From 58726dc1bafb4385751be7bee36763f91a2205af Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Mon, 15 Dec 2025 15:04:34 -0600 Subject: [PATCH] i001 auto unlock with usb key --- hosts/i001/hardware-configuration.nix | 8 ++++ hosts/i001/hardware-mounts.nix | 24 ++++------- .../nixos-installers/install_bcachefs.md | 42 +++++++++++++++---- 3 files changed, 50 insertions(+), 24 deletions(-) diff --git a/hosts/i001/hardware-configuration.nix b/hosts/i001/hardware-configuration.nix index b1bcc122..8f651ba4 100644 --- a/hosts/i001/hardware-configuration.nix +++ b/hosts/i001/hardware-configuration.nix @@ -28,6 +28,14 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; + # SWAP + swapDevices = [ + # { + # device = "/.swap/swapfile"; + # size = 8 * 1024; # Creates an 8GB swap file + # } + ]; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/hosts/i001/hardware-mounts.nix b/hosts/i001/hardware-mounts.nix index 64d8da01..1ac376de 100644 --- a/hosts/i001/hardware-mounts.nix +++ b/hosts/i001/hardware-mounts.nix @@ -4,12 +4,12 @@ ... }: let + USB_KEY = "/dev/disk/by-uuid/63a7bd87-d644-43ea-83ba-547c03012fb6"; + BOOT = "/dev/disk/by-uuid/ABDB-2A38"; PRIMARY_UUID = "08610781-26d3-456f-9026-35dd4a40846f"; PRIMARY = "/dev/disk/by-uuid/${PRIMARY_UUID}"; - USB_KEY = "/dev/disk/by-uuid/9985-EBD1"; - inherit (utils) escapeSystemdPath; primaryDeviceUnit = "${escapeSystemdPath PRIMARY}.device"; @@ -60,15 +60,6 @@ in "relatime" ]; }; - fileSystems."/.swap" = { - device = PRIMARY; - fsType = "bcachefs"; - options = [ - "X-mount.mkdir" - "X-mount.subdir=@swap" - "noatime" - ]; - }; # (optional) for preservation/impermanence fileSystems."/persist" = { device = PRIMARY; 
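Review bot: `swapDevices` is added empty with a commented-out `/.swap/swapfile` entry, but the same commit removes the `/.swap` bcachefs mount and `@swap` subvolume from hardware-mounts.nix and has the installer notes create a dedicated SWAP partition, so the commented entry points at a path that no longer exists. Either drop it or declare the new partition, and because that partition sits outside the encrypted bcachefs volume, turn on per-boot random encryption so paged-out memory (including material from the unlocked filesystem) is never written in the clear: `swapDevices = [ { device = "/dev/disk/by-uuid/<swap-uuid>"; randomEncryption.enable = true; } ];`. Until one of those is done this host has no swap at all despite the installer notes, which is worth saying in the comment if it is intentional.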
@@ -87,7 +78,7 @@ in # } ]; - # PRIMARY unencrypt + # PRIMARY Bcache utilities boot.initrd.systemd.enable = true; boot.supportedFilesystems = [ "bcachefs" @@ -123,17 +114,20 @@ in # /bin/sh -c 'echo "password" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}' # ''; # ExecStart = '' - # /bin/sh -c 'mount -o ro ${USB_KEY} /key && \ + # /bin/sh -c 'mount --mkdir -o ro ${USB_KEY} /key && \ # cat /key/bcachefs.key | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}' # ''; # We inline a script that roughly mimics tryUnlock + openCommand behavior, # but uses a key file from the USB stick instead of systemd-ask-password. script = '' - echo "Using test password..." - echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}" + echo "Using USB key for bcachefs unlock: ${USB_KEY}" + mount -t bcachefs --mkdir "${USB_KEY}" /usb_key + ${pkgs.bcachefs-tools}/bin/bcachefs unlock -f /usb_key/key "${PRIMARY}" echo "bcachefs unlock successful for ${PRIMARY}" ''; + # Hard code password (useless in real env) + # echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}" }; }; diff --git a/utilities/nixos-installers/install_bcachefs.md b/utilities/nixos-installers/install_bcachefs.md index 1ad81c7a..9649f2d8 100644 --- a/utilities/nixos-installers/install_bcachefs.md +++ b/utilities/nixos-installers/install_bcachefs.md @@ -14,7 +14,10 @@ DEVICE=sda parted /dev/$DEVICE -- mklabel gpt parted /dev/$DEVICE -- mkpart ESP fat32 1MB 2GB parted /dev/$DEVICE -- set 1 esp on -# TODO make swap partition instead here? Bcachefs not working with swapfile + +parted /dev/$DEVICE -- mkpart PRIMARY 2GB -8GB +parted /dev/$DEVICE -- mkpart SWAP linux-swap -8GB 100% + parted /dev/$DEVICE -- mkpart PRIMARY 2GB 100% ``` 
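Review bot: The USB key is mounted read-write and left mounted after the unlock in the new `script`, so the passphrase file stays readable at `/usb_key/key` for the rest of the initrd and the stick can be written to during early boot; the superseded ExecStart just above used `-o ro`. Change the mount line to `mount -t bcachefs -o ro --mkdir "${USB_KEY}" /usb_key` and add `umount /usb_key` directly after the `bcachefs unlock -f` line, since the key is no longer needed once unlock has loaded it. There is also no fallback when the stick is absent: the comment says the script mimics tryUnlock, but nothing asks for a passphrase if `mount` fails, so a lost or dead key appears to make the host unbootable — consider falling back to systemd-ask-password or documenting the recovery path in the comment. Separately, the installer notes in this same commit seed the key file with the literal `test`; the file should be filled from `/dev/urandom` and the same passphrase supplied at `bcachefs format`. The enclosing service definition starts outside the hunk.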
@@ -31,16 +34,23 @@ mkfs.fat -F 32 -n BOOT /dev/$BOOT ```sh PRIMARY=sda2 -keyctl link @u @s +# keyctl link @u @s bcachefs format --label=nixos --encrypted /dev/$PRIMARY bcachefs unlock /dev/$PRIMARY ``` +- swap (optional) + +```sh +SWAP=sda3 +mkswap /dev/$SWAP +swapon /dev/$SWAP +``` + ### Setup subvolumes ```sh # keyctl link @u @s -# TODO check this is it 7 or 8 for print? U=$(lsblk -o fsType,uuid | grep bcachefs | awk '{print $2}') echo $U mount /dev/disk/by-uuid/$U /mnt @@ -50,8 +60,6 @@ bcachefs subvolume create /mnt/@nix bcachefs set-file-option /mnt/@nix --compression=zstd bcachefs subvolume create /mnt/@snapshots bcachefs set-file-option /mnt/@snapshots --compression=zstd -bcachefs subvolume create /mnt/@swap -bcachefs set-file-option /mnt/@swap --nocow bcachefs subvolume create /mnt/@persist umount /mnt @@ -64,13 +72,12 @@ umount /mnt ### Mount subvolumes ```sh -DEV_B="/dev/disk/by-uuid/"$(lsblk -o NAME,UUID | grep $BOOT | awk '{print $2}') -DEV_P="/dev/disk/by-uuid/"$(lsblk -o NAME,UUID | grep $PRIMARY | awk '{print $2}') +DEV_B="/dev/disk/by-uuid/"$(lsblk -o name,uuid | grep $BOOT | awk '{print $2}') +DEV_P="/dev/disk/by-uuid/"$(lsblk -o name,uuid | grep $PRIMARY | awk '{print $2}') mount -t bcachefs -o X-mount.subdir=@root $DEV_P /mnt mount -t vfat $DEV_B /mnt/boot --mkdir mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@nix,relatime $DEV_P /mnt/nix mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@snapshots,relatime $DEV_P /mnt/.snapshots -mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@swap,noatime $DEV_P /mnt/.swap mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@persist $DEV_P /mnt/persist ``` @@ -80,7 +87,7 @@ mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@persist $DEV_P /mnt/persist nixos-generate-config --root /mnt ``` -- Copy useful bits out into real config in repo +- Copy useful bits out into real config in repo (primarily swap/kernel modules) - Run nixos-install ```sh 
@@ -94,3 +101,20 @@ or from host machine? TODO haven't tried this fully NIX_SSHOPTS="-i /run/agenix/nix2nix" sudo nixos-rebuild switch --flake "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=hosts/i001#i001" --target-host luser@10.12.14.157 --build-host localhost ``` + +## USB Key + +```sh +DEVICE=sdc +parted /dev/$DEVICE -- mklabel gpt +parted /dev/$DEVICE -- mkpart KEY fat32 1MB 100% +DEVICE=$DEVICE"1" +bcachefs format /dev/$DEVICE +UUID=$(lsblk -o name,uuid | grep $DEVICE | awk '{print $2}') +echo For setting up in config: $UUID +# TODO mount and write key to /key +mount -t bcachefs --mkdir /dev/$DEVICE /usb_key +echo "test" > /usb_key/key +umount /usb_key && rmdir /usb_key +``` +