65 lines
1.5 KiB
Nix
65 lines
1.5 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
usb_data = import ../../data/usb_data.nix {};
|
|
drive_data = import ../../data/dual_drive_data.nix {};
|
|
in {
|
|
config.boot = {
|
|
initrd.availableKernelModules = [
|
|
# For USB w/ Encryption Key
|
|
"usb_storage"
|
|
"usbcore"
|
|
"uas"
|
|
"sd_mod"
|
|
# For USB Keyboards
|
|
"usbhid"
|
|
# For Cryptography
|
|
"aesni_intel"
|
|
"cryptd"
|
|
];
|
|
initrd.postDeviceCommands = pkgs.lib.mkBefore ''
|
|
mkdir -m 0755 -p /keys
|
|
mkdir -m 0755 -p ${usb_data.mountpoint}
|
|
|
|
while !(test -b ${usb_data.encrypted_path})
|
|
do
|
|
echo "Please Plug In USB"
|
|
sleep 1
|
|
done
|
|
|
|
echo "Please Decrypt USB"
|
|
|
|
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
|
|
|
|
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
|
|
|
|
cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
|
|
|
|
umount -f ${usb_data.mountpoint}
|
|
|
|
cryptsetup close ${usb_data.mapper_name}
|
|
'';
|
|
|
|
initrd.luks.devices = {
|
|
"${drive_data.root_mapper_name}" = {
|
|
device = "${drive_data.encrypted_root_path}";
|
|
keyFile = "/keys/${config.networking.hostName}.key";
|
|
preLVM = false;
|
|
allowDiscards = true;
|
|
};
|
|
};
|
|
};
|
|
config.fileSystems = {
|
|
"/" = {
|
|
device = "${drive_data.decrypted_root_path}";
|
|
fsType = "${drive_data.unencrypted_root_fs_type}";
|
|
};
|
|
"/boot" = {
|
|
device = "${drive_data.boot_path}";
|
|
fsType = "${drive_data.boot_fs_type}";
|
|
};
|
|
};
|
|
}
|