{
self,
config,
pkgs,
lib,
...
}: let
inherit (lib.modules) mkBefore;
encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";
driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
boot = {
initrd.availableKernelModules = [
# For USB w/ Encryption Key
"usb_storage"
"usbcore"
"uas"
"sd_mod"
# For USB Keyboards
"usbhid"
# For Cryptography
"aesni_intel"
"cryptd"
];
initrd.postDeviceCommands = mkBefore ''
mkdir -m 0755 -p /keys
mkdir -m 0755 -p ${encryptedUSB.mountpoint}
while !(test -b ${encryptedUSB.encryptedPath})
do
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1
done
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}" \
--number-of-tries=3
''
else ''
echo "Please Decrypt USB"
cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}
''
}
mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint}
cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys
umount -f ${encryptedUSB.mountpoint}
cryptsetup close ${encryptedUSB.preBootMapperName}
'';
initrd.luks.devices = {
"${driveData.mapperName}" = {
device = "${driveData.encryptedPath}";
keyFile = "/keys/${config.networking.hostName}.key";
preLVM = false;
allowDiscards = true;
};
};
};
fileSystems = {
"/" = {
device = "${driveData.decryptedPath}";
fsType = "${driveData.unencryptedFSType}";
};
"/boot" = {
device = "${driveData.bootPath}";
fsType = "${driveData.bootFSType}";
};
};
}