nixfiles/hosts/raspberry/profiles/externalDrive.nix

{
self,
pkgs,
...
}: let
externalDriveData = import "${self}/data/raspberryExternalDrive.nix";
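# mount_external_drive: unlock the encrypted external drive with a key fetched
# from Vault, then mount the resulting mapper device.
#
# The key is streamed vault -> jq -> base64 -> cryptsetup through pipes and is
# read by cryptsetup from stdin, so it is never written to disk and never
# appears in a process argument list.
#
# jq, vault, cryptsetup and base64 are pinned to store paths; `vault-login`
# and `mount` are still resolved from PATH (vault-login is defined outside
# this file).
mountExternalDrive = let
  jq = "${pkgs.jq}/bin/jq";
  vault = "${pkgs.vault-bin}/bin/vault";
  cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
  base64 = "${pkgs.coreutils}/bin/base64";
in
  pkgs.writeShellScriptBin "mount_external_drive" ''
    # Stop at the first failure. Without this, a failed Vault login or key
    # fetch was ignored and the script carried on to `mount`; pipefail makes
    # a failure in any stage of the key pipeline fail the whole pipeline.
    set -euo pipefail

    # Best-effort cleanup of a stale mount or mapping (always exits 0).
    ${unmountExternalDrive}/bin/unmount_external_drive

    vault-login

    # -e makes jq exit non-zero when the key field is missing or null, so a
    # malformed secret is reported as an error instead of being decoded.
    ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
      | ${jq} -er ".data.data.key" \
      | ${base64} -d \
      | ${cryptsetup} open "${externalDriveData.encryptedPath}" "${externalDriveData.mapperName}" --key-file=/dev/stdin

    # Paths are quoted so a value containing whitespace stays one argument.
    mount "${externalDriveData.mapperPath}" -o rw,compress=zstd "${externalDriveData.mountpoint}"
  '';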
# unmount_external_drive: best-effort teardown of the external drive.
# Both steps are allowed to fail (`|| true`), so the script always exits 0 and
# can be run when nothing is mounted or mapped.
#
# NOTE(review): `umount -l` is lazy, so the filesystem can still be busy when
# `cryptsetup close` runs; that failure is swallowed and the decrypted mapping
# would stay open. A caller that needs the volume locked should confirm it,
# e.g. with `cryptsetup status`.
unmountExternalDrive = pkgs.writeShellScriptBin "unmount_external_drive" ''
  umount -flR ${externalDriveData.mountpoint} || true
  ${pkgs.cryptsetup}/bin/cryptsetup close ${externalDriveData.mapperName} || true
'';
in {
  # cryptsetup itself plus the two helper scripts defined above.
  environment.systemPackages = [
    pkgs.cryptsetup
    mountExternalDrive
    unmountExternalDrive
  ];

  # Create the mountpoint directory, owned by root:root ("-" leaves the mode
  # at the tmpfiles default).
  systemd.tmpfiles.rules = ["d ${externalDriveData.mountpoint} - root root"];

  # Disabled: udev rules that would start mount/unmount units when the
  # partition with the configured label appears or disappears.
  # NOTE(review): the referenced mount-external-drive.service and
  # unmount-external-drive.service are not defined in this file; enabling
  # this would make unlocking depend on a non-interactive Vault login.
  #services.udev.extraRules = ''
  #  ACTION=="add", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
  #  ACTION=="remove", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
  #'';
}