Added usb key to unlock drive

2025-08-15 15:07:35 +02:00 · 2025-08-15 15:07:35 +02:00 · 0b5ca6c6be
commit 0b5ca6c6be
parent 0ee21f2e5d
3 changed files with 21 additions and 3 deletions
--- a/machines/polysaa/default.nix
+++ b/machines/polysaa/default.nix
@ -21,9 +21,17 @@
    "usb_storage"
    "sd_mod"
  ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.initrd.luks.devices.cryptroot.device =
-    "/dev/disk/by-uuid/c75f2769-d32f-4eed-9237-ece7e783fec3";
+  boot.initrd.kernelModules = [ "dm-snapshot" "uas" "usbcore" "usb_storage" "ext4" "nls_cp437" "nls_iso8859_1"];
+  boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+    mkdir -m 0755 -p /key/
+    sleep 2
+    mount -n -t ext4 -o ro `findfs UUID=545bfd15-0973-4395-9d05-6c4c78a9e45c` /run/secrets/
+  '';
+  boot.initrd.luks.devices.cryptroot = {
+    device = "/dev/disk/by-uuid/c75f2769-d32f-4eed-9237-ece7e783fec3";
+    keyFile = "/run/secrets/polysaa-drive.key";
+    preLVM = false;
+  };
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.loader.systemd-boot.enable = true;
--- a/profiles/basic/default.nix
+++ b/profiles/basic/default.nix
@ -9,6 +9,7 @@
 }:
 {
  imports = [
+    ./secrets.nix
    ./locale.nix
    ./ssh.nix
  ];
--- a/profiles/basic/secrets.nix
+++ b/profiles/basic/secrets.nix
@ -0,0 +1,9 @@
+{config, lib, pkgs, ...}: {
+
+  fileSystems."/run/secrets" = {
+    device = "/dev/disk/by-uuid/545bfd15-0973-4395-9d05-6c4c78a9e45c";
+    fsType = "ext4";
+    options = ["nofail" "noauto" "ro" "x-systemd.automount"];
+  };
+
+}