l hilum.r: pass luks passphrase in flash script
This commit is contained in:
lassulus
parent
f10b0ca342
commit
34360eb931
|
|
@ -1,4 +1,4 @@
|
||||||
{ lib, disk, ... }:
|
{ lib, disk, keyFile, ... }:
|
||||||
{
|
{
|
||||||
disk = {
|
disk = {
|
||||||
main = {
|
main = {
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
content = {
|
content = {
|
||||||
type = "luks";
|
type = "luks";
|
||||||
name = "hilum_luks";
|
name = "hilum_luks";
|
||||||
# keyFile = "/tmp/secret.key";
|
keyFile = keyFile;
|
||||||
content = {
|
content = {
|
||||||
type = "filesystem";
|
type = "filesystem";
|
||||||
format = "xfs";
|
format = "xfs";
|
||||||
|
|
|
||||||
14
lass/1systems/hilum/flash-stick.sh
Normal file → Executable file
14
lass/1systems/hilum/flash-stick.sh
Normal file → Executable file
|
|
@ -4,14 +4,24 @@ set -efux
|
||||||
disk=$1
|
disk=$1
|
||||||
|
|
||||||
export NIXPKGS_ALLOW_UNFREE=1
|
export NIXPKGS_ALLOW_UNFREE=1
|
||||||
|
(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks)
|
||||||
|
trap 'rm -f /tmp/hilum.luks' EXIT
|
||||||
stockholm_root=$(git rev-parse --show-toplevel)
|
stockholm_root=$(git rev-parse --show-toplevel)
|
||||||
ssh root@localhost -t -- $(nix-build \
|
ssh root@localhost -t -- $(nix-build \
|
||||||
--no-out-link \
|
--no-out-link \
|
||||||
-I nixpkgs=/var/src/nixpkgs \
|
-I nixpkgs=/var/src/nixpkgs \
|
||||||
-I stockholm="$stockholm_root" \
|
-I stockholm="$stockholm_root" \
|
||||||
-I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
|
-I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
|
||||||
-E "with import <nixpkgs> {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript"
|
-E "with import <nixpkgs> {}; (pkgs.nixos [
|
||||||
|
{
|
||||||
|
luksPassFile = \"/tmp/hilum.luks\";
|
||||||
|
mainDisk = \"$disk\";
|
||||||
|
disko.rootMountPoint = \"/mnt/hilum\";
|
||||||
|
}
|
||||||
|
./physical.nix
|
||||||
|
]).disko"
|
||||||
)
|
)
|
||||||
|
rm -f /tmp/hilum.luks
|
||||||
$(nix-build \
|
$(nix-build \
|
||||||
--no-out-link \
|
--no-out-link \
|
||||||
-I nixpkgs=/var/src/nixpkgs \
|
-I nixpkgs=/var/src/nixpkgs \
|
||||||
|
|
@ -21,7 +31,7 @@ $(nix-build \
|
||||||
--arg force true
|
--arg force true
|
||||||
)
|
)
|
||||||
ssh root@localhost << SSH
|
ssh root@localhost << SSH
|
||||||
nixos-install --no-root-password --root /mnt/hilum -I /var/src
|
NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src
|
||||||
nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
|
nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
|
||||||
umount -Rv /mnt/hilum
|
umount -Rv /mnt/hilum
|
||||||
SSH
|
SSH
|
||||||
|
|
|
||||||
|
|
@ -12,11 +12,18 @@
|
||||||
};
|
};
|
||||||
config.environment.etc.hilum-disk.text = config.mainDisk;
|
config.environment.etc.hilum-disk.text = config.mainDisk;
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
options.luksPassFile = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
disko.devices = import ./disk.nix {
|
disko.devices = import ./disk.nix {
|
||||||
inherit lib;
|
inherit lib;
|
||||||
disk = config.mainDisk;
|
disk = config.mainDisk;
|
||||||
|
keyFile = config.luksPassFile;
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user