add tang and clevis to palatine-hill

2026-05-03 13:29:39 -04:00
parent f5d0f97400
commit 24d451f825
4 changed files with 263 additions and 36 deletions
@@ -1,11 +1,7 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {

  boot = {
-    zfs.requestEncryptionCredentials = lib.mkForce false;
-    postBootCommands = ''
-      ${pkgs.zfs}/bin/zfs load-key -a
-    '';
    initrd = {
      services.lvm.enable = true;
      luks.devices = {
@@ -16,6 +12,28 @@
        };
      };

+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          # Unlock LUKS root device via Tang
+          "nixos-pv".secretFile = ./nixos-pv.jwe;
+          # Unlock ZFS native-encrypted dataset via Tang
+          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
+        };
+      };
+
+      # Static networking needed in initrd so Tang is reachable before any disk mounts
+      systemd.network = {
+        enable = true;
+        networks."10-initrd-eno1" = {
+          matchConfig.Name = "eno1";
+          address = [ "192.168.76.2/24" ];
+          routes = [ { Gateway = "192.168.76.1"; } ];
+          dns = [ "192.168.76.1" ];
+          linkConfig.RequiredForOnline = "routable";
+        };
+      };
    };
  };

@@ -37,10 +55,7 @@
      "dmask=0077"
    ];

-    "/nix".depends = [
-      "/"
-      "/crypto"
-    ];
+    "/nix".depends = [ "/" ];

  };
 }