i001 auto unlock with usb key

2025-12-15 15:04:34 -06:00 · 2025-12-15 15:04:34 -06:00 · 58726dc1ba
commit 58726dc1ba
parent c0dd59d2d8
3 changed files with 50 additions and 24 deletions
--- a/hosts/i001/hardware-configuration.nix
+++ b/hosts/i001/hardware-configuration.nix
@ -28,6 +28,14 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

+  # SWAP
+  swapDevices = [
+    # {
+    #   device = "/.swap/swapfile";
+    #   size = 8 * 1024; # Creates an 8GB swap file
+    # }
+  ];
+
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/hosts/i001/hardware-mounts.nix
+++ b/hosts/i001/hardware-mounts.nix
@ -4,12 +4,12 @@
  ...
 }:
 let
+  USB_KEY = "/dev/disk/by-uuid/63a7bd87-d644-43ea-83ba-547c03012fb6";
+
  BOOT = "/dev/disk/by-uuid/ABDB-2A38";
  PRIMARY_UUID = "08610781-26d3-456f-9026-35dd4a40846f";
  PRIMARY = "/dev/disk/by-uuid/${PRIMARY_UUID}";

-  USB_KEY = "/dev/disk/by-uuid/9985-EBD1";
-
  inherit (utils) escapeSystemdPath;

  primaryDeviceUnit = "${escapeSystemdPath PRIMARY}.device";
@ -60,15 +60,6 @@ in
      "relatime"
    ];
  };
-  fileSystems."/.swap" = {
-    device = PRIMARY;
-    fsType = "bcachefs";
-    options = [
-      "X-mount.mkdir"
-      "X-mount.subdir=@swap"
-      "noatime"
-    ];
-  };
  # (optional) for preservation/impermanence
  fileSystems."/persist" = {
    device = PRIMARY;
@ -87,7 +78,7 @@ in
    # }
  ];

-  # PRIMARY unencrypt
+  # PRIMARY Bcache utilities
  boot.initrd.systemd.enable = true;
  boot.supportedFilesystems = [
    "bcachefs"
@ -123,17 +114,20 @@ in
      #   /bin/sh -c 'echo "password" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
      # '';
      # ExecStart = ''
-      #   /bin/sh -c 'mount -o ro ${USB_KEY} /key && \
+      #   /bin/sh -c 'mount --mkdir -o ro ${USB_KEY} /key  && \
      #     cat /key/bcachefs.key | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
      # '';

      # We inline a script that roughly mimics tryUnlock + openCommand behavior,
      # but uses a key file from the USB stick instead of systemd-ask-password.
      script = ''
-        echo "Using test password..."
-        echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"
+        echo "Using USB key for bcachefs unlock: ${USB_KEY}"
+        mount -t bcachefs --mkdir "${USB_KEY}" /usb_key
+        ${pkgs.bcachefs-tools}/bin/bcachefs unlock -f /usb_key/key "${PRIMARY}"
        echo "bcachefs unlock successful for ${PRIMARY}"
      '';
+      # Hard code password (useless in real env)
+      # echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"

    };
  };