nullbox: setup auto decrypt

2024-03-01 20:52:40 -05:00 · 2024-03-01 20:52:40 -05:00 · cef77e2a56
commit cef77e2a56
parent f2bc1b7d0b
2 changed files with 29 additions and 10 deletions
--- a/hosts/nullbox/configuration.nix
+++ b/hosts/nullbox/configuration.nix
@ -10,6 +10,8 @@
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
+      # Encryption
+      ./luks.nix
    ];

  config = {
@ -54,16 +56,6 @@
      packageSets.gaming.enable = true;
    };

-    # cryptsetup
-    boot.initrd.luks.devices = {
-      lvmroot = {
-        device="/dev/disk/by-uuid/85b5f22e-0fa5-4f0d-8fba-f800a0b41671";
-        allowDiscards = true;
-        fallbackToPassword = true;
-        preLVM = true;
-      };
-    };
-
    # bootloader setup
    boot.loader = {
      efi = {
--- a/hosts/nullbox/luks.nix
+++ b/hosts/nullbox/luks.nix
@ -0,0 +1,27 @@
+{ pkgs, config, lib, ... }:
+let
+  usb = "903D-DF5B";
+in
+{
+  config = {
+    # cryptsetup
+    boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage"];
+    boot.initrd.supportedFilesystems = ["vfat"];
+
+    boot.initrd.luks.devices = {
+      lvmroot = {
+        preOpenCommands = ''
+          mkdir -m 0755 /key
+          sleep 1
+          mount -n -t vfat -o ro `findfs UUID=${usb}` /key
+        '';
+
+        device="/dev/disk/by-uuid/85b5f22e-0fa5-4f0d-8fba-f800a0b41671";
+        keyFile = "/key/image.png"; # yes it's literally an image file. bite me
+        allowDiscards = true;
+        fallbackToPassword = true;
+        preLVM = true;
+      };
+    };
+  };
+}