45 lines
1.6 KiB
Nix
45 lines
1.6 KiB
Nix
|
{pkgs, ...}: let
|
||
|
external_drive_data = import ../../../data/raspberry_ext_drive.nix {};
|
||
|
|
||
|
mount_external_drive = let
|
||
|
jq = "${pkgs.jq}/bin/jq";
|
||
|
vault = "${pkgs.vault-bin}/bin/vault";
|
||
|
cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
|
||
|
in
|
||
|
pkgs.writeShellScriptBin "mount_external_drive" ''
|
||
|
${unmount_external_drive}/bin/unmount_external_drive
|
||
|
|
||
|
vault-login
|
||
|
|
||
|
${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
|
||
|
| ${jq} -r ".data.data.key" \
|
||
|
| base64 -d \
|
||
|
| ${cryptsetup} open ${external_drive_data.encrypted_path} ${external_drive_data.mapper_name} --key-file=/dev/stdin
|
||
|
mount ${external_drive_data.mapper_path} -o rw,compress=zstd ${external_drive_data.mountpoint}
|
||
|
'';
|
||
|
|
||
|
unmount_external_drive = let
|
||
|
cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
|
||
|
in
|
||
|
pkgs.writeShellScriptBin "unmount_external_drive" ''
|
||
|
umount -flR ${external_drive_data.mountpoint} || true
|
||
|
${cryptsetup} close ${external_drive_data.mapper_name} || true
|
||
|
'';
|
||
|
in {
|
||
|
environment.systemPackages =
|
||
|
(with pkgs; [
|
||
|
cryptsetup
|
||
|
])
|
||
|
++ [
|
||
|
mount_external_drive
|
||
|
unmount_external_drive
|
||
|
];
|
||
|
|
||
|
systemd.tmpfiles.rules = ["d ${external_drive_data.mountpoint} - root root"];
|
||
|
|
||
|
# services.udev.extraRules = ''
|
||
|
# ACTION=="add", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
|
||
|
# ACTION=="remove", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
|
||
|
# '';
|
||
|
}
|