stuff

home/base/zsh.nix

@@ -1,4 +1,6 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let usb_data = import ../../hosts/lappy/hardware/usb_data.nix { };
+in {
   home.packages = with pkgs; [ exa bat ripgrep vault age ];
   programs.zsh = {
     enable = true;
@@ -22,8 +24,8 @@
       log = "journalctl";
       dmesg = "dmesg -HP";
       hg = "history 0 | rg";
-      chaos_age = "age -i /usb/age-keys/chaoskey.priv";
+      chaos_age = "age -i ${usb_data.chaos_age_privkey_path}";
-      chaos_pub = "cat /usb/age-keys/chaoskey.pub";
+      chaos_pub = "cat ${usb_data.chaos_age_pubkey_path}";
     };
     envExtra = ''
       export VAULT_ADDR="https://vault.owo.monster"

hosts/lappy/hardware/usb_data.nix

@@ -20,4 +20,9 @@
   # Paths to some important files
   lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
 
+  chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
+  chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
+
+  ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv";
+  ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub";
 }

hosts/lappy/lappy.nix

@@ -1,6 +1,6 @@
 { tree, config, pkgs, lib, ... }:
-
+let usb_data = import ./hardware/usb_data.nix { };
-{
+in {
   imports = with tree; [
     users.root
     users.chaos
@@ -9,7 +9,7 @@
     #profiles.printing
     profiles.sshd
 
-    #hosts.lappy.profiles.usb-automount
+    hosts.lappy.profiles.usb-automount
 
     # required for dualsense controller
     profiles.kernels.latest
@@ -39,6 +39,8 @@
 
   home-manager.users.root = { imports = with tree; [ home.base ]; };
   home-manager.users.chaos = {
+    programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
+
     imports = with tree; [
       home.base
       home.dev.all

hosts/lappy/profiles/usb-automount.nix

@@ -1,23 +1,43 @@
 { lib, pkgs, ... }:
 let
-  usb_label = "my_usb";
+  usb_data = import ../hardware/usb_data.nix { };
-  usb_path = "/usb";
+  mapper_name = "usb_unencrypted_afterboot";
-  keyPath = "/home/chaos/.ssh/id_ed25519";
+  mapper_path = "/dev/mapper/${mapper_name}";
-  onInsert = pkgs.writeShellScriptBin "usb-on-insert" ''
+  mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
-    umount /usb || true
+    umount ${usb_data.mountpoint} || true
-    mount $(findfs LABEL=${usb_label}) -o rw,umask=600,uid=chaos,gid=root,fmask=0022,dmask=0022 ${usb_path}
+    cryptsetup close ${mapper_name} || true
+
+    cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
+    mount ${mapper_path} -o rw ${usb_data.mountpoint}
+  '';
+  unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
+    umount -flR ${usb_data.mountpoint} || true
+    cryptsetup close ${mapper_name} || true
   '';
 in {
-  systemd.tmpfiles.rules = [ "d ${usb_path} - chaos root" ];
+  environment.systemPackages = [
+    mount_usb
+    unmount_usb
+  ];
 
-  systemd.services.usb-automount = {
+  systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];
-    path = [ pkgs.util-linux pkgs.bindfs ];
+
+  systemd.services.usb-mount = {
+    path = [ pkgs.util-linux pkgs.cryptsetup ];
     script = ''
-      ${onInsert}/bin/usb-on-insert
+      ${mount_usb}/bin/mount_usb
+    '';
+  };
+
+  systemd.services.usb-unmount = {
+    path = [ pkgs.util-linux pkgs.cryptsetup ];
+    script = ''
+      ${unmount_usb}/bin/unmount_usb
     '';
   };
 
   services.udev.extraRules = ''
-    ACTION=="add", ENV{ID_FS_LABEL}=="${usb_label}", ENV{SYSTEMD_WANTS}="usb-automount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
+    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
+    ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
   '';
 }