nixfiles/presets/nixos/encryptedDrive.nix

{
  self,
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (lib.modules) mkBefore;

  encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";
  driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
  boot = {
    initrd.availableKernelModules = [
      # For USB w/ Encryption Key
      "usb_storage"
      "usbcore"
      "uas"
      "sd_mod"
      # For USB Keyboards
      "usbhid"
      # For Cryptography
      "aesni_intel"
      "cryptd"
    ];
    initrd.postDeviceCommands = mkBefore ''
        mkdir -m 0755 -p /keys
        mkdir -m 0755 -p ${encryptedUSB.mountpoint}

        if grep --quiet "cryptsetup_password" /proc/cmdline; then
          USE_PASSWORD=true
        else
          USE_PASSWORD=false
        fi

        while !(test -b ${encryptedUSB.encryptedPath}) && [ "$USE_PASSWORD" == "false" ]
        do
          ${
        if config.boot.plymouth.enable
        then ''
          ${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
        ''
        else ''
          echo "Please Plug In USB"
        ''
      }
          sleep 1
        done

        ${
        if config.boot.plymouth.enable
        then ''
          ${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"

          if [ "$USE_PASSWORD" == "true" ]; then
            ${pkgs.plymouth}/bin/plymouth ask-for-password \
              --prompt="Please Enter Password" \
              --command="cryptsetup -T1 open ${driveData.encryptedPath} ${driveData.mapperName}" \
              --number-of-tries=3
          else
            ${pkgs.plymouth}/bin/plymouth ask-for-password \
              --prompt="Please Decrypt USB" \
              --command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}" \
              --number-of-tries=3
          fi
        ''
        else ''
          if [ "$USE_PASSWORD" == "true" ]; then
            echo "Please Decrypt Drive"
            cryptsetup open ${driveData.encryptedPath} ${driveData.mapperName}
          else
            echo "Please Decrypt USB"
            cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}
          fi
        ''
      }

        if [ "$USE_PASSWORD" == "false" ]; then
          mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint}

          cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys
          chmod 0755 /keys/${config.networking.hostName}.key
          umount -f ${encryptedUSB.mountpoint}

          cryptsetup close ${encryptedUSB.preBootMapperName}
      fi
    '';
    initrd.luks.devices = {
      "${driveData.mapperName}" = {
        device = "${driveData.encryptedPath}";
        keyFile = "/keys/${config.networking.hostName}.key";
        preLVM = false;
        allowDiscards = true;
        fallbackToPassword = true;
      };
    };
  };

  fileSystems = {
    "/" = {
      device = "${driveData.decryptedPath}";
      fsType = "${driveData.unencryptedFSType}";
    };
    "/boot" = {
      device = "${driveData.bootPath}";
      fsType = "${driveData.bootFSType}";
    };
  };
}
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`{`
major tidy 2023-09-18 03:56:58 +01:00			`self,`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`config,`
			`pkgs,`
major tidy 2023-09-18 03:56:58 +01:00			`lib,`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`...`
			`}: let`
major tidy 2023-09-18 03:56:58 +01:00			`inherit (lib.modules) mkBefore;`

fix up some path names 2023-09-20 18:17:50 +01:00			`encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";`
			`driveData = import "${self}/data/drives/encryptedDrive.nix";`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`in {`
major tidy 2023-09-18 03:56:58 +01:00			`boot = {`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`initrd.availableKernelModules = [`
			`# For USB w/ Encryption Key`
			`"usb_storage"`
			`"usbcore"`
			`"uas"`
			`"sd_mod"`
			`# For USB Keyboards`
			`"usbhid"`
			`# For Cryptography`
			`"aesni_intel"`
			`"cryptd"`
			`];`
major tidy 2023-09-18 03:56:58 +01:00			`initrd.postDeviceCommands = mkBefore ''`
updates & formatting 2023-12-20 17:38:38 +00:00			`mkdir -m 0755 -p /keys`
			`mkdir -m 0755 -p ${encryptedUSB.mountpoint}`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`if grep --quiet "cryptsetup_password" /proc/cmdline; then`
			`USE_PASSWORD=true`
			`else`
			`USE_PASSWORD=false`
			`fi`
hopefully allow unlock encrypt drive with password 2023-12-08 14:28:19 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`while !(test -b ${encryptedUSB.encryptedPath}) && [ "$USE_PASSWORD" == "false" ]`
			`do`
			`${`
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`if config.boot.plymouth.enable`
			`then ''`
			`${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"`
			`''`
			`else ''`
			`echo "Please Plug In USB"`
			`''`
			`}`
updates & formatting 2023-12-20 17:38:38 +00:00			`sleep 1`
			`done`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`${`
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`if config.boot.plymouth.enable`
			`then ''`
			`${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`if [ "$USE_PASSWORD" == "true" ]; then`
hopefully allow unlock encrypt drive with password 2023-12-08 14:28:19 +00:00			`${pkgs.plymouth}/bin/plymouth ask-for-password \`
			`--prompt="Please Enter Password" \`
			`--command="cryptsetup -T1 open ${driveData.encryptedPath} ${driveData.mapperName}" \`
			`--number-of-tries=3`
			`else`
			`${pkgs.plymouth}/bin/plymouth ask-for-password \`
			`--prompt="Please Decrypt USB" \`
			`--command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}" \`
			`--number-of-tries=3`
			`fi`
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`''`
			`else ''`
updates & formatting 2023-12-20 17:38:38 +00:00			`if [ "$USE_PASSWORD" == "true" ]; then`
hopefully allow unlock encrypt drive with password 2023-12-08 14:28:19 +00:00			`echo "Please Decrypt Drive"`
			`cryptsetup open ${driveData.encryptedPath} ${driveData.mapperName}`
updates & formatting 2023-12-20 17:38:38 +00:00			`else`
hopefully allow unlock encrypt drive with password 2023-12-08 14:28:19 +00:00			`echo "Please Decrypt USB"`
			`cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}`
			`fi`
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`''`
			`}`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`if [ "$USE_PASSWORD" == "false" ]; then`
			`mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint}`
change how usb drive automount works 2022-12-14 10:08:14 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys`
			`chmod 0755 /keys/${config.networking.hostName}.key`
			`umount -f ${encryptedUSB.mountpoint}`
change how usb drive automount works 2022-12-14 10:08:14 +00:00
updates & formatting 2023-12-20 17:38:38 +00:00			`cryptsetup close ${encryptedUSB.preBootMapperName}`
			`fi`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`'';`
			`initrd.luks.devices = {`
major tidy 2023-09-18 03:56:58 +01:00			`"${driveData.mapperName}" = {`
			`device = "${driveData.encryptedPath}";`
change how usb drive automount works 2022-12-14 10:08:14 +00:00			`keyFile = "/keys/${config.networking.hostName}.key";`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`preLVM = false;`
			`allowDiscards = true;`
fix mk-enc-usb to use correct partition 2023-11-10 19:00:15 +00:00			`fallbackToPassword = true;`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`};`
			`};`
			`};`
major tidy 2023-09-18 03:56:58 +01:00
			`fileSystems = {`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`"/" = {`
major tidy 2023-09-18 03:56:58 +01:00			`device = "${driveData.decryptedPath}";`
			`fsType = "${driveData.unencryptedFSType}";`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`};`
			`"/boot" = {`
major tidy 2023-09-18 03:56:58 +01:00			`device = "${driveData.bootPath}";`
			`fsType = "${driveData.bootFSType}";`
Storage updates, tablet updates, presets & more 2022-11-10 14:57:07 +00:00			`};`
			`};`
			`}`