more work on raspberry's drive
This commit is contained in:
chaos
parent
8f3cebb6b0
commit
cd961b33be
16
data/raspberry_ext_drive.nix
Normal file
16
data/raspberry_ext_drive.nix
Normal file
|
|
@ -0,0 +1,16 @@
|
||||||
|
{}: rec {
|
||||||
|
encrypted_label = "raspberry_encrypted";
|
||||||
|
unencrypted_label = "raspberry_drive";
|
||||||
|
|
||||||
|
mapper_name = "raspberry_external_drive";
|
||||||
|
|
||||||
|
mountpoint = "/external_drive";
|
||||||
|
|
||||||
|
backups_path = "${mountpoint}/backups";
|
||||||
|
storage_path = "${mountpoint}/storage";
|
||||||
|
extras_path = "${mountpoint}/extras";
|
||||||
|
|
||||||
|
encrypted_path = "/dev/disk/by-label/${encrypted_label}";
|
||||||
|
unencrypted_path = "/dev/disk/by-label/${unencrypted_label}";
|
||||||
|
mapper_path = "/dev/mapper/${mapper_name}";
|
||||||
|
}
|
||||||
35
extras/mk-raspberry-ext-drive.nix
Normal file
35
extras/mk-raspberry-ext-drive.nix
Normal file
|
|
@ -0,0 +1,35 @@
|
||||||
|
{
|
||||||
|
stdenv,
|
||||||
|
bash,
|
||||||
|
util-linux,
|
||||||
|
cryptsetup,
|
||||||
|
btrfs-progs,
|
||||||
|
}: let
|
||||||
|
external_drive_data = import ../data/raspberry_ext_drive.nix {};
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation {
|
||||||
|
name = "mk-raspberry-ext-drive";
|
||||||
|
src = ./mk-raspberry-ext-drive.sh;
|
||||||
|
unpackPhase = ''
|
||||||
|
for srcFile in $src; do
|
||||||
|
cp $srcFile $(stripHash $srcFile)
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
|
||||||
|
patchPhase = ''
|
||||||
|
substituteAllInPlace mk-raspberry-ext-drive.sh
|
||||||
|
substituteInPlace mk-raspberry-ext-drive.sh \
|
||||||
|
--replace "@util-linux@" "${util-linux}" \
|
||||||
|
--replace "@btrfs-progs@" "${btrfs-progs}" \
|
||||||
|
--replace "@cryptsetup@" "${cryptsetup}" \
|
||||||
|
--replace "@bash@" "${bash}" \
|
||||||
|
--replace "@ENCRYPTED_LABEL@" "${external_drive_data.encrypted_label}" \
|
||||||
|
--replace "@UNENCRYPTED_LABEL@" "${external_drive_data.unencrypted_label}"
|
||||||
|
'';
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/bin
|
||||||
|
cp mk-raspberry-ext-drive.sh $out/bin/mk-raspberry-ext-drive
|
||||||
|
chmod +x $out/bin/mk-raspberry-ext-drive
|
||||||
|
'';
|
||||||
|
}
|
||||||
65
extras/mk-raspberry-ext-drive.sh
Normal file
65
extras/mk-raspberry-ext-drive.sh
Normal file
|
|
@ -0,0 +1,65 @@
|
||||||
|
#! @bash@/bin/sh
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# e.g /dev/nvme0n1
|
||||||
|
DRIVE_PATH=$1
|
||||||
|
KEY_FILE=$2
|
||||||
|
TEMP_MOUNTPOINT=$3
|
||||||
|
|
||||||
|
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
|
||||||
|
PARTITION_SEPARATOR="p"
|
||||||
|
else
|
||||||
|
PARTITION_SEPARATOR=""
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$DRIVE_PATH" ]; then
|
||||||
|
echo "Please specify a path to device as first argument"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$KEY_FILE" ]; then
|
||||||
|
echo "Please specify a key file to use"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$TEMP_MOUNTPOINT" ]; then
|
||||||
|
echo "Please specify a temp mountpoint to use"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$EUID" -ne 0 ]; then
|
||||||
|
echo "Please run as root"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
# encrypted partition label
|
||||||
|
ENCRYPTED_LABEL=@ENCRYPTED_LABEL@
|
||||||
|
# unencrypted filesystem label
|
||||||
|
UNENCRYPTED_LABEL=@UNENCRYPTED_LABEL@
|
||||||
|
|
||||||
|
echo "Wiping Partitions..."
|
||||||
|
@util-linux@/bin/wipefs --all ${DRIVE_PATH}
|
||||||
|
|
||||||
|
echo "Creating Encrypted Partition"
|
||||||
|
@cryptsetup@/bin/cryptsetup luksFormat "${DRIVE_PATH}" --key-file "${KEY_FILE}" --label "${ENCRYPTED_LABEL}"
|
||||||
|
|
||||||
|
echo "Opening Encrypted Partition"
|
||||||
|
@cryptsetup@/bin/cryptsetup open "${DRIVE_PATH}" "mk-raspberry-ext-drive" --key-file "${KEY_FILE}"
|
||||||
|
|
||||||
|
echo "Formatting Encrypted Filesystem"
|
||||||
|
@btrfs-progs@/bin/mkfs.btrfs -L "${UNENCRYPTED_LABEL}" /dev/mapper/mk-raspberry-ext-drive
|
||||||
|
|
||||||
|
echo "Mounting Partition"
|
||||||
|
mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
|
||||||
|
|
||||||
|
echo "Creating Folders"
|
||||||
|
mkdir "$TEMP_MOUNTPOINT/backups"
|
||||||
|
mkdir "$TEMP_MOUNTPOINT/storage"
|
||||||
|
mkdir "$TEMP_MOUNTPOINT/extras"
|
||||||
|
|
||||||
|
echo "Unmounting"
|
||||||
|
umount "$TEMP_MOUNTPOINT"
|
||||||
|
|
||||||
|
echo "Closing mapper device"
|
||||||
|
@cryptsetup@/bin/cryptsetup close "mk-raspberry-ext-drive"
|
||||||
|
|
@ -19,5 +19,6 @@
|
||||||
mk-enc-usb
|
mk-enc-usb
|
||||||
mk-normal-enc-ssd
|
mk-normal-enc-ssd
|
||||||
mk-dual-enc-ssd
|
mk-dual-enc-ssd
|
||||||
|
mk-raspberry-ext-drive
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
44
hosts/raspberry/profiles/external-drive.nix
Normal file
44
hosts/raspberry/profiles/external-drive.nix
Normal file
|
|
@ -0,0 +1,44 @@
|
||||||
|
{pkgs, ...}: let
|
||||||
|
external_drive_data = import ../../../data/raspberry_ext_drive.nix {};
|
||||||
|
|
||||||
|
mount_external_drive = let
|
||||||
|
jq = "${pkgs.jq}/bin/jq";
|
||||||
|
vault = "${pkgs.vault-bin}/bin/vault";
|
||||||
|
cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
|
||||||
|
in
|
||||||
|
pkgs.writeShellScriptBin "mount_external_drive" ''
|
||||||
|
${unmount_external_drive}/bin/unmount_external_drive
|
||||||
|
|
||||||
|
vault-login
|
||||||
|
|
||||||
|
${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
|
||||||
|
| ${jq} -r ".data.data.key" \
|
||||||
|
| base64 -d \
|
||||||
|
| ${cryptsetup} open ${external_drive_data.encrypted_path} ${external_drive_data.mapper_name} --key-file=/dev/stdin
|
||||||
|
mount ${external_drive_data.mapper_path} -o rw,compress=zstd ${external_drive_data.mountpoint}
|
||||||
|
'';
|
||||||
|
|
||||||
|
unmount_external_drive = let
|
||||||
|
cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
|
||||||
|
in
|
||||||
|
pkgs.writeShellScriptBin "unmount_external_drive" ''
|
||||||
|
umount -flR ${external_drive_data.mountpoint} || true
|
||||||
|
${cryptsetup} close ${external_drive_data.mapper_name} || true
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
environment.systemPackages =
|
||||||
|
(with pkgs; [
|
||||||
|
cryptsetup
|
||||||
|
])
|
||||||
|
++ [
|
||||||
|
mount_external_drive
|
||||||
|
unmount_external_drive
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = ["d ${external_drive_data.mountpoint} - root root"];
|
||||||
|
|
||||||
|
# services.udev.extraRules = ''
|
||||||
|
# ACTION=="add", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
|
||||||
|
# ACTION=="remove", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
|
||||||
|
# '';
|
||||||
|
}
|
||||||
|
|
@ -1,25 +1,38 @@
|
||||||
{
|
{
|
||||||
tree,
|
tree,
|
||||||
modulesPath,
|
modulesPath,
|
||||||
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: let
|
||||||
imports = with tree; [
|
secrets = config.services.secrets.secrets;
|
||||||
users.root
|
in {
|
||||||
users.chaos
|
imports = with tree;
|
||||||
|
[
|
||||||
|
users.root
|
||||||
|
users.chaos
|
||||||
|
|
||||||
profiles.base
|
profiles.base
|
||||||
profiles.sshd
|
profiles.sshd
|
||||||
|
|
||||||
profiles.connectivity.network_manager
|
profiles.connectivity.network_manager
|
||||||
profiles.connectivity.bluetooth
|
profiles.connectivity.bluetooth
|
||||||
profiles.connectivity.ios
|
profiles.connectivity.ios
|
||||||
|
|
||||||
./secrets.nix
|
./secrets.nix
|
||||||
|
|
||||||
./boot.nix
|
./boot.nix
|
||||||
(modulesPath + "/installer/sd-card/sd-image.nix")
|
(modulesPath + "/installer/sd-card/sd-image.nix")
|
||||||
|
]
|
||||||
|
++ (with hosts.raspberry.profiles; [
|
||||||
|
external-drive
|
||||||
|
]);
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
(pkgs.writeShellScriptBin "vault-login" ''
|
||||||
|
${pkgs.vault-bin}/bin/vault login -method=userpass username=raspberry password=$(cat ${secrets.vault_login_password.path})
|
||||||
|
'')
|
||||||
];
|
];
|
||||||
|
|
||||||
home-manager.users.root = {
|
home-manager.users.root = {
|
||||||
|
|
|
||||||
|
|
@ -2,10 +2,17 @@
|
||||||
services.secrets = {
|
services.secrets = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secrets = {
|
secrets = {
|
||||||
|
# Used for fetching the encryption drive's key at runtime
|
||||||
|
# can be revoked in case of hardware theft
|
||||||
|
# Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
|
||||||
|
vault_login_password = {
|
||||||
|
manual = true;
|
||||||
|
};
|
||||||
|
|
||||||
home-wifi-password = {
|
home-wifi-password = {
|
||||||
user = "root";
|
user = "root";
|
||||||
group = "root";
|
group = "root";
|
||||||
permissions = "0600";
|
permissions = "600";
|
||||||
path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";
|
path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";
|
||||||
|
|
||||||
fetchScript = ''
|
fetchScript = ''
|
||||||
|
|
|
||||||
|
|
@ -69,6 +69,7 @@ in
|
||||||
mk-enc-usb
|
mk-enc-usb
|
||||||
mk-normal-enc-ssd
|
mk-normal-enc-ssd
|
||||||
mk-dual-enc-ssd
|
mk-dual-enc-ssd
|
||||||
|
mk-raspberry-ext-drive
|
||||||
]);
|
]);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -87,6 +88,10 @@ in
|
||||||
type = "app";
|
type = "app";
|
||||||
program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
|
program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
|
||||||
};
|
};
|
||||||
|
mk-raspberry-ext-drive = {
|
||||||
|
type = "app";
|
||||||
|
program = "${packages.mk-raspberry-ext-drive}/bin/mk-raspberry-ext-drive";
|
||||||
|
};
|
||||||
secrets-init-lappy-t495 = secretsInitAppForSystem "lappy-t495" packages;
|
secrets-init-lappy-t495 = secretsInitAppForSystem "lappy-t495" packages;
|
||||||
secrets-init-vault = secretsInitAppForSystem "vault" packages;
|
secrets-init-vault = secretsInitAppForSystem "vault" packages;
|
||||||
secrets-init-hetzner-vm = secretsInitAppForSystem "hetzner-vm" packages;
|
secrets-init-hetzner-vm = secretsInitAppForSystem "hetzner-vm" packages;
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ final: prev: {
|
||||||
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
|
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
|
||||||
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
|
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
|
||||||
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
|
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
|
||||||
|
mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
|
||||||
|
|
||||||
gotosocial = prev.gotosocial.overrideAttrs (_old: let
|
gotosocial = prev.gotosocial.overrideAttrs (_old: let
|
||||||
owner = "superseriousbusiness";
|
owner = "superseriousbusiness";
|
||||||
|
|
|
||||||
|
|
@ -11,5 +11,4 @@ HOSTNAME=$(hostname)
|
||||||
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
|
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
|
||||||
[ "${HOSTNAME}" != "hetzner-vm" ] && deploy -s ".#hetzner-vm" -- $@
|
[ "${HOSTNAME}" != "hetzner-vm" ] && deploy -s ".#hetzner-vm" -- $@
|
||||||
[ "${HOSTNAME}" != "vault" ] && deploy -s ".#vault" -- $@
|
[ "${HOSTNAME}" != "vault" ] && deploy -s ".#vault" -- $@
|
||||||
[ "${HOSTNAME}" != "buildbox" ] && deploy -s ".#buildbox" -- $@
|
[ "${HOSTNAME}" != "raspberry" ] && nixos-rebuild --flake .#raspberry --target-host root@192.168.0.203 $@
|
||||||
|
|
||||||
Loading…
Reference in a new issue