add encrypted usb and move paths to data files

hosts/lappy/hardware.nix

@@ -1,8 +1,7 @@
 { pkgs, ... }:
 let
-  usb_label = "my_usb";
-  encrypted_root_partlabel = "nixos_encrypted";
-  unencrypted_root_uuid = "";
+  usb_data = import ./hardware/usb_data.nix {};
+  ssd_data = import ./hardware/ssd_data.nix {};
 in {
   boot = {
     loader = {
@@ -29,33 +28,39 @@ in {
   
 
   initrd.postDeviceCommands = pkgs.lib.mkBefore ''
-    mkdir -m 0755 -p /key
-    while !(findfs LABEL=${usb_label})
+    mkdir -m 0755 -p ${usb_data.mountpoint}
+
+    while !(test -b ${usb_data.encrypted_path})
     do
       echo "Please Plug In USB"
       sleep 1
     done
-    mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
+
+    echo "Please Decrypt USB"
+
+    cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
+
+    mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
   '';
 
-  initrd.luks.devices."cryptroot".device =
-    "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
-
-  initrd.luks.devices."cryptroot" = {
-    keyFile = "/key/encryption-keys/lappy.key";
-    preLVM = false;
-    allowDiscards = true;
+  initrd.luks.devices = {
+    "${ssd_data.root_mapper_name}" = {
+      device = "${ssd_data.encrypted_root_path}";
+      keyFile = "${usb_data.lappy_encryption_key_path}";
+      preLVM = false;
+      allowDiscards = true;
+    };
   };
 };
 
   fileSystems = {
     "/" = {
-      device = "/dev/mapper/cryptroot";
-      fsType = "ext4";
+      device = "${ssd_data.decrypted_root_path}";
+      fsType = "${ssd_data.unencrypted_root_fs_type}";
     };
     "/boot" = {
-      device = "/dev/disk/by-label/nixboot";
-      fsType = "vfat";
+      device = "${ssd_data.boot_path}";
+      fsType = "${ssd_data.boot_fs_type}";
     };
   };
 

hosts/lappy/hardware/ssd_data.nix

@@ -0,0 +1,23 @@
+{}: rec {
+    # Mountpoints
+    root_mountpoint = "/";
+    boot_mountpoint = "/boot";
+
+    # Partition Labels
+    boot_label = "nixboot";
+    encrypted_root_partlabel = "nixos_encrypted";
+
+    # Partition Filesystems
+    unencrypted_root_fs_type = "ext4";
+    boot_fs_type = "vfat";
+
+    # Mapper Name
+    root_mapper_name = "cryptroot";
+
+    # FS Paths
+    encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
+    decrypted_root_path = "/dev/mapper/${root_mapper_name}";
+
+    boot_path = "/dev/disk/by-label/${boot_label}";
+
+}

hosts/lappy/hardware/usb_data.nix

@@ -0,0 +1,24 @@
+{...}: rec {
+    # Mountpoints
+    mountpoint = "/usb";
+
+    # Partition Labels
+    encrypted_partlabel = "usb";
+    unencrypted_label = "usb_unencrypted";
+
+    # Partition Filesystems
+    unencrypted_fs_type = "ext4";
+
+    # Mapper Information
+    mapper_name = "usb_unencrypted";
+
+    # FS Paths
+    encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}";
+    unencrypted_path = "/dev/disk/by-label/${unencrypted_label}";
+    mapper_path = "/dev/mapper/${mapper_name}";
+
+
+    # Paths to some important files
+    lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
+
+}

hosts/lappy/lappy.nix

@@ -9,7 +9,7 @@
     #profiles.printing
     profiles.sshd
 
-    hosts.lappy.profiles.usb-automount
+    #hosts.lappy.profiles.usb-automount
 
     # required for dualsense controller
     profiles.kernels.latest
@@ -80,21 +80,25 @@
     intel-media-driver
   ];
 
-
-  services.getty.extraArgs =
-    [ "--skip-login" "--login-options" "chaos" ];
+  services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ];
 
   networking.firewall.enable = true;
   # let vscode, vivaldi, etc work.
   security.unprivilegedUsernsClone = true;
 
+  nix.settings.auto-optimise-store = true;
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 4d";
+  };
+
   networking.hostName = "lappy";
   time.timeZone = "Europe/London";
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 
   services.fstrim.enable = true;
 
-
   system.stateVersion = "21.11";
 }