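# NixOS module: installs two helper commands for the LUKS-encrypted external
# drive described in data/drives/raspberryExternalDrive.nix:
#   mount_external_drive   - fetch the key from Vault, unlock, mount
#   unmount_external_drive - unmount and close the mapping (best effort)
{
  self,
  pkgs,
  ...
}: let
  # Drive description. This module reads encryptedPath, mapperName, mapperPath
  # and mountpoint from it (encryptedLabel only in the disabled udev rules).
  externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";

  mountExternalDrive = let
    # Every tool that touches the key is pinned to a store path so a modified
    # PATH cannot substitute another binary into the key pipeline.
    jq = "${pkgs.jq}/bin/jq";
    vault = "${pkgs.vault}/bin/vault";
    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
    base64 = "${pkgs.coreutils}/bin/base64";
  in
    pkgs.writeShellScriptBin "mount_external_drive" ''
      # writeShellScriptBin does not enable strict mode by itself. Without it a
      # failed login or key fetch was ignored and the mount below ran anyway.
      set -euo pipefail

      # Start from a known state; this helper always exits 0.
      ${unmountExternalDrive}/bin/unmount_external_drive

      # Not defined in this file: resolved from PATH at run time
      # (presumably a login wrapper provided elsewhere in the configuration).
      vault-login

      # The lazy unmount above can leave the mapping open when the filesystem
      # is still busy. In that case reuse it instead of failing on "open".
      if ! ${cryptsetup} status "${externalDriveData.mapperName}" >/dev/null 2>&1; then
        # The key goes from Vault to cryptsetup through pipes only: it is never
        # written to disk and never appears in a process argument list.
        ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
          | ${jq} -r ".data.data.key" \
          | ${base64} -d \
          | ${cryptsetup} open "${externalDriveData.encryptedPath}" "${externalDriveData.mapperName}" --key-file=/dev/stdin
      fi

      # mount is left on PATH, as in the original script.
      mount "${externalDriveData.mapperPath}" -o rw,compress=zstd "${externalDriveData.mountpoint}"
    '';

  unmountExternalDrive = let
    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
  in
    pkgs.writeShellScriptBin "unmount_external_drive" ''
      # Both steps are deliberately best effort so the command can be run when
      # nothing is mounted. -f force, -l lazy, -R recursive.
      # NOTE(review): after a lazy unmount the device may still be in use, so
      # "close" can fail silently and leave the volume unlocked; verify with
      # "cryptsetup status" when the drive must be locked before removal.
      umount -flR "${externalDriveData.mountpoint}" || true
      ${cryptsetup} close "${externalDriveData.mapperName}" || true
    '';
in {
  environment.systemPackages =
    (with pkgs; [
      cryptsetup
    ])
    ++ [
      mountExternalDrive
      unmountExternalDrive
    ];

  # Create the mountpoint directory owned by root:root; "-" keeps the
  # systemd-tmpfiles default mode.
  systemd.tmpfiles.rules = ["d ${externalDriveData.mountpoint} - root root"];

  # Disabled automatic mount/unmount on hotplug. The referenced
  # mount-external-drive.service and unmount-external-drive.service are not
  # defined in this file.
  # NOTE(review): PARTLABEL is set by whoever formats a device and is not an
  # authenticated identifier. Before enabling this, match on a stronger
  # property as well and decide how the service would authenticate to Vault
  # without an interactive login.
  #services.udev.extraRules = ''
  #  ACTION=="add", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
  #  ACTION=="remove", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
  #'';
}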