diff --git a/flake.lock b/flake.lock
index 5d952cb..a1d6717 100644
--- a/flake.lock
+++ b/flake.lock
@@ -228,11 +228,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716725770,
- "narHash": "sha256-8dyp5ZjwGUVRpyUMbmc51a/YR6mP2kqXt4gWGwaiNqA=",
+ "lastModified": 1716726210,
+ "narHash": "sha256-usCA/GuvvERo5tcSIYFet5sF0GhKdewcbHfJNNsnNrw=",
 "ref": "refs/heads/master",
- "rev": "e79bdf9bdf923f57e1598637c39b2411f43e4388",
- "revCount": 38,
+ "rev": "2cead67c686ddfb8c5c450ab5b56c545b661005c",
+ "revCount": 39,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index acb8b38..408b9f8 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@@ -3,6 +3,7 @@ let
 pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
+ sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
 in
 {
 imports =
@@ -10,7 +11,7 @@ in
 # Disk configuration
 inputs.sops-nix.nixosModules.sops
 inputs.disko.nixosModules.disko
- (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; })
+ (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda"; keyFile = "${sopsHashedPasswordFile}"; })
 ../common/optional/btrfs-impermanence.nix
 inputs.impermanence.nixosModules.impermanence
diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix
index 4686f0d..b1f6851 100644
--- a/hosts/common/disks/luks-btrfs-subvolumes.nix
+++ b/hosts/common/disks/luks-btrfs-subvolumes.nix
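Review bot: The `keyFile = "${sopsHashedPasswordFile}"` argument in the second hosts/bootstrap hunk can evaluate to the empty string, because `lib.optionalString` on the new `sopsHashedPasswordFile` line yields `""` whenever `sops-nix` is absent from `inputs`; an empty string is still a supplied value, so the `keyFile ? throw "LUKS password file not specified"` default in hosts/common/disks/luks-btrfs-subvolumes.nix never fires and the LUKS container is configured with `keyFile = ""`. Since this same import list pulls in `inputs.sops-nix.nixosModules.sops` two lines above, the `hasAttr` guard is dead in this file and only hides a misconfiguration; drop it and pass the path directly: `sopsHashedPasswordFile = config.sops.secrets."passwords/root".path;` and `keyFile = sopsHashedPasswordFile;` (interpolating a string into a string adds nothing). The binding name suggests the secret is a password hash rather than key material, and whether that sops path is readable at the point disko formats the disk cannot be told from this diff; both are worth confirming before relying on this as the only unlock path. Both hunks sit inside the file's top-level `let … in { imports = [ … ] }` expression, whose closing lines are outside the diff.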
@@ -1,6 +1,5 @@
-{lib, inputs, config, device ? throw "Must define a device, e.g. /dev/sda", ...}:
+{device ? throw "Must define a device, e.g. /dev/sda", keyFile ? throw "LUKS password file not specified"}:
 let
- sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
 in
 {
 disko.devices = {
@@ -32,7 +31,7 @@ in
 #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
 allowDiscards = true;
- keyFile = "${sopsHashedPasswordFile}";
+ inherit keyFile;
 };
 content = {
 type = "btrfs";
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index 9781027..fa203dd 100644
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -1,10 +1,10 @@
 { inputs, config, lib, pkgs, outputs,... }:
 let
 dev = "/dev/vda";
-in
+in
 {
 imports =
- [
+ [
 # Disk configuration
 inputs.disko.nixosModules.disko
 (import ../common/disks/std-disk-config.nix { device = dev; })
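Review bot: The new header in the first hunk drops the trailing `...`, so this file no longer tolerates extra attributes: any caller that still passes `lib`, `inputs` or `config` (all accepted by the old header) now fails evaluation with an unexpected-argument error, and only hosts/bootstrap is updated in this diff, so confirm no other host imports this file with the old call shape. The contract of `keyFile` is now only expressed by the throw message; a header comment would make it explicit for the next caller: `# keyFile: path placed in the LUKS container's settings.keyFile; the caller is responsible for supplying a non-empty path it controls`. The `inherit keyFile;` line in the second hunk sits inside the `disko.devices` attribute set, which continues past the end of the diff.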