added clevis

hosts/Aphelion/hardware-Aphelion.nix

@@ -15,6 +15,12 @@
   boot.supportedFilesystems = [ "zfs" ];
   boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.zfs.package = pkgs.zfs_2_4;
+
+  boot.initrd.clevis = {
+    enable = true;
+    devices."aphelion-zroot/data/sensitive".secretFile = ../../secrets/Aphelion/sensitive.jwe;
+    devices."aphelion-zroot/nix-enc".secretFile = ../../secrets/Aphelion/sensitive.jwe;
+  };
   fileSystems."/" =
     { device = "none";
     fsType = "tmpfs";
@@ -28,7 +34,7 @@
     };
 
   fileSystems."/nix" =
-    { device = "aphelion-zroot/nix";
+    { device = "aphelion-zroot/nix-enc";
       fsType = "zfs";
     };
 
@@ -52,6 +58,12 @@
         fsType = "ext4";
         options = [ "x-mount.mkdir" "rw" ];
       };
+    fileSystems."/Volumes/Sensitive" =
+      {
+        device = "aphelion-zroot/data/sensitive";
+        fsType = "zfs";
+        options = [ "x-mount.mkdir" "rw" ];
+      };
 #    fileSystems."/Volumes/ssd_g" =
 #      {
 #        device = "/dev/disk/by-id/ata-KINGSTON_SA400S37240G_50026B77846D940A-part1";

secrets/Aphelion/sensitive.jwe

@@ -0,0 +1 @@
+eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJXzBfY0tfX2xQUVl5VjZOVHpQZXp3TjFtRW5STDZKSENfVDZiM29nRU5MQUJDenVyRDRiRjFrWXFWVjZmZkVLeEJOTE5nZ19YTldVcUR6VktrZU1fR21DdUNmeFFMWFF5SzhrckdHRzI2M21YVVZSdlJqUVdibWx4TUhvUEFqOWg4bnkwUnMyNFZhRjRjUW9SSUF6STIyVmxaRkpwc1g3SWF3djZqT3NxbWQ3SlBITl9TbUpCSEhCSDV0d09Rb0F5aHQzbWVfQm1mZWhHaEN1bWt3eW9RVE91MFVpak83aXg5QkEtYmJWeEkwZmtzLXhFM0RsYmppQmp3T1NrNUdwS0NvS2xmN1RTWEcwbXMtSldZWlF0d0N2Rm1lZERfcTB0SWVOZU5PSkw5anR0TGdSYmhMMEE4UExfS0YiLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJTFFjQ1lQZUtuVVRVY2Z3cG5wUjRzMEVMaHJuWUlheS03OGFDNVBXbGtPNCIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..oEVHsx4QXe2S2mLF.dNllN0zvGW70Q85SwcsSHcU.cnv7VoY4wqB9XqI31B6txA