fix: exhaustive logical audit of installer, live-iso and system configurations

2026-04-13 19:26:47 +01:00
parent 2d587d40ff
commit cabc668c77
5 changed files with 59 additions and 8 deletions
--- a/installer/disko-golden.nix
+++ b/installer/disko-golden.nix
@@ -38,9 +38,10 @@
              content = {
                type = "luks";
                name = "crypted";
-                # Password will be provided interactively or via stdin
+                # Password will be provided via /tmp/secret.key
                settings = {
                  allowDiscards = true;  # Enable TRIM for SSDs
+                  passwordFile = "/tmp/secret.key";
                };
                content = {
                  type = "btrfs";
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -338,8 +338,10 @@ execute_installation() {

    sed "s|@TARGET_DRIVE@|${TARGET_DRIVE}|g" "$disko_file" > "$tmp_disko"

-    # Provide the LUKS passphrase via stdin for disk encryption
-    echo -n "$LUKS_PASSWORD" | disko --mode disko "$tmp_disko"
+    # Provide the LUKS passphrase via a temporary file for disk encryption
+    echo -n "$LUKS_PASSWORD" > /tmp/secret.key
+    disko --mode disko "$tmp_disko"
+    rm /tmp/secret.key
    success "Disk partitioned"

    # 9.2 Generate hardware config
@@ -439,7 +441,7 @@ FLAKE_EOF
 { inputs, ... }:
 {
  imports = [
-    $(echo -e "$HARDWARE_MODULES")
+    $HARDWARE_MODULES
  ];
  $NOMARCHY_HW_OPTS
 }