diff --git a/home/base/zsh.nix b/home/base/zsh.nix index 8f97be3..a6d3ed4 100644 --- a/home/base/zsh.nix +++ b/home/base/zsh.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +let usb_data = import ../../hosts/lappy/hardware/usb_data.nix { }; +in { home.packages = with pkgs; [ exa bat ripgrep vault age ]; programs.zsh = { enable = true; @@ -22,8 +24,8 @@ log = "journalctl"; dmesg = "dmesg -HP"; hg = "history 0 | rg"; - chaos_age = "age -i /usb/age-keys/chaoskey.priv"; - chaos_pub = "cat /usb/age-keys/chaoskey.pub"; + chaos_age = "age -i ${usb_data.chaos_age_privkey_path}"; + chaos_pub = "cat ${usb_data.chaos_age_pubkey_path}"; }; envExtra = '' export VAULT_ADDR="https://vault.owo.monster" diff --git a/hosts/lappy/hardware/usb_data.nix b/hosts/lappy/hardware/usb_data.nix index 083b377..98a5f3a 100644 --- a/hosts/lappy/hardware/usb_data.nix +++ b/hosts/lappy/hardware/usb_data.nix @@ -20,4 +20,9 @@ # Paths to some important files lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key"; + chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv"; + chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub"; + + ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv"; + ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub"; } diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix index 03210ff..6e76182 100644 --- a/hosts/lappy/lappy.nix +++ b/hosts/lappy/lappy.nix @@ -1,6 +1,6 @@ { tree, config, pkgs, lib, ... }: - -{ +let usb_data = import ./hardware/usb_data.nix { }; +in { imports = with tree; [ users.root users.chaos @@ -9,7 +9,7 @@ #profiles.printing profiles.sshd - #hosts.lappy.profiles.usb-automount + hosts.lappy.profiles.usb-automount # required for dualsense controller profiles.kernels.latest 
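Review bot: The new `let usb_data = import ../../hosts/lappy/hardware/usb_data.nix { };` at the top of home/base/zsh.nix ties a base home module to one host's hardware file, so every host that imports home.base now gets lappy's USB mountpoint baked into the `chaos_age` and `chaos_pub` aliases rewritten in this file's second hunk. If that is intended, a comment above the import would keep the next reader from "fixing" it, e.g. `# Key paths come from lappy's USB layout; other hosts inherit these aliases unchanged`; otherwise passing the two paths in through the module arguments would keep the base module host-neutral. The enclosing attribute set runs past the hunk.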
@@ -39,6 +39,8 @@ home-manager.users.root = { imports = with tree; [ home.base ]; }; home-manager.users.chaos = { + programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}"; + imports = with tree; [ home.base home.dev.all diff --git a/hosts/lappy/profiles/usb-automount.nix b/hosts/lappy/profiles/usb-automount.nix index 632fb1d..87b6e21 100644 --- a/hosts/lappy/profiles/usb-automount.nix +++ b/hosts/lappy/profiles/usb-automount.nix 
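Review bot: `programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";` wraps a value that is already a string in a second interpolation; `identityFile = usb_data.ssh_priv_path;` says the same thing. Because the `"*"` block applies to every ssh destination and the path points into the volume that usb-automount mounts on demand, ssh will presumably warn that the identity file is not accessible whenever the USB is unplugged, so a comment such as `# identity lives on the encrypted USB; absent when it is not mounted` would stop that warning being read as a broken config. The `home-manager.users.chaos` set continues outside the hunk.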
@@ -1,23 +1,43 @@ { lib, pkgs, ... }: let - usb_label = "my_usb"; - usb_path = "/usb"; - keyPath = "/home/chaos/.ssh/id_ed25519"; - onInsert = pkgs.writeShellScriptBin "usb-on-insert" '' - umount /usb || true - mount $(findfs LABEL=${usb_label}) -o rw,umask=600,uid=chaos,gid=root,fmask=0022,dmask=0022 ${usb_path} + usb_data = import ../hardware/usb_data.nix { }; + mapper_name = "usb_unencrypted_afterboot"; + mapper_path = "/dev/mapper/${mapper_name}"; + mount_usb = pkgs.writeShellScriptBin "mount_usb" '' + umount ${usb_data.mountpoint} || true + cryptsetup close ${mapper_name} || true + + cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} - + mount ${mapper_path} -o rw ${usb_data.mountpoint} + ''; + unmount_usb = pkgs.writeShellScriptBin "unmount_usb" '' + umount -flR ${usb_data.mountpoint} || true + cryptsetup close ${mapper_name} || true ''; in { - systemd.tmpfiles.rules = [ "d ${usb_path} - chaos root" ]; + environment.systemPackages = [ + mount_usb + unmount_usb + ]; - systemd.services.usb-automount = { - path = [ pkgs.util-linux pkgs.bindfs ]; + systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ]; + + systemd.services.usb-mount = { + path = [ pkgs.util-linux pkgs.cryptsetup ]; script = '' - ${onInsert}/bin/usb-on-insert + ${mount_usb}/bin/mount_usb + ''; + }; + + systemd.services.usb-unmount = { + path = [ pkgs.util-linux pkgs.cryptsetup ]; + script = '' + ${unmount_usb}/bin/unmount_usb ''; }; services.udev.extraRules = '' - ACTION=="add", ENV{ID_FS_LABEL}=="${usb_label}", ENV{SYSTEMD_WANTS}="usb-automount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" + ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" + ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service" ''; }
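Review bot: `mount ${mapper_path} -o rw ${usb_data.mountpoint}` in mount_usb mounts removable media with no `nosuid,nodev,noexec`; since the volume only has to carry key files, `mount ${mapper_path} -o rw,nosuid,nodev,noexec ${usb_data.mountpoint}` is the safer default (whether the inner filesystem also needs owner/mode options like the old vfat mount did depends on its type, which this hunk does not show, and ssh will refuse an identity file that is not owner-only). The `cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ... -` line could drop the pipe as `cryptsetup luksOpen --key-file /secrets/usb_encryption_passphrase ${usb_data.encrypted_path} ${mapper_name}`, assuming the file is meant to be consumed verbatim; either way the service runs as root and nothing here states or checks the expected owner and mode of that passphrase file, which deserves a comment. The `ACTION=="remove"` udev rule relies on `ENV{SYSTEMD_WANTS}` being honoured on remove events, which I believe systemd's device integration only does for add/change, so if unmount_usb never fires in practice that rule is the first place to look.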