backup. If they're not created with the script. Add the script btw.
+# Doesn't seem like it's possible to decrypt luks partition at stage2, hence why everything is with a password now
+# TODO Find a way to use keys in filesystem
 # TODO Not relatime everywhere, thank you
 # TODO Default options
 let
@@ -72,11 +74,10 @@ in
 content = {
 type = "luks";
 name = "boot";
- initrdUnlock = false;
 extraFormatArgs = [ "--type luks1" ];
 passwordFile = passwordFile;
 settings = {
- keyFile = "/etc/keys/boot";
+ # keyFile = "/etc/keys/boot";
 };
 content = {
 type = "filesystem";
@@ -95,9 +96,9 @@ in
 content = {
 type = "luks";
 name = "razmo";
- initrdUnlock = false;
+ passwordFile = passwordFile;
 settings = {
- keyFile = "/etc/keys/razmo";
+ # keyFile = "/etc/keys/razmo";
 };
 content = {
 type = "btrfs";
@@ -130,9 +131,9 @@ in
 content = {
 type = "luks";
 name = "rapswap";
- initrdUnlock = false;
+ passwordFile = passwordFile;
 settings = {
- keyFile = "/etc/keys/rapswap";
+ # keyFile = "/etc/keys/rapswap";
 allowDiscards = true;
 };
 content = {
diff --git a/curacao/os.nix b/curacao/os.nix
index b92c72c..16f476b 100644
--- a/curacao/os.nix
+++ b/curacao/os.nix
@@ -9,6 +9,7 @@
 networking.hostName = "curacao";
 boot = {
+ initrd.luks.reusePassphrases = true;
 loader = {
 efi.efiSysMountPoint = "/efi";
 };
diff --git a/os/geoffrey.nix b/os/geoffrey.nix
index cd27181..08b09a7 100644
--- a/os/geoffrey.nix
+++ b/os/geoffrey.nix
@@ -4,6 +4,8 @@
 ];
+ users.users.root.initialHashedPassword = "$y$j9T$e64bjL7iyVlniEKwKbM9g0$cCn74za0r6L9QMO20Fdxz3/SX0yvhz3Xd6.2BhtbRL1"; # Not a real password
+ users.users.geoffrey = {
 isNormalUser = true;
 extraGroups = [ "adbusers" "wheel" ];
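Review bot: The `boot`, `razmo` and `rapswap` containers (hunks at -72, -95 and -130 of curacao/dk.nix) are now all formatted from the same `passwordFile`, while `boot` keeps `extraFormatArgs = [ "--type luks1" ]`, so the one shared passphrase is also protected by the LUKS1 header's PBKDF2 derivation, which is generally cheaper to guess against offline than the key derivation the other two volumes presumably get by default. If sharing the passphrase is intended, say so next to the first `passwordFile = passwordFile;`, for example `# Same passphrase on boot/razmo/rapswap so stage 1 prompts once; boot is LUKS1, so it must be long`. The commented-out `# keyFile = ...` lines leave `settings = { }` empty on `boot` and `razmo`; one reference to the TODO at the top of the file would read better than three dead lines. Each `content = { ... }` block starts and ends outside its hunk.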
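Review bot: `initrd.luks.reusePassphrases = true;` in curacao/os.nix carries no comment tying it to the disk layout, and as far as I know this option already defaults to true in NixOS, so the line reads as a no-op unless its intent is written down. A comment such as `# dk.nix formats boot, razmo and rapswap with one passphrase; reuse it so stage 1 prompts once` would record why it is set explicitly and what breaks if the volumes later get distinct passphrases. The `boot = { ... }` block continues outside the hunk.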
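Review bot: The root hash set through `users.users.root.initialHashedPassword` in os/geoffrey.nix is committed to the repository and ends up in the world-readable Nix store, so anyone who can read either can test guesses against it offline; the `# Not a real password` comment does not say whether the hash is unusable, a throwaway, or just not the production secret. If root is never meant to log in with a password, a locked value states that directly: `users.users.root.initialHashedPassword = "!";`. If a password is needed, `hashedPasswordFile` pointing at a secret kept outside the store avoids publishing the hash. Since `initialHashedPassword` only applies when the account is first created, the comment should also say whether the password is expected to be changed after installation.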