Use actual encryption passwords
parent
54ec1fc9ba
commit
f20678d134
|
@ -1 +1,2 @@
|
||||||
import ../dk/single_uefi_btrfs.nix { id = "usb-Kingston_DataTraveler_3.0_E0D55EA57414F510489F0F1A-0:0"; name = "curacao_usb"; }
|
{ ... } @ args:
|
||||||
|
import ../dk/single_uefi_btrfs.nix (args // { id = "usb-Kingston_DataTraveler_3.0_E0D55EA57414F510489F0F1A-0:0"; name = "curacao_usb"; })
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ id, name, ... }:
|
{ id, name, passwordFile ? "/should_not_be_needed_in_this_context", ... }:
|
||||||
{
|
{
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
disk = {
|
disk = {
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
content = {
|
content = {
|
||||||
type = "luks";
|
type = "luks";
|
||||||
name = "${name}";
|
name = "${name}";
|
||||||
passwordFile = "/tmp/secret.key"; # FIXME Generate this somehow
|
passwordFile = passwordFile;
|
||||||
settings = {
|
settings = {
|
||||||
# Not having SSDs die fast is more important than crypto
|
# Not having SSDs die fast is more important than crypto
|
||||||
# nerds that could potentially discover which filesystem I
|
# nerds that could potentially discover which filesystem I
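Review bot: The placeholder default `"/should_not_be_needed_in_this_context"` in the argument set of the first hunk is undocumented, so a reader cannot tell which contexts may omit `passwordFile` and which must pass it. If a format run ever reaches this file without `--argstr passwordFile`, the failure would presumably surface as a missing key file at the LUKS step rather than as a clear message about the missing argument. I would add a comment above the argument line, for example `# passwordFile: one-line LUKS passphrase file, supplied by the install script via --argstr; the default is a placeholder for evaluations that never open the device`. The function body continues outside both hunks, so how `passwordFile` is consumed beyond the `luks` content block is not visible here.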
|
||||||
|
|
|
@ -64,6 +64,7 @@ fi
|
||||||
|
|
||||||
mountpoint="/mnt/nixos"
|
mountpoint="/mnt/nixos"
|
||||||
nix_flakes_cmd="nix --extra-experimental-features nix-command --extra-experimental-features flakes"
|
nix_flakes_cmd="nix --extra-experimental-features nix-command --extra-experimental-features flakes"
|
||||||
|
luks_pass_path="luks/$(basename ${profile})"
|
||||||
|
|
||||||
set -x
|
set -x
|
||||||
|
|
||||||
|
@ -73,8 +74,15 @@ sudo mkdir -p "$mountpoint"
|
||||||
# Not great, but fixable with flakes I guess
|
# Not great, but fixable with flakes I guess
|
||||||
sudo ./add_channels.sh
|
sudo ./add_channels.sh
|
||||||
|
|
||||||
|
# Load encryption password
|
||||||
|
luks_pass_file="$(mktemp --suffix="luks_password")"
|
||||||
|
pass $luks_pass_path | head -n1 | tr -d '\n' > $luks_pass_file
|
||||||
|
|
||||||
# Format or mount disk
|
# Format or mount disk
|
||||||
sudo $nix_flakes_cmd run github:nix-community/disko -- --root-mountpoint "$mountpoint" --mode "$disko_mode" "$disko_config"
|
sudo $nix_flakes_cmd run github:nix-community/disko -- --root-mountpoint "$mountpoint" --mode "$disko_mode" --argstr passwordFile "$luks_pass_file" "$disko_config"
|
||||||
|
|
||||||
|
# Unload encryption password
|
||||||
|
rm "$luks_pass_file"
|
||||||
|
|
||||||
# Generate hardware-config.nix
|
# Generate hardware-config.nix
|
||||||
sudo nixos-generate-config --no-filesystems --root "$mountpoint"
|
sudo nixos-generate-config --no-filesystems --root "$mountpoint"
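Review bot: The temporary passphrase file written in the "Load encryption password" step is removed only by the plain `rm "$luks_pass_file"` after the disko call, so an interrupted run, or a disko failure if the script exits on error, leaves the LUKS passphrase in the temp directory. Registering the cleanup right after `mktemp` with `trap 'rm -f "$luks_pass_file"' EXIT` covers those paths. The result of `pass` is also never checked: unless `pipefail` is set outside this hunk, the pipeline's status is that of `tr`, so a missing entry yields an empty file that is still handed to disko in format mode. A guard such as `[ -s "$luks_pass_file" ] || exit 1` before the disko line would stop that. `$luks_pass_path`, `$luks_pass_file` and `${profile}` are also expanded unquoted in the new lines and should be quoted.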
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
import ../dk/single_uefi_btrfs.nix { id = "mmc-SN32G_0xfb19ae99"; name = "pindakaas_sd"; }
|
{ ... } @ args:
|
||||||
|
import ../dk/single_uefi_btrfs.nix (args // { id = "mmc-SN32G_0xfb19ae99"; name = "pindakaas_sd"; })
|
||||||
|
|