mount encrypted partition with sops key
This commit is contained in:
parent
a73ffd1934
commit
48f202132f
GPG Key ID:
FD266B810DF48DF2
@ -51,10 +51,16 @@
|
||||
# Mount
|
||||
# TODO: fix sops
|
||||
sops.secrets.files-veracrypt.sopsFile = inputs.self.secretsDir + /amd-workstation/misc.yaml;
|
||||
environment.etc.crypttab = {
|
||||
text = ''
|
||||
files-veracrypt /dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a /var/secrets/files-veracrypt tcrypt-veracrypt
|
||||
'';
|
||||
services.cryptmount.files-veracrypt = {
|
||||
what = "/dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a";
|
||||
where = "/media/files";
|
||||
fsType = "ntfs";
|
||||
cryptType = "tcrypt";
|
||||
passwordFile = config.sops.secrets.files-veracrypt.path;
|
||||
mountOptions = [
|
||||
"uid=${toString config.users.users.${config.mainuser}.uid}"
|
||||
"gid=${toString config.users.groups.users.gid}"
|
||||
];
|
||||
};
|
||||
fileSystems = {
|
||||
"/media/win-sys" = {
|
||||
@ -66,15 +72,6 @@
|
||||
"gid=${toString config.users.groups.users.gid}"
|
||||
];
|
||||
};
|
||||
"/media/files" = {
|
||||
fsType = "ntfs";
|
||||
device = "/dev/mapper/files-veracrypt";
|
||||
options = [
|
||||
"nofail"
|
||||
"uid=${toString config.users.users.${config.mainuser}.uid}"
|
||||
"gid=${toString config.users.groups.users.gid}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
powerManagement.cpuFreqGovernor = "schedutil";
|
||||
|
||||
81
modules/crypt-mount.nix
Normal file
81
modules/crypt-mount.nix
Normal file
@ -0,0 +1,81 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib;
|
||||
{
|
||||
options.services.cryptmount = mkOption {
|
||||
type = types.attrsOf (
|
||||
types.submodule (
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
cryptname = mkOption {
|
||||
type = types.str;
|
||||
default = name;
|
||||
};
|
||||
passwordFile = mkOption { type = types.str; };
|
||||
what = mkOption { type = types.str; };
|
||||
where = mkOption { type = types.str; };
|
||||
fsType = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
cryptType = mkOption {
|
||||
type = types.enum [
|
||||
"luks"
|
||||
"luks1"
|
||||
"luks2"
|
||||
"plain"
|
||||
"loopaes"
|
||||
"tcrypt"
|
||||
"bitlk"
|
||||
];
|
||||
default = "luks";
|
||||
};
|
||||
mountOptions = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
default = { };
|
||||
};
|
||||
config = mkIf (config.services.cryptmount != { }) {
|
||||
systemd.services =
|
||||
mapAttrs'
|
||||
(
|
||||
name: cfg:
|
||||
nameValuePair "cryptmount-${name}" ({
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.cryptsetup ];
|
||||
serviceConfig =
|
||||
let
|
||||
mount-type = if (cfg.fsType != null) then "-t ${cfg.fsType}" else "";
|
||||
opts =
|
||||
if (cfg.mountOptions != [ ]) then "-o ${strings.concatStringsSep "," cfg.mountOptions}" else "";
|
||||
in
|
||||
{
|
||||
Type = "oneshot";
|
||||
TimeoutStartSec = "infinity";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = pkgs.writeShellScript "storage-decrypt-${name}" ''
|
||||
set -euo pipefail
|
||||
mkdir -p ${cfg.where}
|
||||
cat ${cfg.passwordFile} | cryptsetup open ${cfg.what} ${cfg.cryptname} - --type ${cfg.cryptType}
|
||||
/run/wrappers/bin/mount ${mount-type} ${opts} /dev/mapper/${cfg.cryptname} ${cfg.where}
|
||||
'';
|
||||
ExecStop = pkgs.writeShellScript "storage-decrypt-stop-${name}" ''
|
||||
/run/wrappers/bin/umount -R ${cfg.where}
|
||||
cryptsetup close ${cfg.cryptname}
|
||||
'';
|
||||
};
|
||||
})
|
||||
)
|
||||
config.services.cryptmount;
|
||||
};
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user