add tang and clevis to palatine-hill

2026-05-03 13:29:39 -04:00
parent f5d0f97400
commit 24d451f825
4 changed files with 263 additions and 36 deletions
@@ -1,11 +1,7 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {

  boot = {
-    zfs.requestEncryptionCredentials = lib.mkForce false;
-    postBootCommands = ''
-      ${pkgs.zfs}/bin/zfs load-key -a
-    '';
    initrd = {
      services.lvm.enable = true;
      luks.devices = {
@@ -16,6 +12,28 @@
        };
      };

+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          # Unlock LUKS root device via Tang
+          "nixos-pv".secretFile = ./nixos-pv.jwe;
+          # Unlock ZFS native-encrypted dataset via Tang
+          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
+        };
+      };
+
+      # Static networking needed in initrd so Tang is reachable before any disk mounts
+      systemd.network = {
+        enable = true;
+        networks."10-initrd-eno1" = {
+          matchConfig.Name = "eno1";
+          address = [ "192.168.76.2/24" ];
+          routes = [ { Gateway = "192.168.76.1"; } ];
+          dns = [ "192.168.76.1" ];
+          linkConfig.RequiredForOnline = "routable";
+        };
+      };
    };
  };

@@ -37,10 +55,7 @@
      "dmask=0077"
    ];

-    "/nix".depends = [
-      "/"
-      "/crypto"
-    ];
+    "/nix".depends = [ "/" ];

  };
 }
@@ -7,6 +7,7 @@
 {
  boot = {
    zfs.extraPools = [ "ZFS-primary" ];
+    zfs.requestEncryptionCredentials = false;
    filesystem = "zfs";
    extraModprobeConfig = ''
      options zfs zfs_arc_min=82463372083
@@ -85,33 +86,6 @@
          fi
        '';
      };
-
-      zfs-load-nix-key = {
-        description = "Load ZFS key for ZFS-primary/nix in initrd";
-        wantedBy = [ "initrd-fs.target" ];
-        requires = [
-          "sysroot.mount"
-          "zfs-import-zfs-primary.service"
-        ];
-        after = [
-          "sysroot.mount"
-          "zfs-import-zfs-primary.service"
-        ];
-        before = [
-          "initrd-fs.target"
-          "sysroot-nix.mount"
-        ];
-        unitConfig.DefaultDependencies = "no";
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-        path = with pkgs; [ zfs ];
-        script = ''
-          key_file="/sysroot/crypto/keys/zfs-nix-store-key"
-          zfs load-key -L "file://$key_file" "ZFS-primary/nix"
-        '';
-      };
    };
  };