

No commits in common. "937a5df23f557ac598d25fa5f3596946a68aa1c0" and "94eb79d5c6addeee464f88ffa0740da676aa3304" have entirely different histories.

6 changed files with 181 additions and 211 deletions


@ -5,48 +5,47 @@
writeShellApplication, writeShellApplication,
}: let }: let
encryptedUSBData = import ../data/drives/encryptedUSB.nix; encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in in writeShellApplication {
writeShellApplication { name = "mk-enc-usb";
name = "mk-enc-usb"; runtimeInputs = [
runtimeInputs = [ parted
parted cryptsetup
cryptsetup e2fsprogs
e2fsprogs ];
]; text = ''
text = '' if [ -z "''${1-}" ]; then
if [ -z "''${1-}" ]; then echo "Please specify a path to device as first argument"
echo "Please specify a path to device as first argument" exit 1
exit 1 fi
fi
# e.g /dev/sdb # e.g /dev/sdb
USB_DEVICE=$1 USB_DEVICE=$1
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Creating Encrypted USB." echo "Creating Encrypted USB."
echo "Creating Partitions..." echo "Creating Partitions..."
parted "$USB_DEVICE" -- mklabel gpt parted "$USB_DEVICE" -- mklabel gpt
parted "$USB_DEVICE" -- mkpart primary 0% 100% parted "$USB_DEVICE" -- mkpart primary 0% 100%
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${USB_DEVICE}1" cryptsetup luksFormat "''${USB_DEVICE}1"
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb" cryptsetup open "''${USB_DEVICE}1" "mk_enc_usb"
echo "Making Encrypted Filesystem" echo "Making Encrypted Filesystem"
mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb
echo "Closing Encrypted Partition" echo "Closing Encrypted Partition"
cryptsetup close "mk_enc_usb" cryptsetup close "mk_enc_usb"
# Do this now so that i can run the damn script with usb-automount and stop it trying to mount # Do this now so that i can run the damn script with usb-automount and stop it trying to mount
echo "Naming Partitions" echo "Naming Partitions"
parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel} parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel}
''; '';
} }


@ -6,81 +6,80 @@
writeShellApplication, writeShellApplication,
}: let }: let
driveData = import ../data/drives/encryptedDrive.nix; driveData = import ../data/drives/encryptedDrive.nix;
in in writeShellApplication {
writeShellApplication { name = "mk-encrypted-drive";
name = "mk-encrypted-drive"; runtimeInputs = [
runtimeInputs = [ parted
parted cryptsetup
cryptsetup e2fsprogs
e2fsprogs dosfstools
dosfstools ];
]; text = ''
text = '' if [ -z "''${BIOS-}" ]; then
if [ -z "''${BIOS-}" ]; then echo "If making a drive for bios then you will need to set BIOS env variable"
echo "If making a drive for bios then you will need to set BIOS env variable" fi
fi
if [ -z "''${PASSWORD_FILE-}" ]; then if [ -z "''${PASSWORD_FILE-}" ]; then
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE" echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
fi fi
if [ -z "''${1-}" ]; then if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument" echo "Please specify a path to device as first argument"
exit 1 exit 1
fi fi
if [ -z "''${2-}" ]; then if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument" echo "Please specify a path to key file as second argument"
exit 1 exit 1
fi fi
DRIVE_PATH=$1 DRIVE_PATH=$1
KEY_FILE=$2 KEY_FILE=$2
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p" PARTITION_SEPARATOR="p"
else else
PARTITION_SEPARATOR="" PARTITION_SEPARATOR=""
fi fi
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Creating Partitions..." echo "Creating Partitions..."
if [ -n "''${BIOS-}" ]; then if [ -n "''${BIOS-}" ]; then
# EFI Install # EFI Install
parted "$DRIVE_PATH" -- mklabel gpt parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 esp on parted "$DRIVE_PATH" -- set 1 esp on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}" parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}" parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
else else
parted "$DRIVE_PATH" -- mklabel gpt parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 boot on parted "$DRIVE_PATH" -- set 1 boot on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}" parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}" parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
fi fi
echo "Formatting boot partition" echo "Formatting boot partition"
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1" mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
if [ -n "''${PASSWORD_FILE-}" ]; then if [ -n "''${PASSWORD_FILE-}" ]; then
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE" cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
fi fi
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE" cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem" echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
echo "mount /dev/mapper/mk_encrypted_drive to install" echo "mount /dev/mapper/mk_encrypted_drive to install"
''; '';
} }


@ -5,64 +5,63 @@
writeShellApplication, writeShellApplication,
}: let }: let
externalDriveData = import ../data/drives/raspberryExternalDrive.nix; externalDriveData = import ../data/drives/raspberryExternalDrive.nix;
in in writeShellApplication {
writeShellApplication { name = "mk-raspberry-ext-drive";
name = "mk-raspberry-ext-drive"; runtimeInputs = [
runtimeInputs = [ util-linux
util-linux cryptsetup
cryptsetup btrfs-progs
btrfs-progs ];
]; text = ''
text = '' if [ -z "''${1-}" ]; then
if [ -z "''${1-}" ]; then echo "Please specify a path to device as first argument"
echo "Please specify a path to device as first argument" exit 1
exit 1 fi
fi
DRIVE_PATH=$1 DRIVE_PATH=$1
if [ -z "''${2-}" ]; then if [ -z "''${2-}" ]; then
echo "Please specify a key file to use" echo "Please specify a key file to use"
exit 1 exit 1
fi fi
KEY_FILE=$2 KEY_FILE=$2
if [ -z "''${3-}" ]; then if [ -z "''${3-}" ]; then
echo "Please specify a temp mountpoint to use" echo "Please specify a temp mountpoint to use"
exit 1 exit 1
fi fi
TEMP_MOUNTPOINT=$3 TEMP_MOUNTPOINT=$3
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "Please run as root" echo "Please run as root"
exit exit
fi fi
echo "Wiping Partitions..." echo "Wiping Partitions..."
wipefs --all "$DRIVE_PATH" wipefs --all "$DRIVE_PATH"
echo "Creating Encrypted Partition" echo "Creating Encrypted Partition"
cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}" cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}"
echo "Opening Encrypted Partition" echo "Opening Encrypted Partition"
cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE" cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Filesystem" echo "Formatting Encrypted Filesystem"
mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive
echo "Mounting Partition" echo "Mounting Partition"
mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT" mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT"
echo "Creating Folders" echo "Creating Folders"
mkdir "$TEMP_MOUNTPOINT/backups" mkdir "$TEMP_MOUNTPOINT/backups"
mkdir "$TEMP_MOUNTPOINT/storage" mkdir "$TEMP_MOUNTPOINT/storage"
mkdir "$TEMP_MOUNTPOINT/extras" mkdir "$TEMP_MOUNTPOINT/extras"
echo "Unmounting" echo "Unmounting"
umount "$TEMP_MOUNTPOINT" umount "$TEMP_MOUNTPOINT"
echo "Closing mapper device" echo "Closing mapper device"
cryptsetup close "mk-raspberry-ext-drive" cryptsetup close "mk-raspberry-ext-drive"
''; '';
} }


@ -21,29 +21,6 @@ in {
'') '')
]; ];
home.file."Music/music-sync-check.sh" = {
executable = true;
text = ''
#!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "''${SCRIPT_DIR}"
ERROR_LOG=$(mktemp -t music-check-log-XXX)
echo "Checking StorageBox sync status"
if rclone check . Storage:Music --exclude "/*.sh" 2>$ERROR_LOG; then
echo "Up to date with StorageBox"
else
echo "An error occured attempting to check sync status:"
cat "$ERROR_LOG"
echo
fi
rm "$ERROR_LOG"
'';
};
home.file."Music/music-sync.sh" = { home.file."Music/music-sync.sh" = {
executable = true; executable = true;
text = '' text = ''
@ -52,7 +29,7 @@ in {
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "''${SCRIPT_DIR}" cd "''${SCRIPT_DIR}"
rclone sync -P . Storage:Music --exclude "/*.sh" rclone sync -P . Storage:Music --exclude music-sync.sh,music-download.sh
restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1) restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)
TITLE="chaos's Music Library" TITLE="chaos's Music Library"
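Review bot: The new exclude in the rclone line of the second hunk, `--exclude music-sync.sh,music-download.sh`, is one rclone pattern, not a list: rclone takes one glob per `--exclude` and does not split on commas, so this only matches a file literally named `music-sync.sh,music-download.sh` and both scripts would now be pushed to `Storage:Music`. The old `"/*.sh"` pattern at least excluded every root-level script. Use one flag per pattern, `rclone sync -P . Storage:Music --exclude music-sync.sh --exclude music-download.sh`, or keep the root-anchored `--exclude "/*.sh"` if the intent is to never ship generated scripts to the remote. Whether `music-download.sh` is still defined elsewhere in this file cannot be seen from the hunk, and the enclosing `home.file."Music/music-sync.sh"` text block continues past it.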


@ -301,13 +301,12 @@ in rec {
mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null; mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null;
mkSecretsInitScriptWithName = cfg: name: let mkSecretsInitScriptWithName = cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-init" then "secrets-init"
else "secrets-init-${name}"; else "secrets-init-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in in writeShellApplication {
writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.packages; runtimeInputs = defaultPackages ++ cfg.packages;
text = scripts.initScript; text = scripts.initScript;
@ -315,39 +314,37 @@ in rec {
mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null; mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null;
mkSecretsCheckScriptWithName = cfg: name: let mkSecretsCheckScriptWithName = cfg: name: let
scriptName = scriptName =
if name == null if name == null
then "secrets-check" then "secrets-check"
else "secrets-check-${name}"; else "secrets-check-${name}";
scripts = genScripts cfg; scripts = genScripts cfg;
in in writeShellApplication {
writeShellApplication {
name = scriptName; name = scriptName;
runtimeInputs = defaultPackages ++ cfg.checkPackages; runtimeInputs = defaultPackages ++ cfg.checkPackages;
text = scripts.checkScript; text = scripts.checkScript;
}; };
genVaultPolicy = cfg: name: let genVaultPolicy = cfg: name: let
inherit (cfg) requiredVaultPaths; inherit (cfg) requiredVaultPaths;
policies = forEach requiredVaultPaths (policyConfig: let policies = forEach requiredVaultPaths (policyConfig: let
path = path =
if isString policyConfig if isString policyConfig
then policyConfig then policyConfig
else policyConfig.path; else policyConfig.path;
capabilities = capabilities =
if isString policyConfig if isString policyConfig
then ["read" "list"] then ["read" "list"]
else policyConfig.capabilities; else policyConfig.capabilities;
escapeString = str: "\"" + str + "\""; escapeString = str: "\"" + str + "\"";
in '' in ''
path "${path}" { path "${path}" {
capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}] capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}]
} }
''); '');
in in toFile "vault-policy-${name}.hcl" ''
toFile "vault-policy-${name}.hcl" ''
${concatStringsSep "\n" policies} ${concatStringsSep "\n" policies}
''; '';
} }


@ -202,11 +202,10 @@ in
(mergeAttrsList (forEach machinesWithContainers (machineName: let (mergeAttrsList (forEach machinesWithContainers (machineName: let
machine = machines.${machineName}; machine = machines.${machineName};
inherit (machine) containers; inherit (machine) containers;
in in mergeAttrsList (forEach containers (containerName: {
mergeAttrsList (forEach containers (containerName: { "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName; "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName; })))))
})))))
]; ];
}) })
] ]