nixfiles/presets/nixos/dual-encrypted-drive.nix

{
  config,
  pkgs,
  ...
}: let
  usb_data = import ../../data/usb_data.nix {};
  drive_data = import ../../data/dual_drive_data.nix {};
in {
  config.boot = {
    initrd.availableKernelModules = [
      # For USB w/ Encryption Key
      "usb_storage"
      "usbcore"
      "uas"
      "sd_mod"
      # For USB Keyboards
      "usbhid"
      # For Cryptography
      "aesni_intel"
      "cryptd"
    ];
    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
      mkdir -m 0755 -p /keys
      mkdir -m 0755 -p ${usb_data.mountpoint}

      while !(test -b ${usb_data.encrypted_path})
      do
        ${
        if config.boot.plymouth.enable
        then ''
          ${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
        ''
        else ''
          echo "Please Plug In USB"
        ''
      }
        sleep 1
      done

      ${
        if config.boot.plymouth.enable
        then ''
          ${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"

          ${pkgs.plymouth}/bin/plymouth ask-for-password \
            --prompt="Please Decrypt USB" \
            --command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
            --number-of-tries=3
        ''
        else ''
          echo "Please Decrypt USB"
          cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
        ''
      }

      mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}

      cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys

      umount -f ${usb_data.mountpoint}

      cryptsetup close ${usb_data.mapper_name}
    '';

    initrd.luks.devices = {
      "${drive_data.root_mapper_name}" = {
        device = "${drive_data.encrypted_root_path}";
        keyFile = "/keys/${config.networking.hostName}.key";
        preLVM = false;
        allowDiscards = true;
      };
    };
  };
  config.fileSystems = {
    "/" = {
      device = "${drive_data.decrypted_root_path}";
      fsType = "${drive_data.unencrypted_root_fs_type}";
    };
    "/boot" = {
      device = "${drive_data.boot_path}";
      fsType = "${drive_data.boot_fs_type}";
    };
  };
}
add dual boot encrypted drive option 2023-08-28 18:50:25 +01:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}: let`
			`usb_data = import ../../data/usb_data.nix {};`
			`drive_data = import ../../data/dual_drive_data.nix {};`
			`in {`
			`config.boot = {`
			`initrd.availableKernelModules = [`
			`# For USB w/ Encryption Key`
			`"usb_storage"`
			`"usbcore"`
			`"uas"`
			`"sd_mod"`
			`# For USB Keyboards`
			`"usbhid"`
			`# For Cryptography`
			`"aesni_intel"`
			`"cryptd"`
			`];`
			`initrd.postDeviceCommands = pkgs.lib.mkBefore ''`
			`mkdir -m 0755 -p /keys`
			`mkdir -m 0755 -p ${usb_data.mountpoint}`

			`while !(test -b ${usb_data.encrypted_path})`
			`do`
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`${`
			`if config.boot.plymouth.enable`
			`then ''`
			`${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"`
			`''`
			`else ''`
			`echo "Please Plug In USB"`
			`''`
			`}`
add dual boot encrypted drive option 2023-08-28 18:50:25 +01:00			`sleep 1`
			`done`

updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`${`
			`if config.boot.plymouth.enable`
			`then ''`
			`${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"`
add dual boot encrypted drive option 2023-08-28 18:50:25 +01:00
updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth 2023-09-01 01:46:14 +01:00			`${pkgs.plymouth}/bin/plymouth ask-for-password \`
			`--prompt="Please Decrypt USB" \`
			`--command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \`
			`--number-of-tries=3`
			`''`
			`else ''`
			`echo "Please Decrypt USB"`
			`cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}`
			`''`
			`}`
add dual boot encrypted drive option 2023-08-28 18:50:25 +01:00
			`mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}`

			`cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys`

			`umount -f ${usb_data.mountpoint}`

			`cryptsetup close ${usb_data.mapper_name}`
			`'';`

			`initrd.luks.devices = {`
			`"${drive_data.root_mapper_name}" = {`
			`device = "${drive_data.encrypted_root_path}";`
			`keyFile = "/keys/${config.networking.hostName}.key";`
			`preLVM = false;`
			`allowDiscards = true;`
			`};`
			`};`
			`};`
			`config.fileSystems = {`
			`"/" = {`
			`device = "${drive_data.decrypted_root_path}";`
			`fsType = "${drive_data.unencrypted_root_fs_type}";`
			`};`
			`"/boot" = {`
			`device = "${drive_data.boot_path}";`
			`fsType = "${drive_data.boot_fs_type}";`
			`};`
			`};`
			`}`