more unlock tries
This commit is contained in:
parent
28c36e5efa
commit
e95c4211f2
1 changed files with 100 additions and 86 deletions
|
|
@ -1,9 +1,12 @@
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
BOOT = "/dev/disk/by-uuid/ABDB-2A38";
|
BOOT = "/dev/disk/by-uuid/ABDB-2A38";
|
||||||
PRIMARY = "/dev/disk/by-uuid/08610781-26d3-456f-9026-35dd4a40846f";
|
PRIMARY_UUID = "08610781-26d3-456f-9026-35dd4a40846f";
|
||||||
|
PRIMARY = "/dev/disk/by-uuid/${PRIMARY_UUID}";
|
||||||
|
|
||||||
USB_KEY = "/dev/disk/by-uuid/9985-EBD1";
|
USB_KEY = "/dev/disk/by-uuid/9985-EBD1";
|
||||||
|
|
||||||
|
escape = lib.mkDefault lib.escapeSystemdPath;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# BOOT
|
# BOOT
|
||||||
|
|
@ -79,96 +82,107 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
# PRIMARY unencrypt
|
# PRIMARY unencrypt
|
||||||
# TODO how to auto unencrypt with options...
|
boot.initrd.systemd.enable = true;
|
||||||
# - USB key
|
|
||||||
# - TPM
|
|
||||||
# boot.initrd.availableKernelModules = [ "bcachefs" ];
|
|
||||||
# boot.initrd.extraUtilsCommands = ''
|
|
||||||
# copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs
|
|
||||||
# '';
|
|
||||||
#
|
|
||||||
# # Method 1, prompt user for password on boot
|
|
||||||
# boot.initrd.preDeviceCommands = ''
|
|
||||||
# ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}
|
|
||||||
# '';
|
|
||||||
|
|
||||||
# # Run unlock before devices are scanned/mounted
|
|
||||||
# boot.initrd.preDeviceCommands = ''
|
|
||||||
# echo "Unlocking bcachefs..."
|
|
||||||
# # Example: ask for a passphrase
|
|
||||||
# /bin/echo -n "Bcachefs passphrase: "
|
|
||||||
# /bin/stty -echo
|
|
||||||
# read PASSPHRASE
|
|
||||||
# /bin/stty echo
|
|
||||||
# echo
|
|
||||||
#
|
|
||||||
# # Use the passphrase to unlock the device
|
|
||||||
# # Replace /dev/disk/by-uuid/XXXX with your actual device
|
|
||||||
# echo "$PASSPHRASE" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock /dev/disk/by-uuid/XXXX
|
|
||||||
# '';
|
|
||||||
# boot.initrd.systemd.enable = true;
|
|
||||||
boot.supportedFilesystems = [
|
boot.supportedFilesystems = [
|
||||||
"bcachefs"
|
"bcachefs"
|
||||||
"vfat"
|
"vfat"
|
||||||
];
|
];
|
||||||
boot.initrd.extraUtilsCommands = ''
|
|
||||||
copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs
|
# 1. Disable the automatically generated unlock services
|
||||||
copy_bin_and_libs ${pkgs.keyutils}/bin/keyctl
|
boot.initrd.systemd.services = {
|
||||||
'';
|
# the module creates services named unlock-bcachefs-<escaped-mountpoint>
|
||||||
# boot.initrd.systemd.services.unlock-primary = {
|
"unlock-bcachefs-${escape "/"}".enable = false;
|
||||||
# description = "Unlock bcachefs root with key";
|
"unlock-bcachefs-${escape "/.old_roots"}".enable = false;
|
||||||
# wantedBy = [ "initrd-root-device.target" ];
|
"unlock-bcachefs-${escape "/nix"}".enable = false;
|
||||||
# before = [ "initrd-root-device.target" ];
|
"unlock-bcachefs-${escape "/.snapshots"}".enable = false;
|
||||||
# unitConfig.DefaultDependencies = "no";
|
"unlock-bcachefs-${escape "/.swap"}".enable = false;
|
||||||
# serviceConfig = {
|
"unlock-bcachefs-${escape "/persist"}".enable = false;
|
||||||
# Type = "oneshot";
|
|
||||||
# # Wait for USB disk; you can refine this with udev-based Wants=/Requires=
|
# 2. Your single custom unlock unit
|
||||||
# ExecStart = pkgs.writeShellScript "bcachefs-unlock-initrd" ''
|
unlock-bcachefs-custom = {
|
||||||
# set -eu
|
description = "Custom single bcachefs unlock for all subvolumes";
|
||||||
# ${pkgs.keyutils}/bin/keyctl link @u @s
|
|
||||||
# echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}
|
wantedBy = [ "initrd.target" ];
|
||||||
# exit 0
|
before = [ "sysroot.mount" ];
|
||||||
|
|
||||||
|
# Wait for udev so the /dev/disk/by-uuid path and the USB key appear
|
||||||
|
requires = [ "systemd-udev-settle.service" ];
|
||||||
|
after = [ "systemd-udev-settle.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
# NOTE: put the real password here, or better: read it from USB_KEY
|
||||||
|
# ExecStart = ''
|
||||||
|
# /bin/sh -c 'echo "password" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
|
||||||
# '';
|
# '';
|
||||||
# };
|
# ExecStart = ''
|
||||||
# };
|
# /bin/sh -c 'mount -o ro ${USB_KEY} /key && \
|
||||||
# boot.initrd.systemd.services.unlock-primary = {
|
# cat /key/bcachefs.key | ${pkgs.bcachefs-tools}/bin/bcachefs unlock ${PRIMARY}'
|
||||||
# description = "Unlock bcachefs root with key";
|
# '';
|
||||||
# wantedBy = [ "initrd-root-device.target" ];
|
|
||||||
# before = [ "initrd-root-device.target" ];
|
# We inline a script that roughly mimics tryUnlock + openCommand behavior,
|
||||||
# unitConfig.DefaultDependencies = "no";
|
# but uses a key file from the USB stick instead of systemd-ask-password.
|
||||||
# serviceConfig = {
|
ExecStart = ''
|
||||||
# Type = "oneshot";
|
/bin/sh -eu
|
||||||
# # Wait for USB disk; you can refine this with udev-based Wants=/Requires=
|
|
||||||
# ExecStart = pkgs.writeShellScript "bcachefs-unlock-initrd" ''
|
DEVICE="${PRIMARY_UUID}"
|
||||||
# echo "Waiting for USB key with label SECRETKEY..."
|
UUID="${PRIMARY_UUID}"
|
||||||
# for i in $(seq 1 20); do
|
|
||||||
# if [ -e /dev/disk/by-label/SECRETKEY ]; then
|
echo "waiting for device to appear ''${DEVICE}"
|
||||||
# break
|
success=false
|
||||||
# fi
|
target=""
|
||||||
# sleep 0.5
|
|
||||||
# done
|
# approximate tryUnlock loop from the module
|
||||||
|
for try in $(seq 10); do
|
||||||
|
if [ -e "''${DEVICE}" ]; then
|
||||||
|
target="$(readlink -f "''${DEVICE}")"
|
||||||
|
success=true
|
||||||
|
break
|
||||||
|
else
|
||||||
|
# try to resolve by uuid via blkid
|
||||||
|
if target="$(blkid --uuid "''${UUID}" 2>/dev/null)"; then
|
||||||
|
success=true
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
echo -n "."
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
echo
|
||||||
|
|
||||||
|
if [ "''${success}" != true ]; then
|
||||||
|
echo "Cannot find device ''${DEVICE} (UUID=''${UUID})" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
DEVICE="''${target}"
|
||||||
|
|
||||||
|
# pre-check: is it encrypted / already unlocked?
|
||||||
|
if ! ${pkgs.bcachefs-tools}/bin/bcachefs unlock -c "''${DEVICE}" > /dev/null 2>&1; then
|
||||||
|
echo "Device ''${DEVICE} is not encrypted or cannot be probed with -c" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# mount USB, read key, unlock – adjust paths as you like
|
||||||
|
# mkdir -p /key
|
||||||
|
# mount -o ro "${USB_KEY}" /key
|
||||||
#
|
#
|
||||||
# if [ ! -e /dev/disk/by-label/SECRETKEY ]; then
|
# if [ ! -f /key/bcachefs.key ]; then
|
||||||
# echo "USB key not found; failing."
|
# echo "Missing /key/bcachefs.key on USB; cannot unlock" >&2
|
||||||
|
# umount /key || true
|
||||||
# exit 1
|
# exit 1
|
||||||
# fi
|
# fi
|
||||||
#
|
|
||||||
# mkdir -p /mnt-key
|
|
||||||
# mount -t vfat /dev/disk/by-label/SECRETKEY /mnt-key
|
|
||||||
#
|
|
||||||
# echo "Unlocking bcachefs..."
|
|
||||||
# ${pkgs.bcachefs-tools}/bin/bcachefs unlock \
|
|
||||||
# --keyfile /mnt-key/bcachefs.key \
|
|
||||||
# /dev/disk/by-uuid/YOUR_BCACHEFS_UUID
|
|
||||||
#
|
|
||||||
# umount /mnt-key
|
|
||||||
# '';
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
boot.initrd.postResumeCommands = lib.mkAfter ''
|
# cat /key/bcachefs.key | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "''${DEVICE}"
|
||||||
echo "test" | bcachefs unlock -k session ${PRIMARY}
|
echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "''${DEVICE}"
|
||||||
|
|
||||||
|
# umount /key || true
|
||||||
|
|
||||||
|
echo "bcachefs unlock successful for ''${DEVICE}"
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# TODO this works for resetting root!
|
# TODO this works for resetting root!
|
||||||
# boot.initrd.postResumeCommands = lib.mkAfter ''
|
# boot.initrd.postResumeCommands = lib.mkAfter ''
|
||||||
|
|
|
||||||
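Review bot: `escape = lib.mkDefault lib.escapeSystemdPath;` in the first hunk does not bind a function — `lib.mkDefault` wraps its argument in a module-system override attrset — so every `"unlock-bcachefs-${escape "/..."}"` attribute name in the second hunk will fail at evaluation; bind it plainly, `escape = lib.escapeSystemdPath;`, and confirm the helper's home, since as far as I can tell `escapeSystemdPath` is provided by the NixOS `utils` module argument rather than `lib`. The new unit still pipes a literal passphrase, `echo "test" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock "''${DEVICE}"`, into ExecStart, so the secret lands verbatim in the world-readable Nix store, in the initrd image and in `systemctl show` output; the commented-out `/key/bcachefs.key` branch directly above it is the path to finish before this runs against a real key, and the literal should not be committed even as a placeholder. `ExecStart` is also handed a multi-line script after `/bin/sh -eu`, which systemd reads as one command line followed by invalid unit-file keys; the removed draft's `pkgs.writeShellScript "bcachefs-unlock-initrd"` form (or the unit's `script` attribute) is the shape this needs — inferred, so verify by inspecting the generated unit. The `escape` binding and the `unlock-bcachefs-custom` unit are split across the two hunks, so the fix touches both.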