Diffstat (limited to 'sys/boot/stack')
-rw-r--r--sys/boot/stack/btrfs-toplevel-multidrive.nix21
-rw-r--r--sys/boot/stack/luks-ext4-fscrypt-impermanence.nix78
2 files changed, 53 insertions, 46 deletions
diff --git a/sys/boot/stack/btrfs-toplevel-multidrive.nix b/sys/boot/stack/btrfs-toplevel-multidrive.nix
index 1dbfa14..52db865 100644
--- a/sys/boot/stack/btrfs-toplevel-multidrive.nix
+++ b/sys/boot/stack/btrfs-toplevel-multidrive.nix
@@ -1,8 +1,11 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ ...
+}:
with lib; let
cfg = config.local.boot.stack.btrfsToplevelMultidrive;
-in
-{
+in {
options.local.boot.stack.btrfsToplevelMultidrive = {
enable = mkEnableOption "filesystem stack: persistent btrfs toplevel with optional hdd drive";
@@ -80,15 +83,17 @@ in
};
};
- snapper = optionalAttrs cfg.toplevel.snapshot
+ snapper =
+ optionalAttrs cfg.toplevel.snapshot
{
root = "/";
- } // optionalAttrs cfg.secondary.snapshot {
- home = "/home";
- };
+ }
+ // optionalAttrs cfg.secondary.snapshot {
+ home = "/home";
+ };
};
# Asegura que /hdd sea descifrado antes de intentar montar /home
- fileSystems."/home".depends = [ "/hdd" ];
+ fileSystems."/home".depends = ["/hdd"];
};
}
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 72336d6..81feb60 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -1,8 +1,12 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.local.boot.stack.luksExt4FscryptImpermanence;
-in
-{
+in {
options.local.boot.stack.luksExt4FscryptImpermanence = {
enable = mkEnableOption "filesystem stack: whatever LUKS approach+ext4+impermanence with per-boot keys";
@@ -30,60 +34,58 @@ in
# - /toplevel/boots/...
# - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /)
config = mkIf cfg.enable {
- boot.initrd.luks.devices.${cfg.target}.postOpenCommands =
- let
- fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl";
- in
- ''
- # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí
- mkdir -p /mnt-root /mnt-toplevel
- mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel
- mount --make-private /mnt-toplevel
+ boot.initrd.luks.devices.${cfg.target}.postOpenCommands = let
+ fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl";
+ in ''
+ # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí
+ mkdir -p /mnt-root /mnt-toplevel
+ mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel
+ mount --make-private /mnt-toplevel
- boot_stamp="$(date -Is)"
- root_from_toplevel="/mnt-toplevel/boots/$boot_stamp"
+ boot_stamp="$(date -Is)"
+ root_from_toplevel="/mnt-toplevel/boots/$boot_stamp"
- mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys
- chmod 700 /mnt-toplevel/boot-keys
+ mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys
+ chmod 700 /mnt-toplevel/boot-keys
- head -c64 /dev/urandom >/boot-key
- key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
- ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
- (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
- ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \
- -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \
- -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt")
- rm -f /boot-key
+ head -c64 /dev/urandom >/boot-key
+ key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
+ ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
+ (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
+ ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \
+ -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \
+ -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt")
+ rm -f /boot-key
- ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
- ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
+ ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
+ ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
- mount --bind "$root_from_toplevel" /mnt-root
- mount --make-shared /mnt-root
+ mount --bind "$root_from_toplevel" /mnt-root
+ mount --make-shared /mnt-root
- # mount --move es mala idea, ya que "moving a mount residing under a
- # shared mount is unsupported"
- mkdir -p /mnt-root/toplevel
- mount --bind /mnt-toplevel /mnt-root/toplevel
- mount --make-private /mnt-root/toplevel
- umount /mnt-toplevel
- '';
+ # mount --move es mala idea, ya que "moving a mount residing under a
+ # shared mount is unsupported"
+ mkdir -p /mnt-root/toplevel
+ mount --bind /mnt-toplevel /mnt-root/toplevel
+ mount --make-private /mnt-root/toplevel
+ umount /mnt-toplevel
+ '';
fileSystems = {
"/" = {
device = "none";
fsType = "ext4";
- options = [ "remount" ];
+ options = ["remount"];
};
"/nix" = {
device = "/persist/nix";
- options = [ "bind" ];
+ options = ["bind"];
};
"/persist" = {
device = "/toplevel/persist";
- options = [ "bind" ];
+ options = ["bind"];
neededForBoot = true;
};
};
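Review bot: The per-boot fscrypt key is archived with `openssl pkeyutl -encrypt` using the default padding, which for an RSA `boot-archive.pub` is PKCS#1 v1.5; since the archived blobs are the only way to reopen an old `/toplevel/boots/<stamp>` tree, they deserve OAEP, e.g. `-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256` added to that command (assuming the key is RSA; if it is not, say so in a comment next to the `test -f` line). A second concern is that the archive step is a best-effort subshell (`test -f … && openssl …`) followed by an unconditional `rm -f /boot-key`, so a missing or unreadable public key, or a failed encrypt, silently produces a root that can never be reopened after reboot; at minimum log it, e.g. `|| echo "boot-key: archive skipped or failed for $boot_stamp" >&2` appended to the subshell, and document in a comment that this is intentional rather than fatal. The `/boot-key` file is created with the inherited umask before the `umask 077` subshell; it lives on the initrd rootfs so exposure is limited, but moving the `head -c64 /dev/urandom` line inside a `(umask 077; …)` scope costs nothing and removes the question. This hunk is a formatting change only, so none of these points are introduced by it.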