some work on external drive for raspberry

2023-10-07 10:01:27 +01:00 · 2023-10-07 10:01:27 +01:00 · 232280d338
parent 7583c0f482
commit 232280d338
2 changed files with 84 additions and 0 deletions
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@ -13,6 +13,8 @@
    profiles.chaosInternalWireGuard
    profiles.fingerprint

+    ./profiles/raspberryExtDrive.nix
+
    ./secrets.nix
  ];

--- a/hosts/lappy-t495/profiles/raspberryExtDrive.nix
+++ b/hosts/lappy-t495/profiles/raspberryExtDrive.nix
@ -0,0 +1,82 @@
+{
+  self,
+  pkgs,
+  lib,
+  ...
+}: let
+  externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";
+
+  unlockExternalDrive = let
+    jq = "${pkgs.jq}/bin/jq";
+    vault = "${pkgs.vault-bin}/bin/vault";
+    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+  in
+    pkgs.writeShellScriptBin "unlock_external_drive" ''
+      ${lockExternalDrive}/bin/lock_external_drive
+
+      vault-login || true
+
+      export VAULT_ADDR="https://vault.owo.monster"
+
+      cat /root/.vault-token | ${vault} login -
+
+      ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
+        | ${jq} -r ".data.data.key" \
+        | base64 -d \
+        | ${cryptsetup} open ${externalDriveData.encryptedPath} ${externalDriveData.mapperName} --key-file=/dev/stdin
+    '';
+
+  lockExternalDrive = let
+    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+  in
+    pkgs.writeShellScriptBin "lock_external_drive" ''
+      ${cryptsetup} close ${externalDriveData.mapperName} || true
+    '';
+
+  mountName =
+    (
+      builtins.replaceStrings ["/"] ["-"] (
+        lib.strings.removePrefix "/" externalDriveData.mountpoint
+      )
+    )
+    + ".mount";
+in {
+  environment.systemPackages = [
+    unlockExternalDrive
+    lockExternalDrive
+  ];
+
+  systemd.tmpfiles.rules = ["d ${externalDriveData.mountpoint} - root root"];
+
+  systemd.services.ext-drive-unlock = {
+    path = with pkgs; [
+      util-linux
+      cryptsetup
+      getent
+    ];
+    partOf = [mountName];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+    };
+    script = ''
+      ${unlockExternalDrive}/bin/unlock_external_drive
+    '';
+  };
+
+  systemd.mounts = [
+    {
+      what = "${externalDriveData.mapperPath}";
+      where = "${externalDriveData.mountpoint}";
+      after = ["ext-drive-unlock.service"];
+      description = "Raspberry's External Encrypted Drive";
+      type = "btrfs";
+      options = "rw,compress=zstd";
+      mountConfig = {
+        LazyUnmount = true;
+        ForceUnmount = true;
+      };
+    }
+  ];
+}