jacobpascual/openzfs-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NixOS: remove encrypted swap section due to system bug

Browse Source 
See https://github.com/NixOS/nixpkgs/issues/157989

Signed-off-by: Maurice Zhou <jasper@apvc.uk>
This commit is contained in:
Maurice Zhou
2022-02-06 15:56:32 +01:00
committed by George Melikov
parent bbea2a1c1b
commit 891a5e1659
1 changed files with 0 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
docs/Getting Started/NixOS/Root on ZFS/3-optional-configuration.rst
View File

@@ -189,58 +189,3 @@ root pool will be replaced by keyfile, embedded in initrd.
In the possible event of LUKS container corruption, In the possible event of LUKS container corruption,
data on root set will only be available data on root set will only be available
with this key. with this key.
Persistent swap and hibernation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#. Optional: enable persistent swap partition. By default
encryption key of swap partition is discarded on reboot::
INST_SWAPKEY=/mnt/etc/cryptkey.d/${INST_PRIMARY_DISK##*/}-part4-key-luks-swap
INST_SWAPMAPPER=${INST_PRIMARY_DISK##*/}-part4-luks-swap
# fstab
# remove existing swap entries
for i in $DISK; do echo $i; done | grep -v ${INST_PRIMARY_DISK##*/} \
| while read j; do sed -i "\,$j-part4\"; randomEncryption.enable,d" /mnt/etc/nixos/${INST_CONFIG_FILE} ; done
sed -i "s|${INST_PRIMARY_DISK}-part4\"; randomEncryption.enable = true|/dev/mapper/${INST_SWAPMAPPER}\"|g" /mnt/etc/nixos/${INST_CONFIG_FILE}
# create key and format partition as LUKS container
dd bs=32 count=1 if=/dev/urandom of=${INST_SWAPKEY};
chmod u=r,go= /mnt/etc/cryptkey.d/*
cryptsetup luksFormat -q --type luks2 --key-file ${INST_SWAPKEY} ${INST_PRIMARY_DISK}-part4
cryptsetup luksOpen ${INST_PRIMARY_DISK}-part4 ${INST_SWAPMAPPER} --key-file ${INST_SWAPKEY}
# initialize swap space
mkswap /dev/mapper/${INST_SWAPMAPPER}
# add initrd key
tee -a /mnt/etc/nixos/${INST_CONFIG_FILE} <<EOF
boot.initrd.secrets = {
"/etc/cryptkey.d/${INST_PRIMARY_DISK##*/}-part4-key-luks-swap" = "/etc/cryptkey.d/${INST_PRIMARY_DISK##*/}-part4-key-luks-swap";
};
boot.initrd.luks.devices = {
"${INST_SWAPMAPPER}" = {
device = "${INST_PRIMARY_DISK}-part4";
allowDiscards = true;
keyFile = "/etc/cryptkey.d/${INST_PRIMARY_DISK##*/}-part4-key-luks-swap";
};
};
EOF
#. Optional: after enabling persistent swap partition,
enable hibernation::
tee -a /mnt/etc/nixos/${INST_CONFIG_FILE} <<EOF
boot.resumeDevice = "/dev/mapper/${INST_SWAPMAPPER}";
EOF
Note that hibernation might not work with discrete graphics, virtio graphics or
AMD APU integrated graphics. This is not specific to this guide.
Computer must resume from a continuous swap space, resume
from multiple swap partitions is not supported.
Do not touch anything on disk while the computer is
in hibernation, see `kernel documentation
<https://www.kernel.org/doc/html/latest/power/swsusp.html>`__.