From b9959b267c443a93bb3d81ee2fd08eea6a417492 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 25 Mar 2024 20:17:52 +0000
Subject: [PATCH] rexxar: encrypt zu2

---
 ops/nixos/rexxar/default.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix
index 3c5822f047..85ab32e79b 100644
--- a/ops/nixos/rexxar/default.nix
+++ b/ops/nixos/rexxar/default.nix
@@ -22,12 +22,27 @@
 "sd_mod"
 "sr_mod"
 ];
+ systemd.enable = true;
+ systemd.services."zfs-import-zu2" = {
+ after = [ "zfs-import-zboot.service" ];
+ requires = [ "zfs-import-zboot.service" ];
+
+ script = lib.mkBefore ''
+ test -d /sysroot/persist || mount -t zfs zboot/local/root /sysroot
+ test -f /sysroot/persist/zu2-key || mount -t zfs zboot/safe/persist /sysroot/persist
+ ln -s /sysroot/persist /persist
+ '';
+ };
 };
+ security.tpm2.enable = true;
 boot.kernelModules = [ "kvm-amd" ];
 hardware.cpu.amd.updateMicrocode = true;
 boot.kernelParams = [ "nomodeset" ];
+ environment.systemPackages = with pkgs; [
+ clevis
+ ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
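Review bot: `ln -s /sysroot/persist /persist` at the end of the prepended zfs-import-zu2 script is not idempotent — on any second run of the unit (a restart, or the import path being re-entered) the symlink already exists, `ln` fails, and because NixOS runs `script` under `set -e` the whole import aborts before the key can be loaded; `test -L /persist || ln -s /sysroot/persist /persist` (or `ln -sfn`) avoids that. The script only makes `/sysroot/persist/zu2-key` reachable, so what "encrypt zu2" actually protects against depends on what that file holds and whether zboot/safe/persist is itself encrypted: a raw key on a plaintext boot pool lets anyone with the disk unlock zu2, whereas a TPM2/clevis-sealed blob (which `security.tpm2.enable` and the clevis package hint at, though nothing in the hunk loads or unseals it) ties the unlock to this machine. A one-line comment above the service stating which design applies would make the threat model reviewable, e.g. `# zu2-key is a TPM2/clevis-sealed blob, not the plain key; zboot is unencrypted` (adjusted to whatever is true). Note also that clevis is added to environment.systemPackages, i.e. the stage-2 system, so if unsealing is expected inside this initrd service the tool has to be made available to the initrd separately; the attribute set enclosing the new service starts before the hunk, so its exact path is inferred here.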