44 lines
1.3 KiB
Nix
44 lines
1.3 KiB
Nix
{ lib, pkgs, ... }:
|
|
let
|
|
usb_data = import ../hardware/usb_data.nix { };
|
|
mapper_name = "usb_unencrypted_afterboot";
|
|
mapper_path = "/dev/mapper/${mapper_name}";
|
|
mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
|
|
umount ${usb_data.mountpoint} || true
|
|
cryptsetup close ${mapper_name} || true
|
|
|
|
cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
|
|
mount ${mapper_path} -o rw ${usb_data.mountpoint}
|
|
'';
|
|
unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
|
|
umount -flR ${usb_data.mountpoint} || true
|
|
cryptsetup close ${mapper_name} || true
|
|
'';
|
|
in {
|
|
environment.systemPackages = [
|
|
mount_usb
|
|
unmount_usb
|
|
];
|
|
|
|
systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];
|
|
|
|
systemd.services.usb-mount = {
|
|
path = [ pkgs.util-linux pkgs.cryptsetup ];
|
|
script = ''
|
|
${mount_usb}/bin/mount_usb
|
|
'';
|
|
};
|
|
|
|
systemd.services.usb-unmount = {
|
|
path = [ pkgs.util-linux pkgs.cryptsetup ];
|
|
script = ''
|
|
${unmount_usb}/bin/unmount_usb
|
|
'';
|
|
};
|
|
|
|
services.udev.extraRules = ''
|
|
ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
|
|
ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
|
|
'';
|
|
}
|