change how usb drive automount works

This commit is contained in:
Chaos 2022-12-14 10:08:14 +00:00
parent dc142e8471
commit 4b9263c54f
No known key found for this signature in database
2 changed files with 24 additions and 18 deletions


@ -20,6 +20,7 @@ in {
"cryptd" "cryptd"
]; ];
initrd.postDeviceCommands = pkgs.lib.mkBefore '' initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /keys
mkdir -m 0755 -p ${usb_data.mountpoint} mkdir -m 0755 -p ${usb_data.mountpoint}
while !(test -b ${usb_data.encrypted_path}) while !(test -b ${usb_data.encrypted_path})
@ -33,12 +34,18 @@ in {
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name} cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
umount -f ${usb_data.mountpoint}
cryptsetup close ${usb_data.mapper_name}
''; '';
initrd.luks.devices = { initrd.luks.devices = {
"${drive_data.root_mapper_name}" = { "${drive_data.root_mapper_name}" = {
device = "${drive_data.encrypted_root_path}"; device = "${drive_data.encrypted_root_path}";
keyFile = "${usb_data.encryption_keys_path}/${config.networking.hostName}.key"; keyFile = "/keys/${config.networking.hostName}.key";
preLVM = false; preLVM = false;
allowDiscards = true; allowDiscards = true;
}; };
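Review bot: The root LUKS key copied by the new `cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys` line is placed in a directory created with `mkdir -m 0755 -p /keys` and keeps whatever mode the initrd umask gives it; since this file now unlocks the root device via the changed `keyFile`, create the directory as `mkdir -m 0700 -p /keys` and follow the copy with `chmod 0600 /keys/${config.networking.hostName}.key`. The copy is also unchecked: if the key is not on the USB, `umount -f` and `cryptsetup close` still run and the failure only surfaces later when the root device is opened, so a `test -f /keys/${config.networking.hostName}.key || echo "root key not found on USB"` after the copy would make the cause visible (whether stage-1 runs these commands under `set -e` is not visible here). The `initrd.luks.devices` attribute set continues past the end of the hunk.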


@ -1,39 +1,38 @@
{pkgs, ...}: let {pkgs, ...}: let
usb_data = import ../data/usb_data.nix {}; usb_data = import ../data/usb_data.nix {};
mapper_name = "usb_unencrypted_afterboot"; enc_usb_mount = pkgs.writeShellScriptBin "enc_usb_mount" ''
mapper_path = "/dev/mapper/${mapper_name}"; set -x
mount_usb = pkgs.writeShellScriptBin "mount_usb" '' ${enc_usb_unmount}/bin/enc_usb_unmount
umount ${usb_data.mountpoint} || true cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}_afterboot -
cryptsetup close ${mapper_name} || true mount ${usb_data.mapper_path}_afterboot -o rw ${usb_data.mountpoint}
cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
mount ${mapper_path} -o rw ${usb_data.mountpoint}
''; '';
unmount_usb = pkgs.writeShellScriptBin "unmount_usb" '' enc_usb_unmount = pkgs.writeShellScriptBin "enc_usb_unmount" ''
set -x
umount -flR ${usb_data.mountpoint} || true umount -flR ${usb_data.mountpoint} || true
cryptsetup close ${mapper_name} || true cryptsetup close ${usb_data.mapper_name}_afterboot || true
''; '';
in { in {
environment.systemPackages = [mount_usb unmount_usb]; environment.systemPackages = [enc_usb_mount enc_usb_unmount];
systemd.tmpfiles.rules = ["d ${usb_data.mountpoint} - chaos root"]; systemd.tmpfiles.rules = ["d ${usb_data.mountpoint} - chaos root"];
systemd.services.usb-mount = { systemd.services.enc-usb-mount = {
path = [pkgs.util-linux pkgs.cryptsetup]; path = [pkgs.util-linux pkgs.cryptsetup];
wantedBy = ["multi-user.target"];
script = '' script = ''
${mount_usb}/bin/mount_usb ${enc_usb_mount}/bin/enc_usb_mount
''; '';
}; };
systemd.services.usb-unmount = { systemd.services.enc-usb-unmount = {
path = [pkgs.util-linux pkgs.cryptsetup]; path = [pkgs.util-linux pkgs.cryptsetup];
script = '' script = ''
${unmount_usb}/bin/unmount_usb ${enc_usb_unmount}/bin/enc_usb_unmount
''; '';
}; };
services.udev.extraRules = '' services.udev.extraRules = ''
ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service" ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-unmount.service"
''; '';
} }
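Review bot: `enc_usb_mount` has no failure handling — nothing in the script stops on error, so when the `cryptsetup luksOpen` line fails (wrong passphrase, unreadable `/secrets/usb_encryption_passphrase`, device not present) the following `mount ${usb_data.mapper_path}_afterboot -o rw ${usb_data.mountpoint}` still runs and the service only reports that secondary error; add `set -e` directly after `set -x` (`writeShellScriptBin` wraps the script in bash, so `set -euo pipefail` should also be fine). That mount line passes only `-o rw`; for removable media a defender would normally add `nosuid,nodev` (and `noexec` unless something on the drive must be executed), since whatever file system is on a plugged-in USB is untrusted input. `set -x` traces only the command text, so the piped passphrase is not written to the journal, but the device and mapper paths are logged on every plug event — fine if intended.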