From 232280d338b16addf568ea3219b291ffa60d5ac7 Mon Sep 17 00:00:00 2001
From: chaos
Date: Sat, 7 Oct 2023 10:01:27 +0100
Subject: [PATCH] some work on external drive for raspberry
---
 hosts/lappy-t495/lappy-t495.nix | 2 +
 .../lappy-t495/profiles/raspberryExtDrive.nix | 82 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 hosts/lappy-t495/profiles/raspberryExtDrive.nix
diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix
index f65d465..4f79d4f 100644
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@@ -13,6 +13,8 @@
 profiles.chaosInternalWireGuard
 profiles.fingerprint
+ ./profiles/raspberryExtDrive.nix
+ ./secrets.nix
 ];
diff --git a/hosts/lappy-t495/profiles/raspberryExtDrive.nix b/hosts/lappy-t495/profiles/raspberryExtDrive.nix
new file mode 100644
index 0000000..0d15dcc
--- /dev/null
+++ b/hosts/lappy-t495/profiles/raspberryExtDrive.nix
@@ -0,0 +1,82 @@
+{
+ self,
+ pkgs,
+ lib,
+ ...
+}: let
+ externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";
+
+ unlockExternalDrive = let
+ jq = "${pkgs.jq}/bin/jq";
+ vault = "${pkgs.vault-bin}/bin/vault";
+ cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+ in
+ pkgs.writeShellScriptBin "unlock_external_drive" ''
+ ${lockExternalDrive}/bin/lock_external_drive
+
+ vault-login || true
+
+ export VAULT_ADDR="https://vault.owo.monster"
+
+ cat /root/.vault-token | ${vault} login -
+
+ ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
+ | ${jq} -r ".data.data.key" \
+ | base64 -d \
+ | ${cryptsetup} open ${externalDriveData.encryptedPath} ${externalDriveData.mapperName} --key-file=/dev/stdin
+ '';
+
+ lockExternalDrive = let
+ cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+ in
+ pkgs.writeShellScriptBin "lock_external_drive" ''
+ ${cryptsetup} close ${externalDriveData.mapperName} || true
+ '';
+
+ mountName =
+ (
+ builtins.replaceStrings ["/"] ["-"] (
+ lib.strings.removePrefix "/" externalDriveData.mountpoint
+ )
+ )
+ + ".mount";
+in {
+ environment.systemPackages = [
+ unlockExternalDrive
+ lockExternalDrive
+ ];
+
+ systemd.tmpfiles.rules = ["d ${externalDriveData.mountpoint} - root root"];
+
+ systemd.services.ext-drive-unlock = {
+ path = with pkgs; [
+ util-linux
+ cryptsetup
+ getent
+ ];
+ partOf = [mountName];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ User = "root";
+ Group = "root";
+ };
+ script = ''
+ ${unlockExternalDrive}/bin/unlock_external_drive
+ '';
+ };
+
+ systemd.mounts = [
+ {
+ what = "${externalDriveData.mapperPath}";
+ where = "${externalDriveData.mountpoint}";
+ after = ["ext-drive-unlock.service"];
+ description = "Raspberry's External Encrypted Drive";
+ type = "btrfs";
+ options = "rw,compress=zstd";
+ mountConfig = {
+ LazyUnmount = true;
+ ForceUnmount = true;
+ };
+ }
+ ];
+}
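Review bot: The mount's `after = ["ext-drive-unlock.service"]` does not wait for the unlock to complete: `systemd.services.ext-drive-unlock` sets no `Type`, so it defaults to `simple` and counts as started as soon as the script is spawned, and `after` without `requires`/`wants` does not pull the service in at all, so the mount can race `cryptsetup open` or run with the mapper absent. Adding `Type = "oneshot"; RemainAfterExit = true;` to `serviceConfig` and `requires = ["ext-drive-unlock.service"];` to the mount entry makes both the ordering and the dependency explicit. The `unlock_external_drive` script also runs without `set -euo pipefail`, so a failed `cat /root/.vault-token` or `vault kv get` still lets whatever reaches the pipe (e.g. `null` from `jq`) flow into `cryptsetup open`; putting `set -euo pipefail` as the script's first line would make that fail loudly instead of masking it. `vault-login || true` is called before `VAULT_ADDR` is exported and, unlike `jq`/`vault`/`cryptsetup`, is not pinned to a store path (nor is `base64`), so if it is meant to perform the login it is probably ineffective here — worth confirming what that command is and whether the `|| true` is intended.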