run formatter
parent
dd4bc277d1
commit
937a5df23f
|
@ -5,47 +5,48 @@
|
|||
writeShellApplication,
|
||||
}: let
|
||||
encryptedUSBData = import ../data/drives/encryptedUSB.nix;
|
||||
in writeShellApplication {
|
||||
name = "mk-enc-usb";
|
||||
runtimeInputs = [
|
||||
parted
|
||||
cryptsetup
|
||||
e2fsprogs
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
in
|
||||
writeShellApplication {
|
||||
name = "mk-enc-usb";
|
||||
runtimeInputs = [
|
||||
parted
|
||||
cryptsetup
|
||||
e2fsprogs
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# e.g /dev/sdb
|
||||
USB_DEVICE=$1
|
||||
# e.g /dev/sdb
|
||||
USB_DEVICE=$1
|
||||
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
|
||||
echo "Creating Encrypted USB."
|
||||
echo "Creating Encrypted USB."
|
||||
|
||||
echo "Creating Partitions..."
|
||||
parted "$USB_DEVICE" -- mklabel gpt
|
||||
parted "$USB_DEVICE" -- mkpart primary 0% 100%
|
||||
echo "Creating Partitions..."
|
||||
parted "$USB_DEVICE" -- mklabel gpt
|
||||
parted "$USB_DEVICE" -- mkpart primary 0% 100%
|
||||
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "''${USB_DEVICE}1"
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "''${USB_DEVICE}1"
|
||||
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
|
||||
|
||||
echo "Making Encrypted Filesystem"
|
||||
mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
|
||||
echo "Making Encrypted Filesystem"
|
||||
mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
|
||||
|
||||
echo "Closing Encrypted Partition"
|
||||
cryptsetup close "mk_enc_usb"
|
||||
echo "Closing Encrypted Partition"
|
||||
cryptsetup close "mk_enc_usb"
|
||||
|
||||
# Do this now so that i can run the damn script with usb-automount and stop it trying to mount
|
||||
echo "Naming Partitions"
|
||||
parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
|
||||
'';
|
||||
}
|
||||
# Do this now so that i can run the damn script with usb-automount and stop it trying to mount
|
||||
echo "Naming Partitions"
|
||||
parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -6,80 +6,81 @@
|
|||
writeShellApplication,
|
||||
}: let
|
||||
driveData = import ../data/drives/encryptedDrive.nix;
|
||||
in writeShellApplication {
|
||||
name = "mk-encrypted-drive";
|
||||
runtimeInputs = [
|
||||
parted
|
||||
cryptsetup
|
||||
e2fsprogs
|
||||
dosfstools
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${BIOS-}" ]; then
|
||||
echo "If making a drive for bios then you will need to set BIOS env variable"
|
||||
fi
|
||||
in
|
||||
writeShellApplication {
|
||||
name = "mk-encrypted-drive";
|
||||
runtimeInputs = [
|
||||
parted
|
||||
cryptsetup
|
||||
e2fsprogs
|
||||
dosfstools
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${BIOS-}" ]; then
|
||||
echo "If making a drive for bios then you will need to set BIOS env variable"
|
||||
fi
|
||||
|
||||
if [ -z "''${PASSWORD_FILE-}" ]; then
|
||||
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
|
||||
fi
|
||||
if [ -z "''${PASSWORD_FILE-}" ]; then
|
||||
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
|
||||
fi
|
||||
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "''${2-}" ]; then
|
||||
echo "Please specify a path to key file as second argument"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "''${2-}" ]; then
|
||||
echo "Please specify a path to key file as second argument"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DRIVE_PATH=$1
|
||||
KEY_FILE=$2
|
||||
DRIVE_PATH=$1
|
||||
KEY_FILE=$2
|
||||
|
||||
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
|
||||
PARTITION_SEPARATOR="p"
|
||||
else
|
||||
PARTITION_SEPARATOR=""
|
||||
fi
|
||||
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
|
||||
PARTITION_SEPARATOR="p"
|
||||
else
|
||||
PARTITION_SEPARATOR=""
|
||||
fi
|
||||
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
|
||||
echo "Creating Partitions..."
|
||||
if [ -n "''${BIOS-}" ]; then
|
||||
# EFI Install
|
||||
parted "$DRIVE_PATH" -- mklabel gpt
|
||||
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
|
||||
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
|
||||
parted "$DRIVE_PATH" -- set 1 esp on
|
||||
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
|
||||
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
|
||||
else
|
||||
parted "$DRIVE_PATH" -- mklabel gpt
|
||||
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
|
||||
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
|
||||
parted "$DRIVE_PATH" -- set 1 boot on
|
||||
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
|
||||
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
|
||||
fi
|
||||
echo "Creating Partitions..."
|
||||
if [ -n "''${BIOS-}" ]; then
|
||||
# EFI Install
|
||||
parted "$DRIVE_PATH" -- mklabel gpt
|
||||
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
|
||||
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
|
||||
parted "$DRIVE_PATH" -- set 1 esp on
|
||||
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
|
||||
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
|
||||
else
|
||||
parted "$DRIVE_PATH" -- mklabel gpt
|
||||
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
|
||||
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
|
||||
parted "$DRIVE_PATH" -- set 1 boot on
|
||||
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
|
||||
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
|
||||
fi
|
||||
|
||||
echo "Formatting boot partition"
|
||||
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
|
||||
echo "Formatting boot partition"
|
||||
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
|
||||
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
|
||||
if [ -n "''${PASSWORD_FILE-}" ]; then
|
||||
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
|
||||
fi
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
|
||||
if [ -n "''${PASSWORD_FILE-}" ]; then
|
||||
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
|
||||
fi
|
||||
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
|
||||
|
||||
echo "Formatting Encrypted Root Filesystem"
|
||||
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
|
||||
echo "Formatting Encrypted Root Filesystem"
|
||||
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
|
||||
|
||||
echo "mount /dev/mapper/mk_encrypted_drive to install"
|
||||
'';
|
||||
}
|
||||
echo "mount /dev/mapper/mk_encrypted_drive to install"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -5,63 +5,64 @@
|
|||
writeShellApplication,
|
||||
}: let
|
||||
externalDriveData = import ../data/drives/raspberryExternalDrive.nix;
|
||||
in writeShellApplication {
|
||||
name = "mk-raspberry-ext-drive";
|
||||
runtimeInputs = [
|
||||
util-linux
|
||||
cryptsetup
|
||||
btrfs-progs
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
in
|
||||
writeShellApplication {
|
||||
name = "mk-raspberry-ext-drive";
|
||||
runtimeInputs = [
|
||||
util-linux
|
||||
cryptsetup
|
||||
btrfs-progs
|
||||
];
|
||||
text = ''
|
||||
if [ -z "''${1-}" ]; then
|
||||
echo "Please specify a path to device as first argument"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DRIVE_PATH=$1
|
||||
DRIVE_PATH=$1
|
||||
|
||||
if [ -z "''${2-}" ]; then
|
||||
echo "Please specify a key file to use"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "''${2-}" ]; then
|
||||
echo "Please specify a key file to use"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
KEY_FILE=$2
|
||||
KEY_FILE=$2
|
||||
|
||||
if [ -z "''${3-}" ]; then
|
||||
echo "Please specify a temp mountpoint to use"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "''${3-}" ]; then
|
||||
echo "Please specify a temp mountpoint to use"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP_MOUNTPOINT=$3
|
||||
TEMP_MOUNTPOINT=$3
|
||||
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
echo "Wiping Partitions..."
|
||||
wipefs --all "$DRIVE_PATH"
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
echo "Wiping Partitions..."
|
||||
wipefs --all "$DRIVE_PATH"
|
||||
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
|
||||
echo "Creating Encrypted Partition"
|
||||
cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
|
||||
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
|
||||
echo "Opening Encrypted Partition"
|
||||
cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
|
||||
|
||||
echo "Formatting Encrypted Filesystem"
|
||||
mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
|
||||
echo "Formatting Encrypted Filesystem"
|
||||
mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
|
||||
|
||||
echo "Mounting Partition"
|
||||
mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
|
||||
echo "Mounting Partition"
|
||||
mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
|
||||
|
||||
echo "Creating Folders"
|
||||
mkdir "$TEMP_MOUNTPOINT/backups"
|
||||
mkdir "$TEMP_MOUNTPOINT/storage"
|
||||
mkdir "$TEMP_MOUNTPOINT/extras"
|
||||
echo "Creating Folders"
|
||||
mkdir "$TEMP_MOUNTPOINT/backups"
|
||||
mkdir "$TEMP_MOUNTPOINT/storage"
|
||||
mkdir "$TEMP_MOUNTPOINT/extras"
|
||||
|
||||
echo "Unmounting"
|
||||
umount "$TEMP_MOUNTPOINT"
|
||||
echo "Unmounting"
|
||||
umount "$TEMP_MOUNTPOINT"
|
||||
|
||||
echo "Closing mapper device"
|
||||
cryptsetup close "mk-raspberry-ext-drive"
|
||||
'';
|
||||
}
|
||||
echo "Closing mapper device"
|
||||
cryptsetup close "mk-raspberry-ext-drive"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -301,12 +301,13 @@ in rec {
|
|||
|
||||
mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null;
|
||||
mkSecretsInitScriptWithName = cfg: name: let
|
||||
scriptName =
|
||||
if name == null
|
||||
then "secrets-init"
|
||||
else "secrets-init-${name}";
|
||||
scripts = genScripts cfg;
|
||||
in writeShellApplication {
|
||||
scriptName =
|
||||
if name == null
|
||||
then "secrets-init"
|
||||
else "secrets-init-${name}";
|
||||
scripts = genScripts cfg;
|
||||
in
|
||||
writeShellApplication {
|
||||
name = scriptName;
|
||||
runtimeInputs = defaultPackages ++ cfg.packages;
|
||||
text = scripts.initScript;
|
||||
|
@ -314,37 +315,39 @@ in rec {
|
|||
|
||||
mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null;
|
||||
mkSecretsCheckScriptWithName = cfg: name: let
|
||||
scriptName =
|
||||
if name == null
|
||||
then "secrets-check"
|
||||
else "secrets-check-${name}";
|
||||
scripts = genScripts cfg;
|
||||
in writeShellApplication {
|
||||
scriptName =
|
||||
if name == null
|
||||
then "secrets-check"
|
||||
else "secrets-check-${name}";
|
||||
scripts = genScripts cfg;
|
||||
in
|
||||
writeShellApplication {
|
||||
name = scriptName;
|
||||
runtimeInputs = defaultPackages ++ cfg.checkPackages;
|
||||
text = scripts.checkScript;
|
||||
};
|
||||
|
||||
genVaultPolicy = cfg: name: let
|
||||
inherit (cfg) requiredVaultPaths;
|
||||
inherit (cfg) requiredVaultPaths;
|
||||
|
||||
policies = forEach requiredVaultPaths (policyConfig: let
|
||||
path =
|
||||
if isString policyConfig
|
||||
then policyConfig
|
||||
else policyConfig.path;
|
||||
capabilities =
|
||||
if isString policyConfig
|
||||
then ["read" "list"]
|
||||
else policyConfig.capabilities;
|
||||
policies = forEach requiredVaultPaths (policyConfig: let
|
||||
path =
|
||||
if isString policyConfig
|
||||
then policyConfig
|
||||
else policyConfig.path;
|
||||
capabilities =
|
||||
if isString policyConfig
|
||||
then ["read" "list"]
|
||||
else policyConfig.capabilities;
|
||||
|
||||
escapeString = str: "\"" + str + "\"";
|
||||
in ''
|
||||
path "${path}" {
|
||||
capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
|
||||
}
|
||||
'');
|
||||
in toFile "vault-policy-${name}.hcl" ''
|
||||
escapeString = str: "\"" + str + "\"";
|
||||
in ''
|
||||
path "${path}" {
|
||||
capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
|
||||
}
|
||||
'');
|
||||
in
|
||||
toFile "vault-policy-${name}.hcl" ''
|
||||
${concatStringsSep "\n" policies}
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -202,10 +202,11 @@ in
|
|||
(mergeAttrsList (forEach machinesWithContainers (machineName: let
|
||||
machine = machines.${machineName};
|
||||
inherit (machine) containers;
|
||||
in mergeAttrsList (forEach containers (containerName: {
|
||||
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
|
||||
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
|
||||
})))))
|
||||
in
|
||||
mergeAttrsList (forEach containers (containerName: {
|
||||
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
|
||||
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
|
||||
})))))
|
||||
];
|
||||
})
|
||||
]
|
||||
|
|