nix-community / disko

Declarative disk partitioning and formatting using nix [maintainers=@Lassulus @Enzime @iFreilicht]
MIT License

How to use `sops-nix` when first partitioning disk with `disko`? #641

Closed poperigby closed 5 months ago

poperigby commented 5 months ago

How do I go about using sops-nix to supply a LUKS password when I'm first partitioning my disks?

This is the Nix file I define my disks in:

{ config, ... }:

{
    # Setup the primary disk
    disko.devices.disk.primary = {
        device = "/dev/nvme0n1";
        type = "disk";
        content = {
            type = "gpt";
            partitions = {
                esp = {
                    # This type code corresponds to an EFI system partition
                    type = "EF00";
                    size = "500M";
                    content = {
                        type = "filesystem";
                        format = "vfat";
                        mountpoint = "/boot";
                    };
                };
                root = {
                    # Take up the rest of the space on the disk
                    size = "100%";
                    content = {
                        name = "root";
                        type = "luks";
                        passwordFile = config.sops.secrets."snowy/luks_password".path;
                        settings.allowDiscards = true;
                        content = {
                            type = "btrfs";
                            subvolumes = {
                                "@" = {
                                    mountpoint = "/";
                                    mountOptions = [ "noatime" ];
                                };
                                "@home" = {
                                    mountpoint = "/home";
                                    mountOptions = [ "compress=zstd" "noatime" ];
                                };
                                "@nix" = {
                                    mountpoint = "/nix";
                                    mountOptions = [ "compress=zstd" "noatime" ];
                                };
                            };
                        };
                    };
                };
            };
        };
    };

    sops.secrets = {
        "snowy/luks_password" = {};
    };
}

Then I partition with this command:

sudo disko --mode disko --flake ~/config#snowy

I then get this output:

trace: true
these 2 derivations will be built:
  /nix/store/dg8x1iflyrpkbn2fpl0w2qb1ghbdlnx6-disko.drv
  /nix/store/7qaqxkbwkxj78k3nkfgqy9ddnr30j9dy-disko.drv
building '/nix/store/dg8x1iflyrpkbn2fpl0w2qb1ghbdlnx6-disko.drv'...
building '/nix/store/7qaqxkbwkxj78k3nkfgqy9ddnr30j9dy-disko.drv'...
umount: /mnt: not mounted
++ realpath /dev/vda
+ disk=/dev/vda
+ lsblk -a -f
NAME  FSTYPE   FSVER            LABEL                      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0 squashfs 4.0                                                                                    0   100% /nix/.ro-store
loop1
loop2
loop3
loop4
loop5
loop6
loop7
sr0   iso9660  Joliet Extension nixos-minimal-24.05-x86_64 1980-01-01-00-00-00-00                     0   100% /iso
vda
+ lsblk --output-all --json
+ bash -x
++ dirname /nix/store/pin3a1kj24rp3axk9f1f0n00yxgr7div-disk-deactivate/disk-deactivate
+ jq -r --arg disk_to_clear /dev/vda -f /nix/store/pin3a1kj24rp3axk9f1f0n00yxgr7div-disk-deactivate/disk-deactivate.jq
+ set -fu
++ zdb -l /dev/vda
++ sed -nr 's/ +name: '\''(.*)'\''/\1/p'
+ zpool=
+ [[ -n '' ]]
+ unset zpool
++ lsblk /dev/vda -l -p -o type,name
++ awk 'match($1,"raid.*") {print $2}'
+ md_dev=
+ [[ -n '' ]]
+ wipefs --all -f /dev/vda
+ dd if=/dev/zero of=/dev/vda bs=440 count=1
1+0 records in
1+0 records out
440 bytes copied, 0.000254363 s, 1.7 MB/s
+ lsblk -a -f
NAME  FSTYPE   FSVER            LABEL                      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0 squashfs 4.0                                                                                    0   100% /nix/.ro-store
loop1
loop2
loop3
loop4
loop5
loop6
loop7
sr0   iso9660  Joliet Extension nixos-minimal-24.05-x86_64 1980-01-01-00-00-00-00                     0   100% /iso
vda
++ mktemp -d
+ disko_devices_dir=/tmp/tmp.ZGKrk7K4Uw
+ trap 'rm -rf "$disko_devices_dir"' EXIT
+ mkdir -p /tmp/tmp.ZGKrk7K4Uw
+ device=/dev/vda
+ imageSize=2G
+ name=primary
+ type=disk
+ device=/dev/vda
+ efiGptPartitionFirst=1
+ type=gpt
+ blkid /dev/vda
+ sgdisk --clear /dev/vda
Creating new GPT entries in memory.
The operation has completed successfully.
+ sgdisk --align-end --new=1:0:+500M --change-name=1:disk-primary-esp --typecode=1:EF00 /dev/vda
The operation has completed successfully.
+ partprobe /dev/vda
+ udevadm trigger --subsystem-match=block
+ udevadm settle
+ sgdisk --align-end --new=2:0:-0 --change-name=2:disk-primary-root --typecode=2:8300 /dev/vda
The operation has completed successfully.
+ partprobe /dev/vda
+ udevadm trigger --subsystem-match=block
+ udevadm settle
+ device=/dev/disk/by-partlabel/disk-primary-esp
+ extraArgs=()
+ declare -a extraArgs
+ format=vfat
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=/boot
+ type=filesystem
+ blkid /dev/disk/by-partlabel/disk-primary-esp
+ grep -q TYPE=
+ mkfs.vfat /dev/disk/by-partlabel/disk-primary-esp
mkfs.fat 4.2 (2021-01-31)
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-primary-root
+ extraFormatArgs=()
+ declare -a extraFormatArgs
+ extraOpenArgs=()
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=root
+ passwordFile=/run/secrets/snowy/luks_password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ blkid /dev/disk/by-partlabel/disk-primary-root
+ blkid /dev/disk/by-partlabel/disk-primary-root -o export
+ grep -q '^TYPE='
+ cryptsetup -q luksFormat /dev/disk/by-partlabel/disk-primary-root --key-file /dev/fd/63
++ set +x
cat: /run/secrets/snowy/luks_password: No such file or directory
Nothing to read on input.
+ rm -rf /tmp/tmp.ZGKrk7K4Uw
Kreyren commented 5 months ago

Same problem with ragenix; it seems to be looking for the secret on the booted system that is used for deployment, so I worked around that by adding a file to /run/agenix/myfile with the password, which then deploys successfully, but this is a terrible solution security-wise.

[nix-shell:~]# nix run 'github:nix-community/disko#disko-install' -- --flake 'github:kreyren/nixos-config#tsvetan' --disk system /dev/mmcblk2
this derivation will be built:
  /nix/store/nfrif9zks92sz0lwkxdv6j7hh61qcsic-disko.drv
building '/nix/store/nfrif9zks92sz0lwkxdv6j7hh61qcsic-disko.drv'...
umount: /tmp/tmp.xACV0XT8X7: not mounted
++ realpath /dev/mmcblk2
+ disk=/dev/mmcblk2
+ lsblk -a -f
NAME         FSTYPE      FSVER LABEL      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0                                                                                         
loop1                                                                                         
loop2                                                                                         
loop3                                                                                         
loop4                                                                                         
loop5                                                                                         
loop6                                                                                         
loop7                                                                                         
mmcblk0                                                                                       
`-mmcblk0p1  ext4        1.0   armbi_root 02974c2b-d2c6-4679-8ae6-9d52449f2420   14.5G    49% /var/log.hdd
                                                                                              /
mmcblk2                                                                                       
|-mmcblk2p1  vfat        FAT32            12CE-A600                                           
|-mmcblk2p2  crypto_LUKS 2     CRYPT_NIX  196b1a16-e79e-42a5-931b-33db3e36d540                
`-mmcblk2p3  crypto_LUKS 2     CRYPT_SWAP 64235d8c-88fd-46ed-97a9-1bf8ec1c37b5                
mmcblk2boot0                                                                                  
mmcblk2boot1                                                                                  
zram0                                                                                         [SWAP]
zram1                                                                            35.8M    16% /var/log
zram2                                                                                         
+ lsblk --output-all --json
+ bash -x
++ dirname /nix/store/pin3a1kj24rp3axk9f1f0n00yxgr7div-disk-deactivate/disk-deactivate
+ jq -r --arg disk_to_clear /dev/mmcblk2 -f /nix/store/pin3a1kj24rp3axk9f1f0n00yxgr7div-disk-deactivate/disk-deactivate.jq
+ set -fu
+ wipefs --all -f /dev/mmcblk2p1
/dev/mmcblk2p1: 8 bytes were erased at offset 0x00000052 (vfat): 46 41 54 33 32 20 20 20
/dev/mmcblk2p1: 1 byte was erased at offset 0x00000000 (vfat): eb
/dev/mmcblk2p1: 2 bytes were erased at offset 0x000001fe (vfat): 55 aa
+ wipefs --all -f /dev/mmcblk2p2
/dev/mmcblk2p2: 6 bytes were erased at offset 0x00000000 (crypto_LUKS): 4c 55 4b 53 ba be
/dev/mmcblk2p2: 6 bytes were erased at offset 0x00004000 (crypto_LUKS): 53 4b 55 4c ba be
+ wipefs --all -f /dev/mmcblk2p3
/dev/mmcblk2p3: 6 bytes were erased at offset 0x00000000 (crypto_LUKS): 4c 55 4b 53 ba be
/dev/mmcblk2p3: 6 bytes were erased at offset 0x00004000 (crypto_LUKS): 53 4b 55 4c ba be
++ zdb -l /dev/mmcblk2
++ sed -nr 's/ +name: '\''(.*)'\''/\1/p'
bash: line 5: zdb: command not found
+ zpool=
+ [[ -n '' ]]
+ unset zpool
++ lsblk /dev/mmcblk2 -l -p -o type,name
++ awk 'match($1,"raid.*") {print $2}'
+ md_dev=
+ [[ -n '' ]]
+ wipefs --all -f /dev/mmcblk2
/dev/mmcblk2: 8 bytes were erased at offset 0x00000200 (gpt): 45 46 49 20 50 41 52 54
/dev/mmcblk2: 8 bytes were erased at offset 0x36ffffe00 (gpt): 45 46 49 20 50 41 52 54
/dev/mmcblk2: 2 bytes were erased at offset 0x000001fe (PMBR): 55 aa
+ dd if=/dev/zero of=/dev/mmcblk2 bs=440 count=1
1+0 records in
1+0 records out
440 bytes copied, 0.000194468 s, 2.3 MB/s
+ lsblk -a -f
NAME         FSTYPE FSVER LABEL      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0                                                                                    
loop1                                                                                    
loop2                                                                                    
loop3                                                                                    
loop4                                                                                    
loop5                                                                                    
loop6                                                                                    
loop7                                                                                    
mmcblk0                                                                                  
`-mmcblk0p1  ext4   1.0   armbi_root 02974c2b-d2c6-4679-8ae6-9d52449f2420   14.5G    49% /var/log.hdd
                                                                                         /
mmcblk2                                                                                  
mmcblk2boot0                                                                             
mmcblk2boot1                                                                             
zram0                                                                                    [SWAP]
zram1                                                                       35.8M    16% /var/log
zram2                                                                                    
++ mktemp -d
+ disko_devices_dir=/tmp/tmp.atzqJOJcnO
+ trap 'rm -rf "$disko_devices_dir"' EXIT
+ mkdir -p /tmp/tmp.atzqJOJcnO
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ blkid /dev/mmcblk2
+ sgdisk --clear /dev/mmcblk2
Creating new GPT entries in memory.
The operation has completed successfully.
+ sgdisk --align-end --new=1:30720:1079295 --change-name=1:disk-system-boot --typecode=1:EF00 /dev/mmcblk2
The operation has completed successfully.
+ partprobe /dev/mmcblk2
+ udevadm trigger --subsystem-match=block
+ udevadm settle
+ sgdisk --align-end --new=2:1079296:20447231 --change-name=2:disk-system-nix-store --typecode=2:8300 /dev/mmcblk2
The operation has completed successfully.
+ partprobe /dev/mmcblk2
+ udevadm trigger --subsystem-match=block
+ udevadm settle
+ sgdisk --align-end --new=3:20447232:28833791 --change-name=3:disk-system-swap --typecode=3:8300 /dev/mmcblk2
The operation has completed successfully.
+ partprobe /dev/mmcblk2
+ udevadm trigger --subsystem-match=block
+ udevadm settle
+ device=/dev/disk/by-partlabel/disk-system-boot
+ extraArgs=()
+ declare -a extraArgs
+ format=vfat
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=/boot
+ type=filesystem
+ blkid /dev/disk/by-partlabel/disk-system-boot
+ grep -q TYPE=
+ mkfs.vfat /dev/disk/by-partlabel/disk-system-boot
mkfs.fat 4.2 (2021-01-31)
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-nix-store
+ extraFormatArgs=('--use-random' '--label=CRYPT_NIX')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=nix-store
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ blkid /dev/disk/by-partlabel/disk-system-nix-store
+ blkid /dev/disk/by-partlabel/disk-system-nix-store -o export
+ grep -q '^TYPE='
+ cryptsetup -q luksFormat /dev/disk/by-partlabel/disk-system-nix-store --use-random --label=CRYPT_NIX --key-file /dev/fd/63
++ set +x
+ cryptsetup open /dev/disk/by-partlabel/disk-system-nix-store nix-store --allow-discards --timeout 10 --key-file /dev/fd/63 --persistent
++ set +x
+ device=/dev/mapper/nix-store
+ extraArgs=('--label NIX_STORE')
+ declare -a extraArgs
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=
+ type=btrfs
+ blkid /dev/mapper/nix-store -o export
+ grep -q '^TYPE='
+ mkfs.btrfs /dev/mapper/nix-store --label NIX_STORE
btrfs-progs v6.6.2
See https://btrfs.readthedocs.io for more information.

Performing full device TRIM /dev/mapper/nix-store (9.22GiB) ...
NOTE: several default settings have changed in version 5.15, please make sure
      this does not affect your deployments:
      - DUP for metadata (-m dup)
      - enabled no-holes (-O no-holes)
      - enabled free-space-tree (-R free-space-tree)

Label:              NIX_STORE
UUID:               51b08b3a-70e9-4d32-a9e5-56b60566b7ff
Node size:          16384
Sector size:        4096
Filesystem size:    9.22GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP             256.00MiB
  System:           DUP               8.00MiB
SSD detected:       yes
Zoned device:       no
Incompat features:  extref, skinny-metadata, no-holes, free-space-tree
Runtime features:   free-space-tree
Checksum:           crc32c
Number of devices:  1
Devices:
   ID        SIZE  PATH                 
    1     9.22GiB  /dev/mapper/nix-store

+ blkid /dev/mapper/nix-store -o export
+ grep -q '^TYPE=btrfs$'
++ mktemp -d
+ MNTPOINT=/tmp/tmp.4CpdF6ZVgS
+ mount /dev/mapper/nix-store /tmp/tmp.4CpdF6ZVgS -o subvol=/
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ SUBVOL_ABS_PATH=/tmp/tmp.4CpdF6ZVgS/@nix
++ dirname /tmp/tmp.4CpdF6ZVgS/@nix
+ mkdir -p /tmp/tmp.4CpdF6ZVgS
+ btrfs subvolume show /tmp/tmp.4CpdF6ZVgS/@nix
+ btrfs subvolume create /tmp/tmp.4CpdF6ZVgS/@nix
Create subvolume '/tmp/tmp.4CpdF6ZVgS/@nix'
++ umount /tmp/tmp.4CpdF6ZVgS
++ rm -rf /tmp/tmp.4CpdF6ZVgS
++ mktemp -d
+ MNTPOINT=/tmp/tmp.wk7jWVwZ5V
+ mount /dev/mapper/nix-store /tmp/tmp.wk7jWVwZ5V -o subvol=/
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ SUBVOL_ABS_PATH=/tmp/tmp.wk7jWVwZ5V/@persist
++ dirname /tmp/tmp.wk7jWVwZ5V/@persist
+ mkdir -p /tmp/tmp.wk7jWVwZ5V
+ btrfs subvolume show /tmp/tmp.wk7jWVwZ5V/@persist
+ btrfs subvolume create /tmp/tmp.wk7jWVwZ5V/@persist
Create subvolume '/tmp/tmp.wk7jWVwZ5V/@persist'
++ umount /tmp/tmp.wk7jWVwZ5V
++ rm -rf /tmp/tmp.wk7jWVwZ5V
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-swap
+ extraFormatArgs=('--use-random' '--label=CRYPT_SWAP')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=swap
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ blkid /dev/disk/by-partlabel/disk-system-swap
+ blkid /dev/disk/by-partlabel/disk-system-swap -o export
+ grep -q '^TYPE='
+ cryptsetup -q luksFormat /dev/disk/by-partlabel/disk-system-swap --use-random --label=CRYPT_SWAP --key-file /dev/fd/63
++ set +x
+ cryptsetup open /dev/disk/by-partlabel/disk-system-swap swap --allow-discards --timeout 10 --key-file /dev/fd/63 --persistent
++ set +x
+ device=/dev/mapper/swap
+ discardPolicy=
+ extraArgs=('--label SWAP')
+ declare -a extraArgs
+ priority=
+ randomEncryption=
+ resumeDevice=1
+ type=swap
+ blkid /dev/mapper/swap -o export
+ grep -q '^TYPE='
+ mkswap --label SWAP /dev/mapper/swap
Setting up swapspace version 1, size = 4 GiB (4277137408 bytes)
LABEL=SWAP, UUID=2e347374-0417-414c-84b6-41a3d68387cc
+ device=none
+ fsType=tmpfs
+ mountOptions=('size=1G' 'defaults' 'mode=755')
+ declare -a mountOptions
+ mountpoint=/
+ type=nodev
+ device=none
+ fsType=tmpfs
+ mountOptions=('size=1G' 'defaults' 'mode=755')
+ declare -a mountOptions
+ mountpoint=/home/kreyren
+ type=nodev
+ set -efux
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-swap
+ extraFormatArgs=('--use-random' '--label=CRYPT_SWAP')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=swap
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ cryptsetup status swap
+ device=none
+ fsType=tmpfs
+ mountOptions=('size=1G' 'defaults' 'mode=755')
+ declare -a mountOptions
+ mountpoint=/
+ type=nodev
+ findmnt tmpfs /tmp/tmp.xACV0XT8X7/
+ mount -t tmpfs none /tmp/tmp.xACV0XT8X7/ -o size=1G -o defaults -o mode=755 -o X-mount.mkdir
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ device=/dev/disk/by-partlabel/disk-system-boot
+ extraArgs=()
+ declare -a extraArgs
+ format=vfat
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=/boot
+ type=filesystem
+ findmnt /dev/disk/by-partlabel/disk-system-boot /tmp/tmp.xACV0XT8X7/boot
+ mount /dev/disk/by-partlabel/disk-system-boot /tmp/tmp.xACV0XT8X7/boot -t vfat -o defaults -o X-mount.mkdir
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-swap
+ extraFormatArgs=('--use-random' '--label=CRYPT_SWAP')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=swap
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ device=/dev/mapper/swap
+ discardPolicy=
+ extraArgs=('--label SWAP')
+ declare -a extraArgs
+ priority=
+ randomEncryption=
+ resumeDevice=1
+ type=swap
+ swapon --show
++ readlink -f /dev/mapper/swap
+ grep -q '^/dev/dm-1 '
+ swapon /dev/mapper/swap
+ device=none
+ fsType=tmpfs
+ mountOptions=('size=1G' 'defaults' 'mode=755')
+ declare -a mountOptions
+ mountpoint=/home/kreyren
+ type=nodev
+ findmnt tmpfs /tmp/tmp.xACV0XT8X7/home/kreyren
+ mount -t tmpfs none /tmp/tmp.xACV0XT8X7/home/kreyren -o size=1G -o defaults -o mode=755 -o X-mount.mkdir
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-nix-store
+ extraFormatArgs=('--use-random' '--label=CRYPT_NIX')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=nix-store
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ device=/dev/mapper/nix-store
+ extraArgs=('--label NIX_STORE')
+ declare -a extraArgs
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=
+ type=btrfs
+ findmnt /dev/mapper/nix-store /tmp/tmp.xACV0XT8X7/nix
+ mount /dev/mapper/nix-store /tmp/tmp.xACV0XT8X7/nix -o compress=lzo -o noatime -o subvol=@nix -o X-mount.mkdir
+ device=/dev/mmcblk2
+ imageSize=2G
+ name=system
+ type=disk
+ device=/dev/mmcblk2
+ efiGptPartitionFirst=1
+ type=gpt
+ additionalKeyFiles=()
+ declare -a additionalKeyFiles
+ askPassword=
+ device=/dev/disk/by-partlabel/disk-system-nix-store
+ extraFormatArgs=('--use-random' '--label=CRYPT_NIX')
+ declare -a extraFormatArgs
+ extraOpenArgs=('--timeout 10')
+ declare -a extraOpenArgs
+ initrdUnlock=1
+ keyFile=
+ name=nix-store
+ passwordFile=/run/agenix/tsvetan-disks-password
+ settings=(['allowDiscards']='1')
+ declare -A settings
+ type=luks
+ device=/dev/mapper/nix-store
+ extraArgs=('--label NIX_STORE')
+ declare -a extraArgs
+ mountOptions=('defaults')
+ declare -a mountOptions
+ mountpoint=
+ type=btrfs
+ findmnt /dev/mapper/nix-store /tmp/tmp.xACV0XT8X7/nix/persist/system
+ mount /dev/mapper/nix-store /tmp/tmp.xACV0XT8X7/nix/persist/system -o compress=lzo -o noatime -o subvol=@persist -o X-mount.mkdir
+ rm -rf /tmp/tmp.atzqJOJcnO
Copying store paths
Loading nix database
installing the boot loader...
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
[agenix] WARNING: config.age.identityPaths entry /etc/ssh/ssh_host_rsa_key not present!
[agenix] WARNING: config.age.identityPaths entry /etc/ssh/ssh_host_ed25519_key not present!
decrypting '/nix/store/88j7qavf1fdmxmsdii1h40qblgvwarya-kreyren-user-password.age' to '/run/agenix.d/1/kreyren-user-password'...
[agenix] WARNING: no readable identities found!
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/kreyren-user-password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/kreyren-user-password.tmp': No such file or directory
decrypting '/nix/store/34k34dppa4r2n1942wblpqm9skwd5dws-disks-password.age' to '/run/agenix.d/1/tsvetan-disks-password'...
[agenix] WARNING: no readable identities found!
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tsvetan-disks-password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tsvetan-disks-password.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 1)...
Activation script snippet 'agenixInstall' failed (1)
warning: password file ‘/run/agenix/kreyren-user-password’ does not exist
[agenix] chowning...
chown: cannot access '/run/agenix.d/1/kreyren-user-password': No such file or directory
chown: cannot access '/run/agenix.d/1/tsvetan-disks-password': No such file or directory
Activation script snippet 'agenixChown' failed (1)
Warning: Source directory '/nix/persist/system/var' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib/systemd' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/etc' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/etc/NetworkManager' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/log' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib/bluetooth' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib/nixos' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib/systemd/coredump' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/etc/NetworkManager/system-connections' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Warning: Source directory '/nix/persist/system/var/lib/colord' does not exist; it will be created for you with the following permissions: owner: 'colord:colord', mode: 'u=rwx,g=rx,o='.
chown: invalid user: 'colord:colord'
Error when executing chown "$user:$group" "$realSource" at line 52!
Warning: Source directory '/nix/persist/system/etc/nix' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: 'u=rwx,g=,o='.
Warning: Source directory '/nix/persist/system/etc/ssh' does not exist; it will be created for you with the following permissions: owner: 'root:root', mode: '0755'.
Activation script snippet 'createPersistentStorageDirs' failed (1)
setting up /etc...
Initializing machine ID from random generator.
Created "/boot/EFI".
Created "/boot/EFI/systemd".
Created "/boot/EFI/BOOT".
Created "/boot/loader".
Created "/boot/loader/entries".
Created "/boot/EFI/Linux".
Copied "/nix/store/l533347li9f4zikb3lw9hpdcvxf2i811-systemd-254.10/lib/systemd/boot/efi/systemd-bootaa64.efi" to "/boot/EFI/systemd/systemd-bootaa64.efi".
Copied "/nix/store/l533347li9f4zikb3lw9hpdcvxf2i811-systemd-254.10/lib/systemd/boot/efi/systemd-bootaa64.efi" to "/boot/EFI/BOOT/BOOTAA64.EFI".
! Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! !
! Random seed file '/boot/loader/.#bootctlrandom-seed4cd544777dc529b2' is world accessible, which is a security hole! !
Random seed file /boot/loader/random-seed successfully written (32 bytes).
installation finished!
elias-online commented 5 months ago

I am also interested in knowing what the proper way to pass sops-nix secrets into the disko config is, as I get the "No such file or directory" exception currently as well. It seems that adding the "config" parameter as a requirement is not enough.

Mic92 commented 5 months ago

Both sops-nix and agenix require a system activation, so it won't work outside the installed system unless you manually unpack the key to the target location prior to sops-nix.

So the only workaround I currently see is that the NixOS installer needs to have the secret in the very same location, i.e. /run/secrets/snowy/luks_password. If you use nixos-anywhere for installation you can use the --disk-encryption-keys flag to automate this.

Mic92 commented 5 months ago

But another question, given your example configuration: how should the password file work in general? Even if disko would provide the key file, it won't be available at boot time anyway, rendering an unbootable system.

poperigby commented 5 months ago

Hmm, that's a good point. So we'll just have to manually move around our disk encryption files?

Mic92 commented 5 months ago

But where do you store the encryption key? If you put it into another unencrypted partition, then you could as well not encrypt your disk at all.

poperigby commented 5 months ago

Wait a second, you don't need to store the password file anywhere. The password just needs to be read by Disko for the initial encryption setup and then you type it in every time you boot.


poperigby commented 5 months ago

I think you would just need sops to decrypt your LUKS password and place it in /tmp to be used with something like this: https://github.com/nix-community/disko/blob/5f7bdc72053380270f2a88690a14292c63cd5643/example/luks-interactive-login.nix#L25

It would only be needed for the first time setup.

Kreyren commented 5 months ago

Or, considering that I can make it work by supplying the secrets in /run/agenix/myfile -> just make a management that places the secrets from a generatable bootable media?

poperigby commented 5 months ago

Yes, but that would be less convenient because you would have to copy over both your password file and encryption key for agenix/sops-nix.

Kreyren commented 5 months ago

Yes, but that would be less convenient because you would have to copy over both your password file and encryption key for agenix/sops-nix. -- @poperigby (https://github.com/nix-community/disko/issues/641#issuecomment-2138292247)

Like if you want convenience we can probably grab the files from the secrets.nix and decrypt them in the /run/agenix prior to the system initialization. At least that seems like the most sane path of least resistance to me.

poperigby commented 5 months ago

This is what I came up with in my custom installation script:

export SOPS_AGE_KEY_FILE=$AGE_KEY_FILE
${sops}/bin/sops --decrypt --extract "['$TARGET_HOST']['luks_password']" "$CONFIG_DIR/secrets/secrets.yaml" > /tmp/luks_password