From 3541fd13e4e6a391d8b29ae13f9424ad6767f52d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?=
Date: Fri, 9 Jan 2026 12:18:23 +0100
Subject: [PATCH] Change to get TPM2 auto decryption working
---
 deploy.sh                              | 17 +++++++++++------
 templates/nix-config/configuration.nix |  2 +-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/deploy.sh b/deploy.sh
index 4b724fc..98ff266 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -298,6 +298,7 @@ disks_selection() {
     for i in ${!DISK_NAME[@]}; do
         if printf '%s' "$SELECTED_BOOT_DISK" | grep -iqw "${DISK_NAME[${i}]}"; then
             BOOT_DISKS_ID+=("${DISK_ID[${i}]:-${DISK_DEVPATH[${i}]}}")
+            BOOT_DISKS_NAME+=("${DISK_NAME[${i}]}")
             unset "GUM_PRINTED_ELEMENTS[${i}]"
         fi
     done
@@ -308,13 +309,16 @@ disks_selection() {
     elif [[ "${#BOOT_DISKS_ID[@]}" -eq 1 ]]; then
         echo -e "\n\n⚠️ One boot disk selected, continuing with striped boot disk configuration."
         echo -e "Consider using 2 boot disks instead to get data protection features on the boot disks."
-        export BOOT_DISK_1_ID=${BOOT_DISKS_ID[0]}
+        export BOOT_DISK_1_ID="${BOOT_DISKS_ID[0]}"
+        export BOOT_DISK_1_NAME="${DISK_NAME[0]}"
     elif [[ "${#BOOT_DISKS_ID[@]}" -eq 2 ]]; then
         echo -e "\n\n✅ Two boot disks selected, continuing with mirrored boot disks configuration."
         echo -e "\n\n⚠️ If the two disks are different sizes, the resulting usable space size will be \
         the one of the smallest disk."
-        export BOOT_DISK_1_ID=${BOOT_DISKS_ID[0]}
-        export BOOT_DISK_2_ID=${BOOT_DISKS_ID[1]}
+        export BOOT_DISK_1_ID="${BOOT_DISKS_ID[0]}"
+        export BOOT_DISK_2_ID="${BOOT_DISKS_ID[1]}"
+        export BOOT_DISK_1_NAME="${BOOT_DISKS_NAME[0]}"
+        export BOOT_DISK_2_NAME="${BOOT_DISKS_NAME[1]}"
     else
         echo -e "\n\n❌ Unexpected bug. Please contact the developer. Aborting."
         exit 1
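Review bot: In the single-boot-disk branch the new line `export BOOT_DISK_1_NAME="${DISK_NAME[0]}"` reads the first entry of the full detected-disk list, not the disk the user selected; the two-disk branch a few lines below reads `BOOT_DISKS_NAME[0]`, which the selection loop in the previous hunk fills in step with `BOOT_DISKS_ID`. Unless the chosen boot disk happens to be the first detected disk, the wrong device name is exported and later handed to TPM2 enrollment in postrun_action. Change it to `export BOOT_DISK_1_NAME="${BOOT_DISKS_NAME[0]}"` so both branches draw from the same array. disks_selection continues outside the hunk, so I could not see whether `BOOT_DISKS_NAME` is reset wherever `BOOT_DISKS_ID` is; it should be.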
@@ -613,6 +617,7 @@ nix_generation() {
     sed -i "s|TRAEFIK_REF_NETWORKS|${TRAEFIK_REF_NETWORKS//$'\n'/\\n}|" final-nix-config/etc/nixos/podman/traefik.nix
     if [[ "${TARGET_TPM}" == "true" ]]; then
         sed -i "s|# boot.initrd.systemd.tpm2.enable = true;| boot.initrd.systemd.tpm2.enable = true;|" final-nix-config/etc/nixos/configuration.nix
+        sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|" final-nix-config/etc/nixos/configuration.nix
     fi
 }
@@ -740,10 +745,10 @@ postrun_action() {
     sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|" /etc/nixos/configuration.nix
     if [[ ${#BOOT_DISKS_ID[@]} -eq 1 ]]; then
-        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/mapper/crypted-boot-1
+        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISKS_1_NAME}
     elif [[ ${#BOOT_DISKS_ID[@]} -eq 2 ]]; then
-        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/mapper/crypted-boot-1
-        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/mapper/crypted-boot-2
+        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-1 /dev/${BOOT_DISKS_1_NAME}
+        echo $REMOTE_PASS | sudo -S systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --unlock-key-file=/etc/secrets/disks/boot-2 /dev/${BOOT_DISKS_2_NAME}
     fi
     PCR_HASH=\$(echo $REMOTE_PASS | sudo -S systemd-analyze pcrs 15 --json=short)
diff --git a/templates/nix-config/configuration.nix b/templates/nix-config/configuration.nix
index 8d2a321..702fec1 100644
--- a/templates/nix-config/configuration.nix
+++ b/templates/nix-config/configuration.nix
@@ -10,8 +10,8 @@
     ./misc/mail.nix
     ./misc/networking.nix
     ./misc/smart.nix
-# ./disks/snapraid.nix
 # ./disks/pcr-check.nix
+# ./disks/snapraid.nix
 # ./pcie-coral/coral.nix
   ];
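Review bot: The added `sed -i "s|# ./disks/pcr-check.nix| ./disks/pcr-check.nix|"` duplicates the identical uncomment that postrun_action already performs on `/etc/nixos/configuration.nix` (visible as context in the next hunk), so one of the two is a no-op; whichever is kept should be the one that runs after `PCR_HASH` is computed, since enabling `./disks/pcr-check.nix` at generation time presumably builds the first system with whatever placeholder value that module carries — worth confirming against pcr-check.nix. `sed -i` also exits 0 when the pattern does not match, so a silent failure here leaves the PCR check disabled without any signal; a follow-up `grep -q '^ *\./disks/pcr-check.nix' final-nix-config/etc/nixos/configuration.nix || exit 1` would make the enablement verifiable. nix_generation starts before the hunk.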
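Review bot: The rewritten enrollment lines expand `${BOOT_DISKS_1_NAME}` and `${BOOT_DISKS_2_NAME}`, but disks_selection (earlier hunk) exports `BOOT_DISK_1_NAME` and `BOOT_DISK_2_NAME` without the S, so the device argument collapses to `/dev/` and `systemd-cryptenroll` fails (or the script aborts if it runs under `set -u`); the `\$(` on the PCR_HASH line suggests this block is a heredoc expanded locally, which is where those exports live. Use the exported names and quote them, e.g. `--unlock-key-file=/etc/secrets/disks/boot-1 "/dev/${BOOT_DISK_1_NAME}"`, and likewise for disk 2. Pointing cryptenroll at the raw LUKS device instead of the dm-mapper node is the right change, since enrollment writes to the LUKS header. Separately, `echo $REMOTE_PASS` is unquoted and word-splits or globs a password containing spaces or `*`; `printf '%s\n' "$REMOTE_PASS"` avoids that. postrun_action continues outside the hunk.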