nixfiles/extras/mk-encrypted-drive.nix

83 lines
2.6 KiB
Nix
Raw Permalink Normal View History

2023-09-20 15:46:20 +01:00
{
parted,
cryptsetup,
e2fsprogs,
dosfstools,
writeShellApplication,
}: let
driveData = import ../data/drives/encryptedDrive.nix;
2024-03-10 18:29:49 +00:00
in
writeShellApplication {
name = "mk-encrypted-drive";
runtimeInputs = [
parted
cryptsetup
e2fsprogs
dosfstools
];
text = ''
if [ -z "''${BIOS-}" ]; then
echo "If making a drive for bios then you will need to set BIOS env variable"
fi
2023-09-20 15:46:20 +01:00
2024-03-30 09:28:16 +00:00
echo "If the drive is for a encrypted server then set \$2/KEY_FILE as password file with no trailing newline (nano -L)"
2023-09-20 15:46:20 +01:00
2024-03-30 09:28:16 +00:00
if [ -z "''${DRIVE_PATH-}" ] && [ -z "''${1-}" ]; then
echo "Please specify a path to drive as first argument or set DRIVE_PATH"
2024-03-10 18:29:49 +00:00
exit 1
2024-03-30 09:28:16 +00:00
else
if [ -n "''${1-}" ]; then DRIVE_PATH=$1; fi
2024-03-10 18:29:49 +00:00
fi
2023-09-20 15:46:20 +01:00
2024-03-30 09:28:16 +00:00
if [ -z "''${KEY_FILE-}" ] && [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument or set KEY_FILE"
2024-03-10 18:29:49 +00:00
exit 1
2024-03-30 09:28:16 +00:00
else
if [ -n "''${2-}" ]; then KEY_FILE=$2; fi
2024-03-10 18:29:49 +00:00
fi
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "Creating Partitions..."
if [ -n "''${BIOS-}" ]; then
# EFI Install
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 esp on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
else
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 boot on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
fi
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "Formatting boot partition"
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "Opening Encrypted Partition"
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
2023-09-20 15:46:20 +01:00
2024-03-10 18:29:49 +00:00
echo "mount /dev/mapper/mk_encrypted_drive to install"
'';
}