zfs full pool encryption

2025-01-29 23:47:35 -05:00 · 2025-01-29 23:47:35 -05:00 · f836aa06b4
commit f836aa06b4
parent 199b9f3d78
4 changed files with 27 additions and 26 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -101,14 +101,10 @@
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}
    '';
-
-    "zfs-encryption-keys".text = ''
-      #!/bin/sh
-      rm -fr /etc/zfs-key
-      cp /etc/nixos/secrets/zfs-key /etc/zfs-key
-    '';
  };

+  boot.initrd.secrets."/etc/zfs-key" = /etc/nixos/secrets/zfs-key;
+
  environment.etc = {
    "issue".text = "";
  };
@ -292,6 +288,9 @@
      "wheel"
      "video"
      "render"
+      "postgres"
+      "owntracks"
+      "immich"
    ];
    hashedPasswordFile = "/etc/nixos/secrets/hashedPass";

@ -353,5 +352,5 @@
    "d ${config.services.postgresql.dataDir} 0700 postgres postgres"
  ];

-  system.stateVersion = "24.05";
+  system.stateVersion = "24.11";
 }
--- a/flake.lock
+++ b/flake.lock
@ -163,11 +163,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738028598,
-        "narHash": "sha256-0AjsOFj8Tyl1S8mEgr2MKCHIj0Y+/Gy275xas2kduqQ=",
+        "lastModified": 1738201338,
+        "narHash": "sha256-yO1zdfkSyNWywriGUTRbDnJsoZkjFwpl/1DVwdv9GNA=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "381b2e789876208216b26725009826c80c99399f",
+        "rev": "ce78a3fcb768948c3b2ed1196fdd124a4316a863",
        "type": "github"
      },
      "original": {
@ -194,11 +194,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1737885640,
-        "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
+        "lastModified": 1738023785,
+        "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
+        "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89",
        "type": "github"
      },
      "original": {
--- a/services/minecraft.nix
+++ b/services/minecraft.nix
@ -64,8 +64,8 @@ in
            };

            moonrise = fetchurl {
-              url = "https://cdn.modrinth.com/data/KOHu7RCS/versions/a8Zqa1bJ/Moonrise-Fabric-0.2.0-beta.7%2B6ec14ff.jar";
-              sha512 = "4ebc97764038aebd0b4bc5f6b25f9356419cf32f6c8bd64016665d9aad5c9f79ca9df2decac3038f7f713ff595c2b3286b3a1eb4d6debcd6639a52556416581a";
+              url = "https://cdn.modrinth.com/data/KOHu7RCS/versions/J5ayzvZp/Moonrise-Fabric-0.2.0-beta.8%2B0cbff02.jar";
+              sha512 = "d6f8b698226ebfcd87635cc2796022b0dad030f1d9ff5fd77d184b729c4d0c1f7dcfd265ab0f80186178c8c89fbdce20407b1025af05edec8c4a4f8df605ebf6";
            };

            squaremap = fetchurl {
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@ -64,17 +64,19 @@
        QueueingSystemEnabled = false; # seed all torrents all the time

        AddTrackersEnabled = true;
-        AdditionalTrackers = (lib.concatStrings (
-          map (url: url + "\\n") [
-            "udp://tracker.opentrackr.org:1337/announce"
-            "udp://open.stealth.si:80/announce"
-            "udp://open.demonii.com:1337"
-            "udp://exodus.desync.com:6969/announce"
-            "udp://tracker.dler.org:6969/announce"
-            "udp://tracker.bittor.pw:1337/announce"
-            "udp://tracker.torrent.eu.org:451/announce"
-          ]
-        ));
+        AdditionalTrackers = (
+          lib.concatStrings (
+            map (url: url + "\\n") [
+              "udp://tracker.opentrackr.org:1337/announce"
+              "udp://open.stealth.si:80/announce"
+              "udp://open.demonii.com:1337"
+              "udp://exodus.desync.com:6969/announce"
+              "udp://tracker.dler.org:6969/announce"
+              "udp://tracker.bittor.pw:1337/announce"
+              "udp://tracker.torrent.eu.org:451/announce"
+            ]
+          )
+        );
      };
    };
  };