i001 auto unlock with usb key

hosts/i001/hardware-configuration.nix

@@ -28,6 +28,14 @@
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
+  # SWAP
+  swapDevices = [
+    # {
+    #   device = "/.swap/swapfile";
+    #   size = 8 * 1024; # Creates an 8GB swap file
+    # }
+  ];
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hosts/i001/hardware-mounts.nix

@@ -4,12 +4,12 @@
   ...
 }:
 let
+  USB_KEY = "/dev/disk/by-uuid/63a7bd87-d644-43ea-83ba-547c03012fb6";
+
   BOOT = "/dev/disk/by-uuid/ABDB-2A38";
   PRIMARY_UUID = "08610781-26d3-456f-9026-35dd4a40846f";
   PRIMARY = "/dev/disk/by-uuid/${PRIMARY_UUID}";
 
-  USB_KEY = "/dev/disk/by-uuid/9985-EBD1";
-
   inherit (utils) escapeSystemdPath;
 
   primaryDeviceUnit = "${escapeSystemdPath PRIMARY}.device";
@@ -60,15 +60,6 @@ in
       "relatime"
     ];
   };
-  fileSystems."/.swap" = {
-    device = PRIMARY;
-    fsType = "bcachefs";
-    options = [
-      "X-mount.mkdir"
-      "X-mount.subdir=@swap"
-      "noatime"
-    ];
-  };
   # (optional) for preservation/impermanence
   fileSystems."/persist" = {
     device = PRIMARY;
@@ -87,7 +78,7 @@ in
     # }
   ];
 
-  # PRIMARY unencrypt
+  # PRIMARY Bcache utilities
   boot.initrd.systemd.enable = true;
   boot.supportedFilesystems = [
     "bcachefs"
@@ -123,17 +114,20 @@ in
       #   /bin/sh -c 'echo "password" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
       # '';
       # ExecStart = ''
-      #   /bin/sh -c 'mount -o ro ${USB_KEY} /key && \
+      #   /bin/sh -c 'mount --mkdir -o ro ${USB_KEY} /key  && \
       #     cat /key/bcachefs.key | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
       # '';
 
       # We inline a script that roughly mimics tryUnlock + openCommand behavior,
       # but uses a key file from the USB stick instead of systemd-ask-password.
       script = ''
-        echo "Using test password..."
+        echo "Using USB key for bcachefs unlock: ${USB_KEY}"
-        echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"
+        mount -t bcachefs --mkdir "${USB_KEY}" /usb_key
+        ${pkgs.bcachefs-tools}/bin/bcachefs unlock -f /usb_key/key "${PRIMARY}"
         echo "bcachefs unlock successful for ${PRIMARY}"
       '';
+      # Hard code password (useless in real env)
+      # echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"
 
     };
   };

utilities/nixos-installers/install_bcachefs.md

@@ -14,7 +14,10 @@ DEVICE=sda
 parted /dev/$DEVICE -- mklabel gpt
 parted /dev/$DEVICE -- mkpart ESP fat32 1MB 2GB
 parted /dev/$DEVICE -- set 1 esp on
-# TODO make swap partition instead here? Bcachefs not working with swapfile
+
+parted /dev/$DEVICE -- mkpart PRIMARY 2GB -8GB
+parted /dev/$DEVICE -- mkpart SWAP linux-swap -8GB 100%
+
 parted /dev/$DEVICE -- mkpart PRIMARY 2GB 100%
 ```
 
@@ -31,16 +34,23 @@ mkfs.fat -F 32 -n BOOT /dev/$BOOT
 
 ```sh
 PRIMARY=sda2
-keyctl link @u @s
+# keyctl link @u @s
 bcachefs format --label=nixos --encrypted /dev/$PRIMARY
 bcachefs unlock /dev/$PRIMARY
 ```
 
+- swap (optional)
+
+```sh
+SWAP=sda3
+mkswap /dev/$SWAP
+swapon /dev/$SWAP
+```
+
 ### Setup subvolumes
 
 ```sh
 # keyctl link @u @s
-# TODO check this is it 7 or 8 for print?
 U=$(lsblk -o fsType,uuid | grep bcachefs | awk '{print $2}')
 echo $U
 mount /dev/disk/by-uuid/$U /mnt
@@ -50,8 +60,6 @@ bcachefs subvolume create /mnt/@nix
 bcachefs set-file-option /mnt/@nix --compression=zstd
 bcachefs subvolume create /mnt/@snapshots
 bcachefs set-file-option /mnt/@snapshots --compression=zstd
-bcachefs subvolume create /mnt/@swap
-bcachefs set-file-option /mnt/@swap --nocow
 bcachefs subvolume create /mnt/@persist
 
 umount /mnt
@@ -64,13 +72,12 @@ umount /mnt
 ### Mount subvolumes
 
 ```sh
-DEV_B="/dev/disk/by-uuid/"$(lsblk -o NAME,UUID | grep $BOOT | awk '{print $2}')
+DEV_B="/dev/disk/by-uuid/"$(lsblk -o name,uuid | grep $BOOT | awk '{print $2}')
-DEV_P="/dev/disk/by-uuid/"$(lsblk -o NAME,UUID | grep $PRIMARY | awk '{print $2}')
+DEV_P="/dev/disk/by-uuid/"$(lsblk -o name,uuid | grep $PRIMARY | awk '{print $2}')
 mount -t bcachefs -o X-mount.subdir=@root $DEV_P /mnt
 mount -t vfat $DEV_B /mnt/boot --mkdir
 mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@nix,relatime $DEV_P /mnt/nix
 mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@snapshots,relatime $DEV_P /mnt/.snapshots
-mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@swap,noatime $DEV_P /mnt/.swap
 mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@persist $DEV_P /mnt/persist
 ```
 
@@ -80,7 +87,7 @@ mount -t bcachefs -o X-mount.mkdir,X-mount.subdir=@persist $DEV_P /mnt/persist
 nixos-generate-config --root /mnt
 ```
 
-- Copy useful bits out into real config in repo
+- Copy useful bits out into real config in repo (primarily swap/kernel modules)
 - Run nixos-install
 
 ```sh
@@ -94,3 +101,20 @@ or from host machine? TODO haven't tried this fully
 NIX_SSHOPTS="-i /run/agenix/nix2nix" sudo nixos-rebuild switch --flake "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=hosts/i001#i001" --target-host luser@10.12.14.157 --build-host localhost
 
 ```
+
+## USB Key
+
+```sh
+DEVICE=sdc
+parted /dev/$DEVICE -- mklabel gpt
+parted /dev/$DEVICE -- mkpart KEY fat32 1MB 100%
+DEVICE=$DEVICE"1"
+bcachefs format /dev/$DEVICE
+UUID=$(lsblk -o name,uuid | grep $DEVICE | awk '{print $2}')
+echo For setting up in config: $UUID
+# TODO mount and write key to /key
+mount -t bcachefs --mkdir /dev/$DEVICE /usb_key
+echo "test" > /usb_key/key
+umount /usb_key && rmdir /usb_key
+```
+