diff --git a/extras/mk-enc-usb.nix b/extras/mk-enc-usb.nix
index 8fbe61f..0a1c248 100644
--- a/extras/mk-enc-usb.nix
+++ b/extras/mk-enc-usb.nix
@@ -5,47 +5,48 @@
 writeShellApplication,
 }: let
 encryptedUSBData = import ../data/drives/encryptedUSB.nix;
-in writeShellApplication {
- name = "mk-enc-usb";
- runtimeInputs = [
- parted
- cryptsetup
- e2fsprogs
- ];
- text = ''
- if [ -z "''${1-}" ]; then
- echo "Please specify a path to device as first argument"
- exit 1
- fi
+in
+ writeShellApplication {
+ name = "mk-enc-usb";
+ runtimeInputs = [
+ parted
+ cryptsetup
+ e2fsprogs
+ ];
+ text = ''
+ if [ -z "''${1-}" ]; then
+ echo "Please specify a path to device as first argument"
+ exit 1
+ fi
- # e.g /dev/sdb
- USB_DEVICE=$1
+ # e.g /dev/sdb
+ USB_DEVICE=$1
- if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit
- fi
+ if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit
+ fi
- echo "Creating Encrypted USB."
+ echo "Creating Encrypted USB."
- echo "Creating Partitions..."
- parted "$USB_DEVICE" -- mklabel gpt
- parted "$USB_DEVICE" -- mkpart primary 0% 100%
+ echo "Creating Partitions..."
+ parted "$USB_DEVICE" -- mklabel gpt
+ parted "$USB_DEVICE" -- mkpart primary 0% 100%
- echo "Creating Encrypted Partition"
- cryptsetup luksFormat "''${USB_DEVICE}1"
+ echo "Creating Encrypted Partition"
+ cryptsetup luksFormat "''${USB_DEVICE}1"
- echo "Opening Encrypted Partition"
- cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
+ echo "Opening Encrypted Partition"
+ cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
- echo "Making Encrypted Filesystem"
- mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
+ echo "Making Encrypted Filesystem"
+ mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
- echo "Closing Encrypted Partition"
- cryptsetup close "mk_enc_usb"
+ echo "Closing Encrypted Partition"
+ cryptsetup close "mk_enc_usb"
- # Do this now so that i can run the damn script with usb-automount and stop it trying to mount
- echo "Naming Partitions"
- parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
- '';
-}
+ # Do this now so that i can run the damn script with usb-automount and stop it trying to mount
+ echo "Naming Partitions"
+ parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
+ '';
+ }
diff --git a/extras/mk-encrypted-drive.nix b/extras/mk-encrypted-drive.nix
index b0d4f44..7235a93 100644
--- a/extras/mk-encrypted-drive.nix
+++ b/extras/mk-encrypted-drive.nix
@@ -6,80 +6,81 @@
 writeShellApplication,
 }: let
 driveData = import ../data/drives/encryptedDrive.nix;
-in writeShellApplication {
- name = "mk-encrypted-drive";
- runtimeInputs = [
- parted
- cryptsetup
- e2fsprogs
- dosfstools
- ];
- text = ''
- if [ -z "''${BIOS-}" ]; then
- echo "If making a drive for bios then you will need to set BIOS env variable"
- fi
+in
+ writeShellApplication {
+ name = "mk-encrypted-drive";
+ runtimeInputs = [
+ parted
+ cryptsetup
+ e2fsprogs
+ dosfstools
+ ];
+ text = ''
+ if [ -z "''${BIOS-}" ]; then
+ echo "If making a drive for bios then you will need to set BIOS env variable"
+ fi
- if [ -z "''${PASSWORD_FILE-}" ]; then
- echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
- fi
+ if [ -z "''${PASSWORD_FILE-}" ]; then
+ echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
+ fi
- if [ -z "''${1-}" ]; then
- echo "Please specify a path to device as first argument"
- exit 1
- fi
+ if [ -z "''${1-}" ]; then
+ echo "Please specify a path to device as first argument"
+ exit 1
+ fi
- if [ -z "''${2-}" ]; then
- echo "Please specify a path to key file as second argument"
- exit 1
- fi
+ if [ -z "''${2-}" ]; then
+ echo "Please specify a path to key file as second argument"
+ exit 1
+ fi
- DRIVE_PATH=$1
- KEY_FILE=$2
+ DRIVE_PATH=$1
+ KEY_FILE=$2
- if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
- PARTITION_SEPARATOR="p"
- else
- PARTITION_SEPARATOR=""
- fi
+ if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
+ PARTITION_SEPARATOR="p"
+ else
+ PARTITION_SEPARATOR=""
+ fi
- if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit
- fi
+ if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit
+ fi
- echo "Creating Partitions..."
- if [ -n "''${BIOS-}" ]; then
- # EFI Install
- parted "$DRIVE_PATH" -- mklabel gpt
- parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
- parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
- parted "$DRIVE_PATH" -- set 1 esp on
- parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
- parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
- else
- parted "$DRIVE_PATH" -- mklabel gpt
- parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
- parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
- parted "$DRIVE_PATH" -- set 1 boot on
- parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
- parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
- fi
+ echo "Creating Partitions..."
+ if [ -n "''${BIOS-}" ]; then
+ # EFI Install
+ parted "$DRIVE_PATH" -- mklabel gpt
+ parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
+ parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
+ parted "$DRIVE_PATH" -- set 1 esp on
+ parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
+ parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
+ else
+ parted "$DRIVE_PATH" -- mklabel gpt
+ parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
+ parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
+ parted "$DRIVE_PATH" -- set 1 boot on
+ parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
+ parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
+ fi
- echo "Formatting boot partition"
- mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
+ echo "Formatting boot partition"
+ mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
- echo "Creating Encrypted Partition"
- cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
- if [ -n "''${PASSWORD_FILE-}" ]; then
- cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
- fi
+ echo "Creating Encrypted Partition"
+ cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
+ if [ -n "''${PASSWORD_FILE-}" ]; then
+ cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
+ fi
- echo "Opening Encrypted Partition"
- cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
+ echo "Opening Encrypted Partition"
+ cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
- echo "Formatting Encrypted Root Filesystem"
- mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
+ echo "Formatting Encrypted Root Filesystem"
+ mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
- echo "mount /dev/mapper/mk_encrypted_drive to install"
- '';
-}
+ echo "mount /dev/mapper/mk_encrypted_drive to install"
+ '';
+ }
diff --git a/extras/mk-raspberry-ext-drive.nix b/extras/mk-raspberry-ext-drive.nix
index 36aa797..6a7d90a 100644
--- a/extras/mk-raspberry-ext-drive.nix
+++ b/extras/mk-raspberry-ext-drive.nix
@@ -5,63 +5,64 @@
 writeShellApplication,
 }: let
 externalDriveData = import ../data/drives/raspberryExternalDrive.nix;
-in writeShellApplication {
- name = "mk-raspberry-ext-drive";
- runtimeInputs = [
- util-linux
- cryptsetup
- btrfs-progs
- ];
- text = ''
- if [ -z "''${1-}" ]; then
- echo "Please specify a path to device as first argument"
- exit 1
- fi
+in
+ writeShellApplication {
+ name = "mk-raspberry-ext-drive";
+ runtimeInputs = [
+ util-linux
+ cryptsetup
+ btrfs-progs
+ ];
+ text = ''
+ if [ -z "''${1-}" ]; then
+ echo "Please specify a path to device as first argument"
+ exit 1
+ fi
- DRIVE_PATH=$1
+ DRIVE_PATH=$1
- if [ -z "''${2-}" ]; then
- echo "Please specify a key file to use"
- exit 1
- fi
+ if [ -z "''${2-}" ]; then
+ echo "Please specify a key file to use"
+ exit 1
+ fi
- KEY_FILE=$2
+ KEY_FILE=$2
- if [ -z "''${3-}" ]; then
- echo "Please specify a temp mountpoint to use"
- exit 1
- fi
+ if [ -z "''${3-}" ]; then
+ echo "Please specify a temp mountpoint to use"
+ exit 1
+ fi
- TEMP_MOUNTPOINT=$3
+ TEMP_MOUNTPOINT=$3
- if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit
- fi
- echo "Wiping Partitions..."
- wipefs --all "$DRIVE_PATH"
+ if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit
+ fi
+ echo "Wiping Partitions..."
+ wipefs --all "$DRIVE_PATH"
- echo "Creating Encrypted Partition"
- cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
+ echo "Creating Encrypted Partition"
+ cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
- echo "Opening Encrypted Partition"
- cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
+ echo "Opening Encrypted Partition"
+ cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
- echo "Formatting Encrypted Filesystem"
- mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
+ echo "Formatting Encrypted Filesystem"
+ mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
- echo "Mounting Partition"
- mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
+ echo "Mounting Partition"
+ mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
- echo "Creating Folders"
- mkdir "$TEMP_MOUNTPOINT/backups"
- mkdir "$TEMP_MOUNTPOINT/storage"
- mkdir "$TEMP_MOUNTPOINT/extras"
+ echo "Creating Folders"
+ mkdir "$TEMP_MOUNTPOINT/backups"
+ mkdir "$TEMP_MOUNTPOINT/storage"
+ mkdir "$TEMP_MOUNTPOINT/extras"
- echo "Unmounting"
- umount "$TEMP_MOUNTPOINT"
+ echo "Unmounting"
+ umount "$TEMP_MOUNTPOINT"
- echo "Closing mapper device"
- cryptsetup close "mk-raspberry-ext-drive"
- '';
-}
+ echo "Closing mapper device"
+ cryptsetup close "mk-raspberry-ext-drive"
+ '';
+ }
diff --git a/modules/nixos/secretsLib/lib.nix b/modules/nixos/secretsLib/lib.nix
index ea54a61..1feafaf 100644
--- a/modules/nixos/secretsLib/lib.nix
+++ b/modules/nixos/secretsLib/lib.nix
@@ -301,12 +301,13 @@ in rec {
 mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null;
 mkSecretsInitScriptWithName = cfg: name: let
- scriptName =
- if name == null
- then "secrets-init"
- else "secrets-init-${name}";
- scripts = genScripts cfg;
- in writeShellApplication {
+ scriptName =
+ if name == null
+ then "secrets-init"
+ else "secrets-init-${name}";
+ scripts = genScripts cfg;
+ in
+ writeShellApplication {
 name = scriptName;
 runtimeInputs = defaultPackages ++ cfg.packages;
 text = scripts.initScript;
@@ -314,37 +315,39 @@ in rec {
 mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null;
 mkSecretsCheckScriptWithName = cfg: name: let
- scriptName =
- if name == null
- then "secrets-check"
- else "secrets-check-${name}";
- scripts = genScripts cfg;
- in writeShellApplication {
+ scriptName =
+ if name == null
+ then "secrets-check"
+ else "secrets-check-${name}";
+ scripts = genScripts cfg;
+ in
+ writeShellApplication {
 name = scriptName;
 runtimeInputs = defaultPackages ++ cfg.checkPackages;
 text = scripts.checkScript;
 };
 genVaultPolicy = cfg: name: let
- inherit (cfg) requiredVaultPaths;
+ inherit (cfg) requiredVaultPaths;
- policies = forEach requiredVaultPaths (policyConfig: let
- path =
- if isString policyConfig
- then policyConfig
- else policyConfig.path;
- capabilities =
- if isString policyConfig
- then ["read" "list"]
- else policyConfig.capabilities;
+ policies = forEach requiredVaultPaths (policyConfig: let
+ path =
+ if isString policyConfig
+ then policyConfig
+ else policyConfig.path;
+ capabilities =
+ if isString policyConfig
+ then ["read" "list"]
+ else policyConfig.capabilities;
- escapeString = str: "\"" + str + "\"";
- in ''
- path "${path}" {
- capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
- }
- '');
- in toFile "vault-policy-${name}.hcl" ''
+ escapeString = str: "\"" + str + "\"";
+ in ''
+ path "${path}" {
+ capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
+ }
+ '');
+ in
+ toFile "vault-policy-${name}.hcl" ''
 ${concatStringsSep "\n" policies}
 '';
 }
diff --git a/outputs.nix b/outputs.nix
index 66a1e33..9870e03 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -202,10 +202,11 @@ in (mergeAttrsList (forEach machinesWithContainers (machineName: let
 machine = machines.${machineName};
 inherit (machine) containers;
- in mergeAttrsList (forEach containers (containerName: {
- "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
- "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
- })))))
+ in
+ mergeAttrsList (forEach containers (containerName: {
+ "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
+ "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
+ })))))
 ];
 })
 ]