diff options
Diffstat (limited to '')
| -rw-r--r-- | sys/boot/stack/luks-ext4-fscrypt-impermanence.nix | 78 |
1 files changed, 40 insertions, 38 deletions
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix index 72336d6..81feb60 100644 --- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix +++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix @@ -1,8 +1,12 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.local.boot.stack.luksExt4FscryptImpermanence; -in -{ +in { options.local.boot.stack.luksExt4FscryptImpermanence = { enable = mkEnableOption "filesystem stack: whatever LUKS approach+ext4+impermanence with per-boot keys"; @@ -30,60 +34,58 @@ in # - /toplevel/boots/... # - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /) config = mkIf cfg.enable { - boot.initrd.luks.devices.${cfg.target}.postOpenCommands = - let - fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl"; - in - '' - # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí - mkdir -p /mnt-root /mnt-toplevel - mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel - mount --make-private /mnt-toplevel + boot.initrd.luks.devices.${cfg.target}.postOpenCommands = let + fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl"; + in '' + # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí + mkdir -p /mnt-root /mnt-toplevel + mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel + mount --make-private /mnt-toplevel - boot_stamp="$(date -Is)" - root_from_toplevel="/mnt-toplevel/boots/$boot_stamp" + boot_stamp="$(date -Is)" + root_from_toplevel="/mnt-toplevel/boots/$boot_stamp" - mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys - chmod 700 /mnt-toplevel/boot-keys + mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys + chmod 700 /mnt-toplevel/boot-keys - head -c64 /dev/urandom >/boot-key - key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key) - ${fscryptctl} set_policy "$key_id" "$root_from_toplevel" - (umask 077; test -f /mnt-toplevel/boot-archive.pub && \ - ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \ - -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \ - -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt") - rm -f /boot-key + head -c64 /dev/urandom >/boot-key + key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key) + ${fscryptctl} set_policy "$key_id" "$root_from_toplevel" + (umask 077; test -f /mnt-toplevel/boot-archive.pub && \ + ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \ + -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \ + -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt") + rm -f /boot-key - ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last - ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt + ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last + ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt - mount --bind "$root_from_toplevel" /mnt-root - mount --make-shared /mnt-root + mount --bind "$root_from_toplevel" /mnt-root + mount --make-shared /mnt-root - # mount --move es mala idea, ya que "moving a mount residing under a - # shared mount is unsupported" - mkdir -p /mnt-root/toplevel - mount --bind /mnt-toplevel /mnt-root/toplevel - mount --make-private /mnt-root/toplevel - umount /mnt-toplevel - ''; + # mount --move es mala idea, ya que "moving a mount residing under a + # shared mount is unsupported" + mkdir -p /mnt-root/toplevel + mount --bind /mnt-toplevel /mnt-root/toplevel + mount --make-private /mnt-root/toplevel + umount /mnt-toplevel + ''; fileSystems = { "/" = { device = "none"; fsType = "ext4"; - options = [ "remount" ]; + options = ["remount"]; }; "/nix" = { device = "/persist/nix"; - options = [ "bind" ]; + options = ["bind"]; }; "/persist" = { device = "/toplevel/persist"; - options = [ "bind" ]; + options = ["bind"]; neededForBoot = true; }; }; |