run formatter

chaos 2024-03-10 18:29:49 +00:00
parent dd4bc277d1
commit 937a5df23f
No known key found for this signature in database
5 changed files with 187 additions and 180 deletions


@ -5,47 +5,48 @@
writeShellApplication, writeShellApplication,
}: let }: let
encryptedUSBData = import ../data/drives/encryptedUSB.nix; encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in writeShellApplication { in
name = "mk-enc-usb"; writeShellApplication {
runtimeInputs = [ name = "mk-enc-usb";
parted runtimeInputs = [
cryptsetup parted
e2fsprogs cryptsetup
]; e2fsprogs
text = '' ];
if [ -z "''${1-}" ]; then text = ''
echo "Please specify a path to device as first argument" if [ -z "''${1-}" ]; then
exit 1 echo "Please specify a path to device as first argument"
fi exit 1
fi
# e.g /dev/sdb # e.g /dev/sdb
USB_DEVICE=$1 USB_DEVICE=$1
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Creating Encrypted USB." echo "Creating Encrypted USB."
echo "Creating Partitions..." echo "Creating Partitions..."
parted "$USB_DEVICE" -- mklabel gpt parted "$USB_DEVICE" -- mklabel gpt
parted "$USB_DEVICE" -- mkpart primary 0% 100% parted "$USB_DEVICE" -- mkpart primary 0% 100%
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${USB_DEVICE}1" cryptsetup luksFormat "''${USB_DEVICE}1"
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb" cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
echo "Making Encrypted Filesystem" echo "Making Encrypted Filesystem"
mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
echo "Closing Encrypted Partition" echo "Closing Encrypted Partition"
cryptsetup close "mk_enc_usb" cryptsetup close "mk_enc_usb"
# Do this now so that i can run the damn script with usb-automount and stop it trying to mount # Do this now so that i can run the damn script with usb-automount and stop it trying to mount
echo "Naming Partitions" echo "Naming Partitions"
parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel} parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
''; '';
} }


@ -6,80 +6,81 @@
writeShellApplication, writeShellApplication,
}: let }: let
driveData = import ../data/drives/encryptedDrive.nix; driveData = import ../data/drives/encryptedDrive.nix;
in writeShellApplication { in
name = "mk-encrypted-drive"; writeShellApplication {
runtimeInputs = [ name = "mk-encrypted-drive";
parted runtimeInputs = [
cryptsetup parted
e2fsprogs cryptsetup
dosfstools e2fsprogs
]; dosfstools
text = '' ];
if [ -z "''${BIOS-}" ]; then text = ''
echo "If making a drive for bios then you will need to set BIOS env variable" if [ -z "''${BIOS-}" ]; then
fi echo "If making a drive for bios then you will need to set BIOS env variable"
fi
if [ -z "''${PASSWORD_FILE-}" ]; then if [ -z "''${PASSWORD_FILE-}" ]; then
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE" echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
fi fi
if [ -z "''${1-}" ]; then if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument" echo "Please specify a path to device as first argument"
exit 1 exit 1
fi fi
if [ -z "''${2-}" ]; then if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument" echo "Please specify a path to key file as second argument"
exit 1 exit 1
fi fi
DRIVE_PATH=$1 DRIVE_PATH=$1
KEY_FILE=$2 KEY_FILE=$2
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p" PARTITION_SEPARATOR="p"
else else
PARTITION_SEPARATOR="" PARTITION_SEPARATOR=""
fi fi
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Creating Partitions..." echo "Creating Partitions..."
if [ -n "''${BIOS-}" ]; then if [ -n "''${BIOS-}" ]; then
# EFI Install # EFI Install
parted "$DRIVE_PATH" -- mklabel gpt parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 esp on parted "$DRIVE_PATH" -- set 1 esp on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}" parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}" parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
else else
parted "$DRIVE_PATH" -- mklabel gpt parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 boot on parted "$DRIVE_PATH" -- set 1 boot on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}" parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}" parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
fi fi
echo "Formatting boot partition" echo "Formatting boot partition"
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1" mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
if [ -n "''${PASSWORD_FILE-}" ]; then if [ -n "''${PASSWORD_FILE-}" ]; then
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE" cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
fi fi
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE" cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem" echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
echo "mount /dev/mapper/mk_encrypted_drive to install" echo "mount /dev/mapper/mk_encrypted_drive to install"
''; '';
} }


@ -5,63 +5,64 @@
writeShellApplication, writeShellApplication,
}: let }: let
externalDriveData = import ../data/drives/raspberryExternalDrive.nix; externalDriveData = import ../data/drives/raspberryExternalDrive.nix;
in writeShellApplication { in
name = "mk-raspberry-ext-drive"; writeShellApplication {
runtimeInputs = [ name = "mk-raspberry-ext-drive";
util-linux runtimeInputs = [
cryptsetup util-linux
btrfs-progs cryptsetup
]; btrfs-progs
text = '' ];
if [ -z "''${1-}" ]; then text = ''
echo "Please specify a path to device as first argument" if [ -z "''${1-}" ]; then
exit 1 echo "Please specify a path to device as first argument"
fi exit 1
fi
DRIVE_PATH=$1 DRIVE_PATH=$1
if [ -z "''${2-}" ]; then if [ -z "''${2-}" ]; then
echo "Please specify a key file to use" echo "Please specify a key file to use"
exit 1 exit 1
fi fi
KEY_FILE=$2 KEY_FILE=$2
if [ -z "''${3-}" ]; then if [ -z "''${3-}" ]; then
echo "Please specify a temp mountpoint to use" echo "Please specify a temp mountpoint to use"
exit 1 exit 1
fi fi
TEMP_MOUNTPOINT=$3 TEMP_MOUNTPOINT=$3
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Wiping Partitions..." echo "Wiping Partitions..."
wipefs --all "$DRIVE_PATH" wipefs --all "$DRIVE_PATH"
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}" cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE" cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Filesystem" echo "Formatting Encrypted Filesystem"
mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
echo "Mounting Partition" echo "Mounting Partition"
mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT" mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
echo "Creating Folders" echo "Creating Folders"
mkdir "$TEMP_MOUNTPOINT/backups" mkdir "$TEMP_MOUNTPOINT/backups"
mkdir "$TEMP_MOUNTPOINT/storage" mkdir "$TEMP_MOUNTPOINT/storage"
mkdir "$TEMP_MOUNTPOINT/extras" mkdir "$TEMP_MOUNTPOINT/extras"
echo "Unmounting" echo "Unmounting"
umount "$TEMP_MOUNTPOINT" umount "$TEMP_MOUNTPOINT"
echo "Closing mapper device" echo "Closing mapper device"
cryptsetup close "mk-raspberry-ext-drive" cryptsetup close "mk-raspberry-ext-drive"
''; '';
} }


@ -301,12 +301,13 @@ in rec {
mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null; mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null;
mkSecretsInitScriptWithName = cfg: name: let mkSecretsInitScriptWithName = cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-init" then "secrets-init"
else "secrets-init-${name}"; else "secrets-init-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in writeShellApplication { in
writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.packages; runtimeInputs = defaultPackages ++ cfg.packages;
text = scripts.initScript; text = scripts.initScript;
@ -314,37 +315,39 @@ in rec {
mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null; mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null;
mkSecretsCheckScriptWithName = cfg: name: let mkSecretsCheckScriptWithName = cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-check" then "secrets-check"
else "secrets-check-${name}"; else "secrets-check-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in writeShellApplication { in
writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.checkPackages; runtimeInputs = defaultPackages ++ cfg.checkPackages;
text = scripts.checkScript; text = scripts.checkScript;
}; };
genVaultPolicy = cfg: name: let genVaultPolicy = cfg: name: let
inherit (cfg) requiredVaultPaths; inherit (cfg) requiredVaultPaths;
policies = forEach requiredVaultPaths (policyConfig: let policies = forEach requiredVaultPaths (policyConfig: let
path = path =
if isString policyConfig if isString policyConfig
then policyConfig then policyConfig
else policyConfig.path; else policyConfig.path;
capabilities = capabilities =
if isString policyConfig if isString policyConfig
then ["read" "list"] then ["read" "list"]
else policyConfig.capabilities; else policyConfig.capabilities;
escapeString = str: "\"" + str + "\""; escapeString = str: "\"" + str + "\"";
in '' in ''
path "${path}" { path "${path}" {
capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}] capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
} }
''); '');
in toFile "vault-policy-${name}.hcl" '' in
toFile "vault-policy-${name}.hcl" ''
${concatStringsSep "\n" policies} ${concatStringsSep "\n" policies}
''; '';
} }


@ -202,10 +202,11 @@ in
(mergeAttrsList (forEach machinesWithContainers (machineName: let (mergeAttrsList (forEach machinesWithContainers (machineName: let
machine = machines.${machineName}; machine = machines.${machineName};
inherit (machine) containers; inherit (machine) containers;
in mergeAttrsList (forEach containers (containerName: { in
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName; mergeAttrsList (forEach containers (containerName: {
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName; "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
}))))) "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
})))))
]; ];
}) })
] ]